Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/01/2025, 12:03 UTC

General

  • Target

    JaffaCakes118_170320a37ff1e869777b2cf6474c6e08.exe

  • Size

    79KB

  • MD5

    170320a37ff1e869777b2cf6474c6e08

  • SHA1

    b8612e2e0314a034d08f4b38b55c213ff9209d7c

  • SHA256

    68f21aca4c1cc217c49e20b1e42a8d5101e2b48737bcd9229ea4e25539724de8

  • SHA512

    f5ab1de672f8dbfcfddc646b7c338c2b561558444dc878ad8fe4125be99ff244596e93d733ad2d38681875b3583d11912055a9ca486d94fc8718b931de1d7934

  • SSDEEP

    1536:5NGcqZYlSLhe5GDe6JU85n5p+bvVnFEDGPF1HEz6lLYpyqP1uuKrypk0vJ+O:LbuYlS1e5IlJ55TAVnaDGPJRqP1i4rf

Malware Config

Extracted

Family

xtremerat

C2

alssm.no-ip.biz

Signatures

  • Detect XtremeRAT payload 11 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Xtremerat family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_170320a37ff1e869777b2cf6474c6e08.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_170320a37ff1e869777b2cf6474c6e08.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3180
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_170320a37ff1e869777b2cf6474c6e08.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_170320a37ff1e869777b2cf6474c6e08.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5044
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 480
          4⤵
          • Program crash
          PID:4680
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 488
          4⤵
          • Program crash
          PID:320
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Deletes itself
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5044 -ip 5044
    1⤵
      PID:1056
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5044 -ip 5044
      1⤵
        PID:3672

Network

      • flag-us
        DNS
        97.17.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.17.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        98.250.22.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        98.250.22.2.in-addr.arpa
        IN PTR
        Response
        98.250.22.2.in-addr.arpa
        IN PTR
        a2-22-250-98.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        alssm.no-ip.biz
        explorer.exe
        Remote address:
        8.8.8.8:53
        Request
        alssm.no-ip.biz
        IN A
        Response
        alssm.no-ip.biz
        IN A
        0.0.0.0
      • flag-us
        DNS
        76.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        76.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        167.173.78.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        167.173.78.104.in-addr.arpa
        IN PTR
        Response
        167.173.78.104.in-addr.arpa
        IN PTR
        a104-78-173-167.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        241.150.49.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.150.49.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        200.163.202.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        200.163.202.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.42.69.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.42.69.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        21.49.80.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        21.49.80.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        214.72.21.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        214.72.21.2.in-addr.arpa
        IN PTR
        Response
        214.72.21.2.in-addr.arpa
        IN PTR
        a2-21-72-214.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        19.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        19.229.111.52.in-addr.arpa
        IN PTR
        Response
      • 8.8.8.8:53
        97.17.167.52.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        97.17.167.52.in-addr.arpa

      • 8.8.8.8:53
        98.250.22.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        98.250.22.2.in-addr.arpa

      • 8.8.8.8:53
        alssm.no-ip.biz
        dns
        explorer.exe
        61 B
        77 B
        1
        1

        DNS Request

        alssm.no-ip.biz

        DNS Response

        0.0.0.0

      • 8.8.8.8:53
        167.173.78.104.in-addr.arpa
        dns
        73 B
        139 B
        1
        1

        DNS Request

        167.173.78.104.in-addr.arpa

      • 8.8.8.8:53
        76.32.126.40.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        76.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        241.150.49.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        241.150.49.20.in-addr.arpa

      • 8.8.8.8:53
        200.163.202.172.in-addr.arpa
        dns
        74 B
        160 B
        1
        1

        DNS Request

        200.163.202.172.in-addr.arpa

      • 8.8.8.8:53
        241.42.69.40.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        241.42.69.40.in-addr.arpa

      • 8.8.8.8:53
        21.49.80.91.in-addr.arpa
        dns
        70 B
        145 B
        1
        1

        DNS Request

        21.49.80.91.in-addr.arpa

      • 8.8.8.8:53
        214.72.21.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        214.72.21.2.in-addr.arpa

      • 8.8.8.8:53
        19.229.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

      • memory/964-15-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB

      • memory/964-10-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB

      • memory/964-17-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB

      • memory/964-16-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB

      • memory/2468-3-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB

      • memory/2468-4-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB

      • memory/2468-7-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB

      • memory/2468-8-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB

      • memory/2468-11-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB

      • memory/3180-6-0x0000000000400000-0x000000000049B000-memory.dmp

        Filesize

        620KB

      • memory/3180-0-0x0000000000400000-0x000000000049B000-memory.dmp

        Filesize

        620KB

      • memory/5044-9-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB

      • memory/5044-14-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB
