Analysis
max time kernel: 95s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2024 16:53
Static task: static1
Behavioral task: behavioral1
  Sample: e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
Size: 52KB
MD5: e75adde386505df699c22e87cc73e105
SHA1: 4bcc42b49f3796acd5e3ba1e848c115adda2f9c3
SHA256: a7626bffd9e9cb6c9e8be8081dee3ef9ed4178de7335a9285d748594ea2b306a
SHA512: 3118d25d4670c30d671e09a73b422539b50e7022f9f9044c343fff4a2dc66446871bfbcd35144d61eca7ead21dd2142a559664da69dd34578843ef3f3c03c32e
SSDEEP: 768:/JMuijtHf5g7/IIG3bGcYDBSvFIWuePQDGEsgQhiQAqrElEdETkTWOf20:/CNW71rcYDAWeoDrsxiQxeL0
Malware Config
Extracted
xtremerat
joker01.zapto.org
Signatures
Detect XtremeRAT payload 3 IoCs
resource  yara_rule
behavioral2/memory/3552-41-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral2/memory/5020-42-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral2/memory/3552-43-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Xtremerat family
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
pid  Process
5020  server (4).exe
resource  yara_rule
behavioral2/files/0x000c000000023b8e-7.dat  upx
behavioral2/memory/5020-39-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/3552-41-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/5020-42-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/3552-43-0x0000000010000000-0x000000001004D000-memory.dmp  upx
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description  ioc  Process
File opened for modification  C:\Users\Admin\AppData\Local\Temp\server (4).exe:Zone.Identifier  e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid  pid_target  Process  procid_target
4484  3552  WerFault.exe  84
4676  3552  WerFault.exe  84
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  server (4).exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
Modifies registry class 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings  e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
NTFS ADS 1 IoCs
description  ioc  Process
File opened for modification  C:\Users\Admin\AppData\Local\Temp\server (4).exe:Zone.Identifier  e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid  Process
1716  e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 10 IoCs
description  pid  Process  procid_target
PID 1716 wrote to memory of 5020  1716  e75adde386505df699c22e87cc73e105_JaffaCakes118.exe  82
PID 1716 wrote to memory of 5020  1716  e75adde386505df699c22e87cc73e105_JaffaCakes118.exe  82
PID 1716 wrote to memory of 5020  1716  e75adde386505df699c22e87cc73e105_JaffaCakes118.exe  82
PID 5020 wrote to memory of 3552  5020  server (4).exe  84
PID 5020 wrote to memory of 3552  5020  server (4).exe  84
PID 5020 wrote to memory of 3552  5020  server (4).exe  84
PID 5020 wrote to memory of 3552  5020  server (4).exe  84
PID 5020 wrote to memory of 2028  5020  server (4).exe  85
PID 5020 wrote to memory of 2028  5020  server (4).exe  85
PID 5020 wrote to memory of 2028  5020  server (4).exe  85
Processes
C:\Users\Admin\AppData\Local\Temp\e75adde386505df699c22e87cc73e105_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e75adde386505df699c22e87cc73e105_JaffaCakes118.exe"
  PID: 1716
  - Checks computer location settings
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\server (4).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server (4).exe"
    PID: 5020
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 3552
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 512
        PID: 4484
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 520
        PID: 4676
        - Program crash
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      PID: 2028
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3552 -ip 3552
  PID: 2420
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3552 -ip 3552
  PID: 4996
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 33KB
MD5: 5bd3c8170a95f0bfceecdbe49951619f
SHA1: e6cc2962d51088d1a4562df82bf3e2a51d05cdbd
SHA256: 88fd589a55221b85a2c6daf3e1eadf9d080bd427faaa5ae7a9cf00bb33343d39
SHA512: 5b70b22a29d4d2396c88394c315cde8ea517ac5fb34eb58d79d138d1812dc0cb8e4931b7fb5ecc2dabe7273c60de185daa06ceb84a8c3b4c939ba32f3a0bb808