Analysis

  • max time kernel
    95s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2024 16:53

General

  • Target

    e75adde386505df699c22e87cc73e105_JaffaCakes118.exe

  • Size

    52KB

  • MD5

    e75adde386505df699c22e87cc73e105

  • SHA1

    4bcc42b49f3796acd5e3ba1e848c115adda2f9c3

  • SHA256

    a7626bffd9e9cb6c9e8be8081dee3ef9ed4178de7335a9285d748594ea2b306a

  • SHA512

    3118d25d4670c30d671e09a73b422539b50e7022f9f9044c343fff4a2dc66446871bfbcd35144d61eca7ead21dd2142a559664da69dd34578843ef3f3c03c32e

  • SSDEEP

    768:/JMuijtHf5g7/IIG3bGcYDBSvFIWuePQDGEsgQhiQAqrElEdETkTWOf20:/CNW71rcYDAWeoDrsxiQxeL0

Malware Config

Extracted

Family

xtremerat

C2

ㆼjoker01.zapto.org

Signatures

  • Detect XtremeRAT payload 3 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • Xtremerat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e75adde386505df699c22e87cc73e105_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Subvert Trust Controls: Mark-of-the-Web Bypass
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Local\Temp\server (4).exe
      "C:\Users\Admin\AppData\Local\Temp\server (4).exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3552
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 512
          4⤵
          • Program crash
          PID:4484
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 520
          4⤵
          • Program crash
          PID:4676
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
          PID:2028
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3552 -ip 3552
      1⤵
        PID:2420
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3552 -ip 3552
        1⤵
          PID:4996

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\server (4).exe

          Filesize

          33KB

          MD5

          5bd3c8170a95f0bfceecdbe49951619f

          SHA1

          e6cc2962d51088d1a4562df82bf3e2a51d05cdbd

          SHA256

          88fd589a55221b85a2c6daf3e1eadf9d080bd427faaa5ae7a9cf00bb33343d39

          SHA512

          5b70b22a29d4d2396c88394c315cde8ea517ac5fb34eb58d79d138d1812dc0cb8e4931b7fb5ecc2dabe7273c60de185daa06ceb84a8c3b4c939ba32f3a0bb808

        • memory/3552-41-0x0000000010000000-0x000000001004D000-memory.dmp

          Filesize

          308KB

        • memory/3552-43-0x0000000010000000-0x000000001004D000-memory.dmp

          Filesize

          308KB

        • memory/5020-39-0x0000000010000000-0x000000001004D000-memory.dmp

          Filesize

          308KB

        • memory/5020-42-0x0000000010000000-0x000000001004D000-memory.dmp

          Filesize

          308KB