Analysis

  • max time kernel
    146s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/01/2025, 05:30 UTC

General

  • Target

    JaffaCakes118_0ac0ffcca354d86416b46dbe4a9a5e84.exe

  • Size

    36KB

  • MD5

    0ac0ffcca354d86416b46dbe4a9a5e84

  • SHA1

    e40b5d19b2340ad2a739391f969912d43a0d93d8

  • SHA256

    bc771a151e702b46e62755760588a27402d8d434f7489d78a7a53de6bd92ef63

  • SHA512

    50aaadd9055a4dacf43bf18adf72e12ec71778dd03ee07afd2509473460a86f0e3ff4eca8ae1bf13636f1e0f8ed6c500d03df184c73aba53d1c088071904ebd9

  • SSDEEP

    768:O1PWaaTmypGPRihzo1J+DqSVKZILneRg0ZLJySidfI:I+aaq3VQqKre/ZeI

Malware Config

Extracted

Family

xtremerat

C2

loveayada.zapto.org

Signatures

  • Detect XtremeRAT payload 4 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Xtremerat family
  • ModiLoader Second Stage 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ac0ffcca354d86416b46dbe4a9a5e84.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ac0ffcca354d86416b46dbe4a9a5e84.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ac0ffcca354d86416b46dbe4a9a5e84.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ac0ffcca354d86416b46dbe4a9a5e84.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1780
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1848

Network

  • DNS lookup by explorer.exe
    Remote address: 8.8.8.8:53
    Request: loveayada.zapto.org IN A
    Response: No results found
  • 8.8.8.8:53 (dns, explorer.exe)
    Host: loveayada.zapto.org
    65 B sent / 125 B received, 1 / 1 packets

    DNS Request

    loveayada.zapto.org

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\InstallDir\windos.exe

    Filesize

    36KB

    MD5

    0ac0ffcca354d86416b46dbe4a9a5e84

    SHA1

    e40b5d19b2340ad2a739391f969912d43a0d93d8

    SHA256

    bc771a151e702b46e62755760588a27402d8d434f7489d78a7a53de6bd92ef63

    SHA512

    50aaadd9055a4dacf43bf18adf72e12ec71778dd03ee07afd2509473460a86f0e3ff4eca8ae1bf13636f1e0f8ed6c500d03df184c73aba53d1c088071904ebd9

  • memory/1780-19-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/1848-23-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/1848-25-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/1976-5-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/1976-10-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/1976-9-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/1976-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1976-2-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/2336-0-0x0000000010000000-0x0000000010014000-memory.dmp

    Filesize

    80KB

  • memory/2336-1-0x000000001000D000-0x000000001000E000-memory.dmp

    Filesize

    4KB

  • memory/2336-7-0x0000000010000000-0x0000000010014000-memory.dmp

    Filesize

    80KB
