Overview

overview

10

Static

static

5

ee2137ca6f...18.exe

windows7-x64

10

ee2137ca6f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-12-2024 09:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    ee2137ca6fc3ad1710e1ad4fd0419625

  • SHA1

    4f9e275901f9a2d65512a793422c316cd0f74361

  • SHA256

    efff17caa85cf12923caa783477206e90197fabecae18e2f719400207483323d

  • SHA512

    bef89fc269a7ca3a3f731e921a26869f134448323dcc4520ce12908623b85255541744e17614a8c0d937f0b1603f3c351c290e5d027aefaa94199050c4c4f041

  • SSDEEP

    24576:LFE//Tct4bOski47Ersh4TP96Rw9PsbgwRe6aegxiu32exMfAmULP:hSVkv7qsWP96cPQRe6Ru322MImU7

Score
10/10
xtremeratdiscoverypersistenceratspywareupx

Malware Config

Signatures

  • Detect XtremeRAT payload 1 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • Executes dropped EXE 4 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Users\Admin\AppData\Local\Temp\bebers.exe
      C:\Users\Admin\AppData\Local\Temp/bebers.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Users\Admin\AppData\Local\Temp\bebers.exe
        C:\Users\Admin\AppData\Local\Temp\bebers.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
            PID:408
      • C:\Users\Admin\AppData\Local\Temp\MP3Cutter.exe
        C:\Users\Admin\AppData\Local\Temp/MP3Cutter.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3820
        • C:\Users\Admin\AppData\Local\Temp\is-M197B.tmp\is-5UD14.tmp
          C:\Users\Admin\AppData\Local\Temp\is-M197B.tmp\is-5UD14.tmp /SL4 $90068 C:\Users\Admin\AppData\Local\Temp\MP3Cutter.exe 949089 68096
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2016

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MP3Cutter.exe
      Filesize

      935KB

      MD5

      433d89ab2e25de2c4df585d9de3d8826

      SHA1

      504f78c9527088dc638f0f100b3593081d2277f2

      SHA256

      6f24345093fb88cc2299f15aa7ce53d98bf6f9781e737bb6b0d7c4437b300449

      SHA512

      8bf1f2c748880bc20815a2cee27e9f935296adb227c04b24d62fc973098e7d7ac43dde5da9f92e6a128d2346fa2ce6c8e106512ddfc28d2ab7243d1b9f01c673

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aut86C4.tmp
      Filesize

      70KB

      MD5

      9dc2f8113a65f305d8ce70b387b5b5b8

      SHA1

      d6261cbdacafa66fdef41f57c2c7a1dfa47f98ee

      SHA256

      797020db930f76f9f5cf236a8b21b66d1c578143eaf41f393210fd64551ecfdd

      SHA512

      038841ff2d3022391e762bb2db1e58cb842eba7dc32e68bfd399b59acbd9bb1c36acd44eeffa33396da2b7fa751cff0d4ac6fb914ab42cc316173d7bdeee71b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-M197B.tmp\is-5UD14.tmp
      Filesize

      550KB

      MD5

      f8af304447fc04618285f448d0651220

      SHA1

      ec2dd2c8b931501f977eefef5449b37373734415

      SHA256

      f0678194ef4b80ed8ec73ef78e5dff621c2602df47fb90e43800b6ab30c33d59

      SHA512

      c2e4cca9a38c8a5616936b2c643596c6125782bf32619eb9e890f9a7b4a293504151b22478e308656f43fc30e7ba4d9859e1a8ac1aba5e72169b8ded7cf39289

      Download Submit

    • memory/1812-31-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1812-35-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1812-34-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-42-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-58-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-68-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-40-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-66-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-64-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-62-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-60-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-56-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-44-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-46-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-48-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-50-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-52-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2016-54-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2796-20-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2796-39-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3820-41-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3820-24-0x0000000000401000-0x000000000040D000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3820-21-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4616-0-0x0000000000400000-0x00000000004C1000-memory.dmp

      Filesize

      772KB

      Download

    • memory/4616-25-0x0000000000400000-0x00000000004C1000-memory.dmp

      Filesize

      772KB

      Download