Analysis
- max time kernel: 149s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 11-12-2024 01:43
Static task: static1
Behavioral task: behavioral1
- Sample: df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe
- Size: 82KB
- MD5: df66f0ca4eedda1c0153aff63743f95f
- SHA1: 8b135e7c16dd6035df7bbc07e94330a590138e58
- SHA256: 76b19c816680d2463447e55ff6e05a54de6152e20954df549f058392919fc6c4
- SHA512: cdf3de415da553c582fb7693bada6eaabf54bc9fd61cbffda482e1078de22edb75ac2a09b5368cb4ce925ad7725904fd3af17f989320a096da84b717dec669e8
- SSDEEP: 1536:dSfWkjK0aKqqVs9WzJmv/DdSeWJxfnsf0Zop/m+mxyxHsItTedbDVO7wGU0BM/eh:d4D20kqa9WdmnDYTPsf0Zow+m0lttCdG
Malware Config
Signatures
- Detect XtremeRAT payload (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000015d59-8.dat | family_xtremerat
  behavioral1/memory/2572-14-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
  behavioral1/memory/2452-15-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
  behavioral1/memory/2572-16-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Xtremerat family
- Executes dropped EXE (1 IoC)
  pid | Process
  2452 | CryptedFile.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CryptedFile.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 2156 wrote to memory of 2452 | 2156 | df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe | 30
  PID 2156 wrote to memory of 2452 | 2156 | df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe | 30
  PID 2156 wrote to memory of 2452 | 2156 | df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe | 30
  PID 2156 wrote to memory of 2452 | 2156 | df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe | 30
  PID 2452 wrote to memory of 2572 | 2452 | CryptedFile.exe | 31
  PID 2452 wrote to memory of 2572 | 2452 | CryptedFile.exe | 31
  PID 2452 wrote to memory of 2572 | 2452 | CryptedFile.exe | 31
  PID 2452 wrote to memory of 2572 | 2452 | CryptedFile.exe | 31
  PID 2452 wrote to memory of 2572 | 2452 | CryptedFile.exe | 31
  PID 2452 wrote to memory of 2872 | 2452 | CryptedFile.exe | 32
  PID 2452 wrote to memory of 2872 | 2452 | CryptedFile.exe | 32
  PID 2452 wrote to memory of 2872 | 2452 | CryptedFile.exe | 32
  PID 2452 wrote to memory of 2872 | 2452 | CryptedFile.exe | 32
  PID 2452 wrote to memory of 2872 | 2452 | CryptedFile.exe | 32
Processes
1. C:\Users\Admin\AppData\Local\Temp\df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe (PID 2156)
   Command line: "C:\Users\Admin\AppData\Local\Temp\df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe (PID 2452)
      Command line: "C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe (PID 2572)
         Command line: svchost.exe
         - System Location Discovery: System Language Discovery
      3. C:\Program Files\Internet Explorer\iexplore.exe (PID 2872)
         Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 65KB
- MD5: 9d85ce7760eca54db59755eae9ef3175
- SHA1: 81ece56f5d159c7a25cfa67bc2bc5de8602b0776
- SHA256: 2b2a8f5f2d9ffe7a82671f2f46d580f9a0c5914af6ff4138b76d6dd94b047042
- SHA512: c348586e9d0e2d1199a6e34692882eb243f3186328b1380e53479578a1d787dc02fb314dd1bcd180c743a392da298d2407d919ed40f42525cd2271c2c45dc1f8