Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 01:43
Static task: static1
Behavioral task: behavioral1
  Sample: df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe
Size: 82KB
MD5: df66f0ca4eedda1c0153aff63743f95f
SHA1: 8b135e7c16dd6035df7bbc07e94330a590138e58
SHA256: 76b19c816680d2463447e55ff6e05a54de6152e20954df549f058392919fc6c4
SHA512: cdf3de415da553c582fb7693bada6eaabf54bc9fd61cbffda482e1078de22edb75ac2a09b5368cb4ce925ad7725904fd3af17f989320a096da84b717dec669e8
SSDEEP: 1536:dSfWkjK0aKqqVs9WzJmv/DdSeWJxfnsf0Zop/m+mxyxHsItTedbDVO7wGU0BM/eh:d4D20kqa9WdmnDYTPsf0Zow+m0lttCdG
Malware Config
Signatures
Detect XtremeRAT payload (4 IoCs)
  resource: behavioral2/files/0x0009000000023c83-12.dat  yara_rule: family_xtremerat
  resource: behavioral2/memory/3228-18-0x0000000010000000-0x000000001004A000-memory.dmp  yara_rule: family_xtremerat
  resource: behavioral2/memory/2820-19-0x0000000010000000-0x000000001004A000-memory.dmp  yara_rule: family_xtremerat
  resource: behavioral2/memory/3228-20-0x0000000010000000-0x000000001004A000-memory.dmp  yara_rule: family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Xtremerat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation  Process: df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
  pid: 2820  Process: CryptedFile.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
  pid: 2848  pid_target: 3228  Process: WerFault.exe  procid_target: 85
  pid: 3092  pid_target: 3228  Process: WerFault.exe  procid_target: 85
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: CryptedFile.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: svchost.exe
Suspicious use of WriteProcessMemory (10 IoCs)
  description: PID 1036 wrote to memory of 2820  pid: 1036  Process: df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe  procid_target: 84
  description: PID 1036 wrote to memory of 2820  pid: 1036  Process: df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe  procid_target: 84
  description: PID 1036 wrote to memory of 2820  pid: 1036  Process: df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe  procid_target: 84
  description: PID 2820 wrote to memory of 3228  pid: 2820  Process: CryptedFile.exe  procid_target: 85
  description: PID 2820 wrote to memory of 3228  pid: 2820  Process: CryptedFile.exe  procid_target: 85
  description: PID 2820 wrote to memory of 3228  pid: 2820  Process: CryptedFile.exe  procid_target: 85
  description: PID 2820 wrote to memory of 3228  pid: 2820  Process: CryptedFile.exe  procid_target: 85
  description: PID 2820 wrote to memory of 1580  pid: 2820  Process: CryptedFile.exe  procid_target: 86
  description: PID 2820 wrote to memory of 1580  pid: 2820  Process: CryptedFile.exe  procid_target: 86
  description: PID 2820 wrote to memory of 1580  pid: 2820  Process: CryptedFile.exe  procid_target: 86
Processes
- C:\Users\Admin\AppData\Local\Temp\df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\df66f0ca4eedda1c0153aff63743f95f_JaffaCakes118.exe"
  PID: 1036
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"
    PID: 2820
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 3228
      Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 484
        PID: 2848
        Signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 504
        PID: 3092
        Signatures: Program crash
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      PID: 1580
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3228 -ip 3228
  PID: 2496
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3228 -ip 3228
  PID: 2444
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 65KB
MD5: 9d85ce7760eca54db59755eae9ef3175
SHA1: 81ece56f5d159c7a25cfa67bc2bc5de8602b0776
SHA256: 2b2a8f5f2d9ffe7a82671f2f46d580f9a0c5914af6ff4138b76d6dd94b047042
SHA512: c348586e9d0e2d1199a6e34692882eb243f3186328b1380e53479578a1d787dc02fb314dd1bcd180c743a392da298d2407d919ed40f42525cd2271c2c45dc1f8