Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2025, 20:21

General

  • Target

    JaffaCakes118_435b72cfbf939eb1f32f3d2f528e21c4.exe

  • Size

    809KB

  • MD5

    435b72cfbf939eb1f32f3d2f528e21c4

  • SHA1

    f0320c280a25f03301586d1acd84edc9247d3da0

  • SHA256

    2fe90d9427c800ef20af4d2987c95b602a47a82ca42a39b9e9c8ea82f109054a

  • SHA512

    c726a5be311889f086091e2b622f66f6f6bf4a22ca0d8a57844ab1ae83ec0d964bbe8dbfae61b661aaf824ba0a6c120dae5ebf9cad7b85a376d908fe188abcaa

  • SSDEEP

    12288:OuXdjyfHShflT8ZfMfHS3HHiL9QHB11hJ2BHjyDNT9Zs3Aym8Gm:OAyfHSMZU/siBKhJ2BHG9ZsQyme

Malware Config

Extracted

Family

xtremerat

C2

mikropbisey.no-ip.biz

Signatures

  • Detect XtremeRAT payload 2 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

  • Xtremerat family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_435b72cfbf939eb1f32f3d2f528e21c4.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_435b72cfbf939eb1f32f3d2f528e21c4.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TURKHA~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TURKHA~1.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:316
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\system32.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\system32.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\system32.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2232
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
            PID:2688
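
    The process tree above shows the pattern the signatures describe: a package that extracts into %TEMP%\IXP000.TMP (the directory name IExpress self-extracting packages use) drops two executables, system32.exe relaunches its own image (SetThreadContext and WriteProcessMemory are flagged on the parent, PID 2196), and that child (PID 1952) then launches svchost.exe and iexplore.exe, neither of which should have a parent in a user's Temp directory. The following is an added example, not tria.ge code, of detection logic for those patterns run over a constructed copy of the tree. The events are built from the PIDs, images and parent links printed above and are shaped like Sysmon process-creation and registry-value-set records, but they are not captured telemetry; the Run-key value name and data are assumed, because the report confirms the key was added by PID 2896 but does not print it.

```python
"""Detection logic for the behaviours this report flags, run over a constructed
copy of its process tree.  Added example, not tria.ge code."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class ProcEvent:
    """Shaped like a Sysmon process-creation record (constructed, not captured)."""
    pid: int
    image: str
    parent_pid: Optional[int] = None
    parent_image: Optional[str] = None


@dataclass
class RegEvent:
    """Shaped like a Sysmon registry-value-set record (constructed, not captured)."""
    pid: int
    key: str
    value: str
    data: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\JaffaCakes118_435b72cfbf939eb1f32f3d2f528e21c4.exe"
STAGE2 = TEMP + r"\IXP000.TMP\system32.exe"

# Constructed from the PIDs, images and parent links in the report's process tree.
EVENTS: List[ProcEvent] = [
    ProcEvent(2896, SAMPLE),
    ProcEvent(316, TEMP + r"\IXP000.TMP\TURKHA~1.EXE", 2896, SAMPLE),
    ProcEvent(2196, STAGE2, 2896, SAMPLE),
    ProcEvent(1952, STAGE2, 2196, STAGE2),
    ProcEvent(2232, r"C:\Windows\SysWOW64\svchost.exe", 1952, STAGE2),
    ProcEvent(2688, r"C:\Program Files\Internet Explorer\iexplore.exe", 1952, STAGE2),
]

# ASSUMED value name and data: the report says PID 2896 added a Run key but
# does not print which value or what it points at.
REG_EVENTS: List[RegEvent] = [
    RegEvent(2896, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "assumed_value_name", STAGE2),
]

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# %TEMP%\IXPnnn.TMP is the extraction directory IExpress self-extracting packages use.
IEXPRESS_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)
# File names borrowed from Windows system directory names.
SYSTEM_DIR_NAMES = {"system32.exe", "syswow64.exe"}
# Processes whose only legitimate parent is a fixed system process.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


def classify_process(ev: ProcEvent) -> Set[str]:
    tags: Set[str] = set()
    name = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower() if ev.parent_image else None
    if USER_TEMP.search(ev.image):
        tags.add("exec-from-user-temp")
    if IEXPRESS_DIR.search(ev.image):
        tags.add("iexpress-extract-dir")
    if name in SYSTEM_DIR_NAMES:
        tags.add("system-dir-name-masquerade")
    if name in EXPECTED_PARENT and parent != EXPECTED_PARENT[name]:
        tags.add("unexpected-parent")
    if ev.parent_image and ev.image.lower() == ev.parent_image.lower() and USER_TEMP.search(ev.image):
        # A Temp-resident binary relaunching its own image is the classic
        # hollowing setup (suspended child, WriteProcessMemory, SetThreadContext).
        tags.add("self-respawn")
    if ev.parent_image and USER_TEMP.search(ev.parent_image) and not USER_TEMP.search(ev.image):
        # A system or Program Files binary launched from Temp: injection-target candidate.
        tags.add("system-binary-spawned-from-temp")
    return tags


def classify_registry(ev: RegEvent) -> Set[str]:
    tags: Set[str] = set()
    key = ev.key.lower().rstrip("\\")
    if key.endswith(r"\currentversion\run") and USER_TEMP.search(ev.data):
        tags.add("run-key-to-user-temp")
    return tags


def findings(events: Iterable[ProcEvent], reg_events: Iterable[RegEvent]) -> Dict[int, Set[str]]:
    """Map PID -> set of finding tags; PIDs with no findings are omitted."""
    out: Dict[int, Set[str]] = {}
    for ev in events:
        tags = classify_process(ev)
        if tags:
            out.setdefault(ev.pid, set()).update(tags)
    for rv in reg_events:
        tags = classify_registry(rv)
        if tags:
            out.setdefault(rv.pid, set()).update(tags)
    return out


if __name__ == "__main__":
    for pid, tags in sorted(findings(EVENTS, REG_EVENTS).items()):
        print(pid, sorted(tags))
```

    The svchost.exe rule is deliberately narrow (parent must be services.exe); on a real host add the same expected-parent pairs for the other fixed-parent system processes before relying on it, and treat the Run-key rule as a starting point, since the report does not show what the key pointed at.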

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\TURKHA~1.EXE

      Filesize

      592KB

      MD5

      644c285f2b6201f213f4965d47569733

      SHA1

      6fef57d8beb24c5c601d6fb64cbd4a692b0461ac

      SHA256

      c37c408ff6bf45957ad8feafcffb36ef6c676756cbf24153f72d9c503d2ad63a

      SHA512

      14022d3be8c6083401332d51c348b1c7675162f98f8db0abcb2553cb8c4d657b8f67ac18c6f3011bddd5d74943b9df692ae70a5de7dffa6f2eabca26de0f4d50

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\system32.exe

      Filesize

      389KB

      MD5

      53d7993497873f49cf664b3b8e2dbfcc

      SHA1

      e470b1c09ac77214bb70c7852ab8f254ee4ac27d

      SHA256

      95e923e9d29f4748efb479e142469d3468290d2e0ea77e3cce84afd22bd7b17f

      SHA512

      50102ddcd36d5482b88a75daf29034f222c97f5227675f51eda619b70fae5f68100300ccbca8c35410ae576c5a756ec7173227f093a38ead7b9cfd155fbbdfbe

    • memory/1952-33-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

    • memory/1952-43-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

    • memory/1952-40-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

    • memory/1952-42-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

    • memory/1952-29-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

    • memory/1952-31-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

    • memory/1952-36-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB

    • memory/1952-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2196-24-0x0000000000400000-0x0000000000550000-memory.dmp

      Filesize

      1.3MB

    • memory/2196-38-0x0000000000400000-0x0000000000550000-memory.dmp

      Filesize

      1.3MB

    • memory/2196-39-0x0000000000401000-0x0000000000414000-memory.dmp

      Filesize

      76KB

    • memory/2196-27-0x0000000000401000-0x0000000000414000-memory.dmp

      Filesize

      76KB

    • memory/2232-46-0x0000000010000000-0x000000001004D000-memory.dmp

      Filesize

      308KB
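
    The thirteen dump entries above cover only four distinct regions. The following added example, not tria.ge code, parses the dump names printed above, recomputes each region's size against the listed Filesize, and groups identical regions across PIDs. Run on this listing it shows the 0x10000000-0x1004D000 region (308KB; 0x10000000 is the default preferred image base for MSVC-built DLLs) dumped both from the dropped system32.exe (PID 1952) and from svchost.exe (PID 2232), which, together with the "Detect XtremeRAT payload" signature and svchost's parent in the process tree, is what you would expect if the payload had been injected into svchost.exe. That reading is an inference from the listing, not something the report states.

```python
"""Cross-check the memory-dump entries in this report.  Added example, not
tria.ge code: it parses the dump names printed above, recomputes each region's
size, and groups identical regions across PIDs."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Format of the dump names in the report: memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Copied from the report, paired with the Filesize the report lists.
DUMPS: List[Tuple[str, str]] = [
    ("memory/1952-33-0x0000000010000000-0x000000001004D000-memory.dmp", "308KB"),
    ("memory/1952-43-0x0000000010000000-0x000000001004D000-memory.dmp", "308KB"),
    ("memory/1952-40-0x0000000010000000-0x000000001004D000-memory.dmp", "308KB"),
    ("memory/1952-42-0x0000000010000000-0x000000001004D000-memory.dmp", "308KB"),
    ("memory/1952-29-0x0000000010000000-0x000000001004D000-memory.dmp", "308KB"),
    ("memory/1952-31-0x0000000010000000-0x000000001004D000-memory.dmp", "308KB"),
    ("memory/1952-36-0x0000000010000000-0x000000001004D000-memory.dmp", "308KB"),
    ("memory/1952-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp", "4KB"),
    ("memory/2196-24-0x0000000000400000-0x0000000000550000-memory.dmp", "1.3MB"),
    ("memory/2196-38-0x0000000000400000-0x0000000000550000-memory.dmp", "1.3MB"),
    ("memory/2196-39-0x0000000000401000-0x0000000000414000-memory.dmp", "76KB"),
    ("memory/2196-27-0x0000000000401000-0x0000000000414000-memory.dmp", "76KB"),
    ("memory/2232-46-0x0000000010000000-0x000000001004D000-memory.dmp", "308KB"),
]


def parse_dump(name: str) -> Dict[str, int]:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a tria.ge memory dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human(size: int) -> str:
    """Render a byte count the way the report does: whole KB below 1 MB, else one-decimal MB."""
    if size < 1024 * 1024:
        return f"{size // 1024}KB"
    return f"{size / (1024 * 1024):.1f}MB"


def check_sizes(dumps: List[Tuple[str, str]]) -> List[str]:
    """Names whose recomputed size disagrees with the listed Filesize."""
    return [name for name, listed in dumps if human(parse_dump(name)["size"]) != listed]


def regions_by_address(dumps: List[Tuple[str, str]]) -> Dict[Tuple[int, int], List[Tuple[int, int]]]:
    """(start, end) -> sorted (pid, seq) pairs that dumped exactly that region."""
    groups = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump(name)
        groups[(d["start"], d["end"])].append((d["pid"], d["seq"]))
    return {region: sorted(hits) for region, hits in groups.items()}


def shared_regions(dumps: List[Tuple[str, str]]) -> Dict[Tuple[int, int], List[int]]:
    """Regions dumped from more than one PID: the first places to look for injected code."""
    out: Dict[Tuple[int, int], List[int]] = {}
    for region, hits in regions_by_address(dumps).items():
        pids = sorted({pid for pid, _ in hits})
        if len(pids) > 1:
            out[region] = pids
    return out


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS))
    for (start, end), pids in shared_regions(DUMPS).items():
        print(f"0x{start:08X}-0x{end:08X} ({human(end - start)}) seen in PIDs {pids}")
```

    The seven dumps of the same region in PID 1952 are successive snapshots (the sequence number between the PID and the start address is the only difference), so when pulling the payload for static analysis take the last one and compare its hash with the earlier ones rather than analysing all seven.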