Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    12-12-2024 16:53

General

  • Target

    e75adde386505df699c22e87cc73e105_JaffaCakes118.exe

  • Size

    52KB

  • MD5

    e75adde386505df699c22e87cc73e105

  • SHA1

    4bcc42b49f3796acd5e3ba1e848c115adda2f9c3

  • SHA256

    a7626bffd9e9cb6c9e8be8081dee3ef9ed4178de7335a9285d748594ea2b306a

  • SHA512

    3118d25d4670c30d671e09a73b422539b50e7022f9f9044c343fff4a2dc66446871bfbcd35144d61eca7ead21dd2142a559664da69dd34578843ef3f3c03c32e

  • SSDEEP

    768:/JMuijtHf5g7/IIG3bGcYDBSvFIWuePQDGEsgQhiQAqrElEdETkTWOf20:/CNW71rcYDAWeoDrsxiQxeL0

Malware Config

Extracted

Family

xtremerat

C2

ㆼjoker01.zapto.org

Signatures

  • Detect XtremeRAT payload 2 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • Xtremerat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e75adde386505df699c22e87cc73e105_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\server (4).exe
      "C:\Users\Admin\AppData\Local\Temp\server (4).exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2852
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:2876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\server (4).exe

      Filesize

      33KB

      MD5

      5bd3c8170a95f0bfceecdbe49951619f

      SHA1

      e6cc2962d51088d1a4562df82bf3e2a51d05cdbd

      SHA256

      88fd589a55221b85a2c6daf3e1eadf9d080bd427faaa5ae7a9cf00bb33343d39

      SHA512

      5b70b22a29d4d2396c88394c315cde8ea517ac5fb34eb58d79d138d1812dc0cb8e4931b7fb5ecc2dabe7273c60de185daa06ceb84a8c3b4c939ba32f3a0bb808

    • memory/1048-5-0x00000000069C0000-0x0000000006BF8000-memory.dmp

      Filesize

      2.2MB

    • memory/1048-15-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

    • memory/1048-21-0x0000000004230000-0x0000000004232000-memory.dmp

      Filesize

      8KB

    • memory/2104-23-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

    • memory/2104-28-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

    • memory/2852-26-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB