Overview

overview

10

Static

static

3

JaffaCakes...eb.exe

windows7-x64

10

JaffaCakes...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_40d95f0aae2b8cfaaa5d7c1d30b2e5eb.exe

  • Size

    621KB

  • MD5

    40d95f0aae2b8cfaaa5d7c1d30b2e5eb

  • SHA1

    e5ab01d677560b0b4136b3a2197096360d0d66fd

  • SHA256

    1be1e3c54902c2fa8481888505ec900185231713ed07fc85e140f489965f6855

  • SHA512

    926220911b2176443bc6392d7fbe3727f3de37e1660e8e5e6cc7d2d600b38c3ce46d81d2e1d1d6a7c7637c402afab9c7ed0791187360012ff8d9d31f8f049936

  • SSDEEP

    12288:Z4BL/9Z2VngICLCi+wLquqMBBUsebeFZnbXCQJiI:ZKlZ3IK+Eqib86nTTs

Score
10/10
xtremeratdiscoverypersistenceratspywareupx

Malware Config

Signatures

  • Detect XtremeRAT payload 2 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40d95f0aae2b8cfaaa5d7c1d30b2e5eb.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40d95f0aae2b8cfaaa5d7c1d30b2e5eb.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Users\Admin\AppData\Local\Temp\AFONSOBR LOADER V08.EXE
      "C:\Users\Admin\AppData\Local\Temp\AFONSOBR LOADER V08.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1200
    • C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
      "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AFONSOBR LOADER V08.EXE
    Filesize

    540KB

    MD5

    6501b34429972096598dc19a688ededf

    SHA1

    607de33670c1fd3fac85520c3b2069c6d2aca8df

    SHA256

    960e6263f86c20eb885c4c5e7660aa24c4aff11512b246c154eee4dbf52d8c0b

    SHA512

    85caeaa2b2e2d03eb4048b6a3d396df03553273df6e18e6b517202e1944fa639ccd41c766275ea12e65854d697542619aa02b0d486c1243ce368157531100046

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
    Filesize

    19KB

    MD5

    f8a143bbe52fa1e447505fe32d2afda5

    SHA1

    381806c29114a754a49db2b71c357bdc2104e034

    SHA256

    da0a25ac122265f455909be484b02c855ecf4f2cdfec076d4a8fc79bb6f5f6d2

    SHA512

    7c37300147c245788368c58f6bf6c68c43524ca2815c93b5aaf9b2f72136868d6801832f410248f5193774293c1540adbf4476d26b55f53263245af0503ad292

    Download Submit

  • memory/1200-17-0x0000000000570000-0x0000000000571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-27-0x0000000000570000-0x0000000000571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-28-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

    Download

  • memory/2544-16-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2544-26-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3852-23-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

    Download