Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 10-12-2024 01:09
- Static task: static1
- Behavioral task: behavioral1
  - Sample: dc5362b9b39cf550b34c1272fe15b355_JaffaCakes118.exe
  - Resource: win7-20241010-en
General
- Target: dc5362b9b39cf550b34c1272fe15b355_JaffaCakes118.exe
- Size: 269KB
- MD5: dc5362b9b39cf550b34c1272fe15b355
- SHA1: 6c60bda81bd19686165f8c2070e6e8e1a32948d5
- SHA256: 48cfbdeb4600dfd22582198b12d32538385f7a4f361281161892ff0ae2f9ccaf
- SHA512: f45ba811f2c9072d7b54ace3bbc26295d72ba10c639e3dcc9ef986761caad660933d0bba8c24fcc3c9fb7f67901ce284a38daec4d84249fe22bef6a23a29e0ff
- SSDEEP: 3072:G/v7xIj0jsCpbqpu+IDzyyJRCvxe1ddRa53apZF8a4EvsagMGh0HDF++4B5hiSnu:MdJjrpRqrXaJ/15++shXhGTNKq8dR3Ra
Malware Config
Extracted
- Family: xtremerat
- C2: somee.no-ip.biz
Signatures

Detect XtremeRAT payload (3 IoCs)
resource | yara_rule
behavioral1/memory/2288-13-0x0000000000C80000-0x0000000000CE1000-memory.dmp | family_xtremerat
behavioral1/memory/2772-25-0x0000000000C80000-0x0000000000CE1000-memory.dmp | family_xtremerat
behavioral1/memory/2288-29-0x0000000000C80000-0x0000000000CE1000-memory.dmp | family_xtremerat

XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

Xtremerat family

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B3H462O-2D4U-1FBK-5IM1-QWQ763MI2XG1} | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B3H462O-2D4U-1FBK-5IM1-QWQ763MI2XG1}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" | server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B3H462O-2D4U-1FBK-5IM1-QWQ763MI2XG1} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B3H462O-2D4U-1FBK-5IM1-QWQ763MI2XG1}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" | svchost.exe

Executes dropped EXE (1 IoC)
pid | Process
2288 | server.exe

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\InstallDir\Server.exe | server.exe
File created | C:\Windows\SysWOW64\InstallDir\Server.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\InstallDir\ | server.exe

YARA rule upx matches (4 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000016cc9-10.dat | upx
behavioral1/memory/2288-13-0x0000000000C80000-0x0000000000CE1000-memory.dmp | upx
behavioral1/memory/2772-25-0x0000000000C80000-0x0000000000CE1000-memory.dmp | upx
behavioral1/memory/2288-29-0x0000000000C80000-0x0000000000CE1000-memory.dmp | upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1672 | dc5362b9b39cf550b34c1272fe15b355_JaffaCakes118.exe
Token: 33 | 1672 | dc5362b9b39cf550b34c1272fe15b355_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 1672 | dc5362b9b39cf550b34c1272fe15b355_JaffaCakes118.exe
Token: 33 | 1672 | dc5362b9b39cf550b34c1272fe15b355_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 1672 | dc5362b9b39cf550b34c1272fe15b355_JaffaCakes118.exe
Token: 33 | 1672 | dc5362b9b39cf550b34c1272fe15b355_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 1672 | dc5362b9b39cf550b34c1272fe15b355_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2288 | server.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed into one row each with an occurrence count (64 rows in total).
description | pid | Process | procid_target | occurrences
PID 1672 wrote to memory of 2288 | 1672 | dc5362b9b39cf550b34c1272fe15b355_JaffaCakes118.exe | 31 | 4
PID 2288 wrote to memory of 2772 | 2288 | server.exe | 32 | 5
PID 2288 wrote to memory of 2840 | 2288 | server.exe | 33 | 4
PID 2288 wrote to memory of 2940 | 2288 | server.exe | 34 | 4
PID 2288 wrote to memory of 2824 | 2288 | server.exe | 35 | 4
PID 2288 wrote to memory of 2180 | 2288 | server.exe | 36 | 4
PID 2288 wrote to memory of 2756 | 2288 | server.exe | 37 | 4
PID 2288 wrote to memory of 2924 | 2288 | server.exe | 38 | 4
PID 2288 wrote to memory of 3044 | 2288 | server.exe | 39 | 4
PID 2288 wrote to memory of 2656 | 2288 | server.exe | 40 | 4
PID 2288 wrote to memory of 2652 | 2288 | server.exe | 41 | 4
PID 2288 wrote to memory of 3056 | 2288 | server.exe | 42 | 4
PID 2288 wrote to memory of 2016 | 2288 | server.exe | 43 | 4
PID 2288 wrote to memory of 2796 | 2288 | server.exe | 44 | 4
PID 2288 wrote to memory of 2804 | 2288 | server.exe | 45 | 4
PID 2288 wrote to memory of 2744 | 2288 | server.exe | 46 | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\dc5362b9b39cf550b34c1272fe15b355_JaffaCakes118.exe (PID 1672, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\dc5362b9b39cf550b34c1272fe15b355_JaffaCakes118.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe (PID 2288, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 2772, level 3)
      command line: svchost.exe
      - Boot or Logon Autostart Execution: Active Setup
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\explorer.exe (PID 2840, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 2940, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 2824, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 2180, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 2756, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 2924, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 3044, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 2656, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 2652, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 3056, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 2016, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 2796, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 2804, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 2744, level 3), command line: explorer.exe
    - C:\Windows\SysWOW64\explorer.exe (PID 2688, level 3), command line: explorer.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 165KB
- MD5: a51f1b4db4bdd656d0c31bc77f1e9a79
- SHA1: f2a3e3f725a985d7d24b66bed17cb37f3c05105c
- SHA256: 37bb3e1193f4684934a8cf62a68ffde17d044e5f6af3c2f7d6370f7e48b50a6d
- SHA512: 8fb4ae8042a887dadb9b7a07b50e61735a75447896c24d28aaa5f811680f4db517ee606d1b1899a00c8a57104ba2ada09666cad9814abb4384ca5b22a424aaae