
Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/01/2025, 23:10 UTC

General

  • Target

    JaffaCakes118_50423fd16d4e2c21d286c062164c27ab.exe

  • Size

    108KB

  • MD5

    50423fd16d4e2c21d286c062164c27ab

  • SHA1

    a574914d4e8b304216ce09e13d75e8af51e3b476

  • SHA256

    3ec9b2e6eaa1dacbd0446096270912390e77fcdf9540961afec83c31e95e207e

  • SHA512

    de7bcbe31052f43757f66bb45c4d1bb5eb5853879b6161f64347dd15d483717c2af855462c3cf428459ddda6d6416e49b9f60e72c38934a8d2e442780ea8fe3b

  • SSDEEP

    1536:PnFnrx4TEk1btTmmfAa6R5NlT94rbK/n36ek2+K39:PnVUbtT9f76Flx4cn36bDK39

Malware Config

Extracted

Family

xtremerat

C2

securitywindows.3utilities.com

Signatures

  • Detect XtremeRAT payload 4 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Xtremerat family
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50423fd16d4e2c21d286c062164c27ab.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50423fd16d4e2c21d286c062164c27ab.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50423fd16d4e2c21d286c062164c27ab.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50423fd16d4e2c21d286c062164c27ab.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2596
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:2124

Downloads

  • memory/2548-0-0x0000000010000000-0x000000001004B000-memory.dmp (Filesize: 300KB)
  • memory/2548-5-0x0000000010000000-0x000000001004B000-memory.dmp (Filesize: 300KB)
  • memory/2548-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2548-2-0x0000000010000000-0x000000001004B000-memory.dmp (Filesize: 300KB)
  • memory/2548-1-0x0000000010000000-0x000000001004B000-memory.dmp (Filesize: 300KB)
  • memory/2548-7-0x0000000010000000-0x000000001004B000-memory.dmp (Filesize: 300KB)
  • memory/2548-8-0x0000000010000000-0x000000001004B000-memory.dmp (Filesize: 300KB)
  • memory/2548-9-0x0000000010000000-0x000000001004B000-memory.dmp (Filesize: 300KB)
  • memory/2548-13-0x0000000010000000-0x000000001004B000-memory.dmp (Filesize: 300KB)
  • memory/2596-12-0x0000000010000000-0x000000001004B000-memory.dmp (Filesize: 300KB)
  • memory/2596-14-0x0000000010000000-0x000000001004B000-memory.dmp (Filesize: 300KB)
