Analysis
- max time kernel: 96s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-12-2024 14:59
Behavioral task: behavioral1
- Sample: d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
- Size: 1.0MB
- MD5: d7a32826a8931724221b193e9f448b04
- SHA1: a284d56bcfb9f82177deaed765bda78d260f5d47
- SHA256: f62cce747b4d393e3d2ab03f14ec4412f882333da5cce7a7bb368f4495cb8c19
- SHA512: 8709b4f9083cbd8b899b97ac12498d1ffd12081bfbe368073de397dfa861357b8b1531a7cd6a16914fd2eeb35eab7b6d37bdc01cad8be90dc36b82dea4cb4d11
- SSDEEP: 24576:OPze+0Pze+moJmnNg4XVMD0nDImeKvThFFmB5d:ize7zeJoJmNfND9eK7had
Malware Config
Extracted family: xtremerat
- C2: neuromante.no-ip.org
- C2: neuromante.no-ip.org
Signatures

Detect XtremeRAT payload (5 IoCs)
resource -> yara_rule
- behavioral2/memory/4200-0-0x0000000010000000-0x000000001013F000-memory.dmp -> family_xtremerat
- behavioral2/files/0x0007000000023cb9-6.dat -> family_xtremerat
- behavioral2/memory/4560-10-0x0000000010000000-0x000000001013F000-memory.dmp -> family_xtremerat
- behavioral2/memory/4200-12-0x0000000010000000-0x000000001013F000-memory.dmp -> family_xtremerat
- behavioral2/memory/2856-15-0x0000000010000000-0x00000000100DF000-memory.dmp -> family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

Xtremerat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description / ioc / Process
- Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (process: d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe)
Executes dropped EXE (1 IoC)
pid / Process
- PID 2856: 16server.exe

Drops file in System32 directory (4 IoCs)
description / ioc / Process
- File created: C:\Windows\SysWOW64\16server.exe.exe (process: d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\16server.exe (process: d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\156Jasmine.jpg.exe (process: 16server.exe)
- File created: C:\Windows\SysWOW64\156Jasmine.jpg (process: 16server.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid / pid_target / Process / procid_target
- PID 1628, target PID 4200: WerFault.exe, procid_target 84
- PID 2340, target PID 4200: WerFault.exe, procid_target 84
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 16server.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe)
Suspicious use of WriteProcessMemory (13 IoCs)
description / pid / Process / procid_target
- PID 4560 wrote to memory of 4200: pid 4560, d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe, procid_target 84
- PID 4560 wrote to memory of 4200: pid 4560, d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe, procid_target 84
- PID 4560 wrote to memory of 4200: pid 4560, d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe, procid_target 84
- PID 4560 wrote to memory of 4200: pid 4560, d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe, procid_target 84
- PID 4560 wrote to memory of 4132: pid 4560, d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe, procid_target 85
- PID 4560 wrote to memory of 4132: pid 4560, d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe, procid_target 85
- PID 4560 wrote to memory of 4132: pid 4560, d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe, procid_target 85
- PID 4560 wrote to memory of 2856: pid 4560, d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe, procid_target 90
- PID 4560 wrote to memory of 2856: pid 4560, d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe, procid_target 90
- PID 4560 wrote to memory of 2856: pid 4560, d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe, procid_target 90
- PID 2856 wrote to memory of 928: pid 2856, 16server.exe, procid_target 92
- PID 2856 wrote to memory of 928: pid 2856, 16server.exe, procid_target 92
- PID 2856 wrote to memory of 928: pid 2856, 16server.exe, procid_target 92
Processes
(depth, image path, command line, PID; signatures triggered by each process are listed beneath it)

1. C:\Users\Admin\AppData\Local\Temp\d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe"
   PID: 4560
   - Checks computer location settings
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 4200
      - System Location Discovery: System Language Discovery
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 488
         PID: 1628
         - Program crash
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 496
         PID: 2340
         - Program crash
   2. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      PID: 4132
   2. C:\Windows\SysWOW64\16server.exe
      Command line: "C:\Windows\system32\16server.exe"
      PID: 2856
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
         PID: 928
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4200 -ip 4200
   PID: 3208
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4200 -ip 4200
   PID: 404
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 661KB
- MD5: 26425b2fbb73627e02a1ea7f095eab7d
- SHA1: 929b1d21ed7976f274df9520a0d53210969176b3
- SHA256: ce463e3d32f919e7c9870223fccde542d9f198d012a7dcb5738e75017fab59c1
- SHA512: ff3cc950d1c335395edb3f68577381c1153d24841136b1c9d828c742d02d47ed46cce8a7244bba030da1e464ac400baa0c53d6c32d99bf0a8fc82ba979cb332d