Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2024 16:53

Static task: static1
Behavioral task: behavioral1
Sample: e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
Resource: win7-20241023-en
Behavioral task: behavioral2
Sample: e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
Size: 52KB
MD5: e75adde386505df699c22e87cc73e105
SHA1: 4bcc42b49f3796acd5e3ba1e848c115adda2f9c3
SHA256: a7626bffd9e9cb6c9e8be8081dee3ef9ed4178de7335a9285d748594ea2b306a
SHA512: 3118d25d4670c30d671e09a73b422539b50e7022f9f9044c343fff4a2dc66446871bfbcd35144d61eca7ead21dd2142a559664da69dd34578843ef3f3c03c32e
SSDEEP: 768:/JMuijtHf5g7/IIG3bGcYDBSvFIWuePQDGEsgQhiQAqrElEdETkTWOf20:/CNW71rcYDAWeoDrsxiQxeL0
Malware Config
Extracted
xtremerat
joker01.zapto.org
Signatures
Detect XtremeRAT payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2852-26-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral1/memory/2104-28-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Xtremerat family
Executes dropped EXE (1 IoC)
pid | Process
2104 | server (4).exe
Loads dropped DLL (4 IoCs)
pid | Process
1048 | e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
1048 | e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
1048 | e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
1048 | e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
resource | yara_rule
behavioral1/files/0x0008000000016de8-7.dat | upx
behavioral1/memory/2104-23-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2852-26-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2104-28-0x0000000010000000-0x000000001004D000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server (4).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1048 | e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 1048 wrote to memory of 2104 | 1048 | e75adde386505df699c22e87cc73e105_JaffaCakes118.exe | 30
PID 1048 wrote to memory of 2104 | 1048 | e75adde386505df699c22e87cc73e105_JaffaCakes118.exe | 30
PID 1048 wrote to memory of 2104 | 1048 | e75adde386505df699c22e87cc73e105_JaffaCakes118.exe | 30
PID 1048 wrote to memory of 2104 | 1048 | e75adde386505df699c22e87cc73e105_JaffaCakes118.exe | 30
PID 2104 wrote to memory of 2852 | 2104 | server (4).exe | 31
PID 2104 wrote to memory of 2852 | 2104 | server (4).exe | 31
PID 2104 wrote to memory of 2852 | 2104 | server (4).exe | 31
PID 2104 wrote to memory of 2852 | 2104 | server (4).exe | 31
PID 2104 wrote to memory of 2852 | 2104 | server (4).exe | 31
PID 2104 wrote to memory of 2876 | 2104 | server (4).exe | 32
PID 2104 wrote to memory of 2876 | 2104 | server (4).exe | 32
PID 2104 wrote to memory of 2876 | 2104 | server (4).exe | 32
PID 2104 wrote to memory of 2876 | 2104 | server (4).exe | 32
PID 2104 wrote to memory of 2876 | 2104 | server (4).exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e75adde386505df699c22e87cc73e105_JaffaCakes118.exe"
  PID: 1048
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\server (4).exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server (4).exe"
      PID: 2104
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe
          Command line: svchost.exe
          PID: 2852
          - System Location Discovery: System Language Discovery
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 2876
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 33KB
MD5: 5bd3c8170a95f0bfceecdbe49951619f
SHA1: e6cc2962d51088d1a4562df82bf3e2a51d05cdbd
SHA256: 88fd589a55221b85a2c6daf3e1eadf9d080bd427faaa5ae7a9cf00bb33343d39
SHA512: 5b70b22a29d4d2396c88394c315cde8ea517ac5fb34eb58d79d138d1812dc0cb8e4931b7fb5ecc2dabe7273c60de185daa06ceb84a8c3b4c939ba32f3a0bb808