Overview

overview

10

Static

static

3

JaffaCakes...06.exe

windows7-x64

10

JaffaCakes...06.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe

  • Size

    279KB

  • MD5

    60346d6d7471ce30de99997efaf63006

  • SHA1

    97edc6484b68609a483950fc88dbc8fd885997d1

  • SHA256

    5d7c90c03d6582b8b067ee14328b93bb08680d12f32d503a308ec0ff410f3dfb

  • SHA512

    f8dcc57e1662e45fa3b7bb69569113e5a863a6ff6c84ab6eed28982e8bac6d5fb722595450e0509d996654b72481fa15383a5344a3d401f57ca575c8620771e7

  • SSDEEP

    6144:VAbjy/ALTraclI9AOveibOH3oxrqFNCapD7Vz1iRVfotU:V2jy4L/JlI91veibKY5q2apD7RYf+U

Score
10/10
xtremeratdiscoverypersistenceratspywareupx

Malware Config

Signatures

  • Detect XtremeRAT payload 6 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe"
      2⤵
      • Checks BIOS information in registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Checks computer location settings
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4492
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
            PID:540
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            4⤵
              PID:3640
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
              4⤵
                PID:4420
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                4⤵
                  PID:4716
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                  4⤵
                    PID:364
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                    4⤵
                      PID:3292
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                      4⤵
                        PID:3728
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                        4⤵
                          PID:3108
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                          4⤵
                            PID:1508
                          • C:\Windows\SysWOW64\InstallDir\Server.exe
                            "C:\Windows\system32\InstallDir\Server.exe"
                            4⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:2612
                            • C:\Windows\SysWOW64\InstallDir\Server.exe
                              "C:\Windows\system32\InstallDir\Server.exe"
                              5⤵
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              • Suspicious use of WriteProcessMemory
                              PID:844
                              • C:\Windows\SysWOW64\InstallDir\Server.exe
                                "C:\Windows\SysWOW64\InstallDir\Server.exe"
                                6⤵
                                • Boot or Logon Autostart Execution: Active Setup
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:3480
                                • C:\Windows\SysWOW64\svchost.exe
                                  svchost.exe
                                  7⤵
                                    PID:4300
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                    7⤵
                                      PID:4216
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                      7⤵
                                        PID:4112
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                        7⤵
                                          PID:1180
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                          7⤵
                                            PID:3064
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                            7⤵
                                              PID:4748
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                              7⤵
                                                PID:544
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                7⤵
                                                  PID:2316
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                  7⤵
                                                    PID:1120
                                                  • C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
                                                    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
                                                    7⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2568
                                                    • C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
                                                      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
                                                      8⤵
                                                      • Checks BIOS information in registry
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:2900
                                                      • C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
                                                        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
                                                        9⤵
                                                        • Boot or Logon Autostart Execution: Active Setup
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:1712
                                                        • C:\Windows\SysWOW64\svchost.exe
                                                          svchost.exe
                                                          10⤵
                                                            PID:3500
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                            10⤵
                                                              PID:4884
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                              10⤵
                                                                PID:752
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                10⤵
                                                                  PID:1564
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                  10⤵
                                                                    PID:3592
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                    10⤵
                                                                      PID:3024
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                      10⤵
                                                                        PID:2372
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                        10⤵
                                                                          PID:4360
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                          10⤵
                                                                            PID:4052
                                                                          • C:\Windows\SysWOW64\InstallDir\Server.exe
                                                                            "C:\Windows\system32\InstallDir\Server.exe"
                                                                            10⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:3424
                                                                            • C:\Windows\SysWOW64\InstallDir\Server.exe
                                                                              "C:\Windows\system32\InstallDir\Server.exe"
                                                                              11⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1044

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Users\Admin\AppData\Local\Temp\F827973E.TMP
                                                          Filesize

                                                          25B

                                                          MD5

                                                          74c7f15f70e3cc50139cc6b798d57feb

                                                          SHA1

                                                          c5c58d8003d6d8eb3bf30b93cd87b5600856a988

                                                          SHA256

                                                          35f0ac141abdb905adacede4d8987205f51148fe59b15b17ff0d66334271207d

                                                          SHA512

                                                          40f2a4f5ebb5f79efbab3c426b8e2e3164b4a9b199977b8617d692f739ab6d6309ac40b2f598fc2e318806ffa8602a6c965d70e18d53d152fedd2bc781f7df5e

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227495264-2217614367-4027411560-1000\699c4b9cdebca7aaea5193cae8a50098_423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3
                                                          Filesize

                                                          50B

                                                          MD5

                                                          5b63d4dd8c04c88c0e30e494ec6a609a

                                                          SHA1

                                                          884d5a8bdc25fe794dc22ef9518009dcf0069d09

                                                          SHA256

                                                          4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

                                                          SHA512

                                                          15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg
                                                          Filesize

                                                          1KB

                                                          MD5

                                                          79d4a60cff7ff3053b33e1c43e662ea1

                                                          SHA1

                                                          5454cef04080bcc009c63daf88dfe948a3dcbb9c

                                                          SHA256

                                                          557b3fbd62fd84f5aefae950790ae7a852604ed5af8c498385ec3033d80ce1fe

                                                          SHA512

                                                          31e9c46648b97db17a6cb04de969395bb256ca9e7e8177a9ccbab9084807881ddee1eb7c6b64046b76d9a5a03d6687986ce520aac19444789faf8cb1e75ac13c

                                                          Download Submit

                                                        • C:\Windows\SysWOW64\InstallDir\Server.exe
                                                          Filesize

                                                          279KB

                                                          MD5

                                                          60346d6d7471ce30de99997efaf63006

                                                          SHA1

                                                          97edc6484b68609a483950fc88dbc8fd885997d1

                                                          SHA256

                                                          5d7c90c03d6582b8b067ee14328b93bb08680d12f32d503a308ec0ff410f3dfb

                                                          SHA512

                                                          f8dcc57e1662e45fa3b7bb69569113e5a863a6ff6c84ab6eed28982e8bac6d5fb722595450e0509d996654b72481fa15383a5344a3d401f57ca575c8620771e7

                                                          Download Submit

                                                        • memory/540-31-0x0000000000C80000-0x0000000000C95000-memory.dmp

                                                          Filesize

                                                          84KB

                                                          Download

                                                        • memory/844-118-0x0000000000400000-0x0000000000482000-memory.dmp

                                                          Filesize

                                                          520KB

                                                          Download

                                                        • memory/844-117-0x0000000001F30000-0x0000000001F55000-memory.dmp

                                                          Filesize

                                                          148KB

                                                          Download

                                                        • memory/844-102-0x0000000000400000-0x0000000000482000-memory.dmp

                                                          Filesize

                                                          520KB

                                                          Download

                                                        • memory/844-103-0x0000000001F30000-0x0000000001F55000-memory.dmp

                                                          Filesize

                                                          148KB

                                                          Download

                                                        • memory/844-101-0x0000000000400000-0x0000000000482000-memory.dmp

                                                          Filesize

                                                          520KB

                                                          Download

                                                        • memory/844-94-0x0000000001F30000-0x0000000001F55000-memory.dmp

                                                          Filesize

                                                          148KB

                                                          Download

                                                        • memory/852-16-0x0000000000560000-0x0000000000585000-memory.dmp

                                                          Filesize

                                                          148KB

                                                          Download

                                                        • memory/852-10-0x0000000000560000-0x0000000000585000-memory.dmp

                                                          Filesize

                                                          148KB

                                                          Download

                                                        • memory/852-8-0x0000000000400000-0x0000000000482000-memory.dmp

                                                          Filesize

                                                          520KB

                                                          Download

                                                        • memory/852-2-0x0000000000560000-0x0000000000585000-memory.dmp

                                                          Filesize

                                                          148KB

                                                          Download

                                                        • memory/852-9-0x0000000000400000-0x0000000000482000-memory.dmp

                                                          Filesize

                                                          520KB

                                                          Download

                                                        • memory/852-17-0x0000000000400000-0x0000000000482000-memory.dmp

                                                          Filesize

                                                          520KB

                                                          Download

                                                        • memory/2900-188-0x0000000000580000-0x00000000005A5000-memory.dmp

                                                          Filesize

                                                          148KB

                                                          Download

                                                        • memory/2900-195-0x0000000000400000-0x0000000000482000-memory.dmp

                                                          Filesize

                                                          520KB

                                                          Download

                                                        • memory/2900-210-0x0000000000580000-0x00000000005A5000-memory.dmp

                                                          Filesize

                                                          148KB

                                                          Download

                                                        • memory/2900-211-0x0000000000400000-0x0000000000482000-memory.dmp

                                                          Filesize

                                                          520KB

                                                          Download

                                                        • memory/2900-197-0x0000000000580000-0x00000000005A5000-memory.dmp

                                                          Filesize

                                                          148KB

                                                          Download

                                                        • memory/2900-196-0x0000000000400000-0x0000000000482000-memory.dmp

                                                          Filesize

                                                          520KB

                                                          Download

                                                        • memory/3480-110-0x0000000000C80000-0x0000000000C95000-memory.dmp

                                                          Filesize

                                                          84KB

                                                          Download

                                                        • memory/3480-115-0x0000000000C80000-0x0000000000C95000-memory.dmp

                                                          Filesize

                                                          84KB

                                                          Download

                                                        • memory/3500-218-0x0000000000C80000-0x0000000000C95000-memory.dmp

                                                          Filesize

                                                          84KB

                                                          Download

                                                        • memory/4300-125-0x0000000000C80000-0x0000000000C95000-memory.dmp

                                                          Filesize

                                                          84KB

                                                          Download

                                                        • memory/4492-25-0x0000000000C80000-0x0000000000C95000-memory.dmp

                                                          Filesize

                                                          84KB

                                                          Download

                                                        • memory/4492-24-0x0000000000C80000-0x0000000000C95000-memory.dmp

                                                          Filesize

                                                          84KB

                                                          Download

                                                        • memory/4492-14-0x0000000000C80000-0x0000000000C95000-memory.dmp

                                                          Filesize

                                                          84KB

                                                          Download

                                                        • memory/4492-19-0x0000000000C80000-0x0000000000C95000-memory.dmp

                                                          Filesize

                                                          84KB

                                                          Download