Analysis
-
max time kernel
146s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28-01-2025 04:48
General
-
Target
JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe
-
Size
25KB
-
MD5
4708ece1802d61ef3fdc620134b960e1
-
SHA1
1f8a84da1fc3cecc4d1ba2f951d92f6b62828f4b
-
SHA256
3db790e11b94c8259a39623b0ab4a70dda8a8d67c14e69755213f107d976ada1
-
SHA512
6e1344de6f728d9094c6b163534fda362745586e3b18bc339105796f26e5ae46db8e4967cfabcdb7aa7a6c9bd3611d1068c14071dbb5c9dc906e4960a319ea77
-
SSDEEP
384:xLpj7eNmfp+UrM8j3Mk8mw2Qwz9cEVWNuOuuOYPq8P9iYwbzuvExgRW2r3p:xmmfpbM8j8wQwz9caAuxYyuJExrS
Malware Config
Extracted
xtremerat
momed.no-ip.info
Signatures
-
Detect XtremeRAT payload 4 IoCs
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat" "2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -A -S -H "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe"3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
368B
MD5eb201b4e6828711d882c20794aae62c7
SHA1c62575d2b96cbc1fd6983acb1ce576502716cef8
SHA25670572faffb027583cd8a3ea5a47f863806764e60d15213346b5fe635dac7ad3b
SHA5127a6e07be5d6dd790c53b780c2684457db49a0be765568abd0036028553be0d53fa4f5a0b7e66e66fd507d2db50a7022a1cec1b0595d406e5871888c194cc8257
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB