Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 01:43

General

  • Target

    df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe

  • Size

    82KB

  • MD5

    df66f0ca4eedda1c0153aff63743f95f

  • SHA1

    8b135e7c16dd6035df7bbc07e94330a590138e58

  • SHA256

    76b19c816680d2463447e55ff6e05a54de6152e20954df549f058392919fc6c4

  • SHA512

    cdf3de415da553c582fb7693bada6eaabf54bc9fd61cbffda482e1078de22edb75ac2a09b5368cb4ce925ad7725904fd3af17f989320a096da84b717dec669e8

  • SSDEEP

    1536:dSfWkjK0aKqqVs9WzJmv/DdSeWJxfnsf0Zop/m+mxyxHsItTedbDVO7wGU0BM/eh:d4D20kqa9WdmnDYTPsf0Zow+m0lttCdG

Malware Config

Signatures

  • Detect XtremeRAT payload 4 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • Xtremerat family
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe
      "C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2572
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:2872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe

      Filesize

      65KB

      MD5

      9d85ce7760eca54db59755eae9ef3175

      SHA1

      81ece56f5d159c7a25cfa67bc2bc5de8602b0776

      SHA256

      2b2a8f5f2d9ffe7a82671f2f46d580f9a0c5914af6ff4138b76d6dd94b047042

      SHA512

      c348586e9d0e2d1199a6e34692882eb243f3186328b1380e53479578a1d787dc02fb314dd1bcd180c743a392da298d2407d919ed40f42525cd2271c2c45dc1f8

    • memory/2156-0-0x000007FEF600E000-0x000007FEF600F000-memory.dmp

      Filesize

      4KB

    • memory/2156-1-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

      Filesize

      9.6MB

    • memory/2156-2-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

      Filesize

      9.6MB

    • memory/2156-4-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

      Filesize

      9.6MB

    • memory/2156-11-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

      Filesize

      9.6MB

    • memory/2452-15-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2572-14-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2572-12-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2572-16-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB