Analysis
-
max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/01/2025, 04:48
Behavioral task: behavioral1
Sample: JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe
Resource: win7-20240903-en
(The signature, memory-dump and process data below are labelled behavioral2 and come from the windows10-2004_x64 run listed under Analysis, not from this Windows 7 task.)
General
-
Target: JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe
Size: 25KB
MD5: 4708ece1802d61ef3fdc620134b960e1
SHA1: 1f8a84da1fc3cecc4d1ba2f951d92f6b62828f4b
SHA256: 3db790e11b94c8259a39623b0ab4a70dda8a8d67c14e69755213f107d976ada1
SHA512: 6e1344de6f728d9094c6b163534fda362745586e3b18bc339105796f26e5ae46db8e4967cfabcdb7aa7a6c9bd3611d1068c14071dbb5c9dc906e4960a319ea77
SSDEEP: 384:xLpj7eNmfp+UrM8j3Mk8mw2Qwz9cEVWNuOuuOYPq8P9iYwbzuvExgRW2r3p:xmmfpbM8j8wQwz9caAuxYyuJExrS
Malware Config
Extracted
Family: xtremerat
C2: momed.no-ip.info (a No-IP dynamic-DNS hostname, so the resolved address may change between runs)
Signatures
-
Detect XtremeRAT payload 2 TTPs 2 IoCs
resource | yara_rule
behavioral2/memory/3188-5-0x0000000013140000-0x000000001315F000-memory.dmp | family_xtremerat
behavioral2/memory/3256-9-0x0000000013140000-0x000000001315F000-memory.dmp | family_xtremerat
The rule fires on the same address range (0x13140000-0x1315F000) in both the sample (PID 3256) and the svchost.exe it spawned (PID 3188), consistent with the payload being copied into the child rather than loaded from disk there.
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key under Active Setup\Installed Components on the local machine; the StubPath command of such a component is executed in the context of each user at logon (once per user, when that user's profile has no matching entry yet).
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\system.exe restart" | JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, most likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation | JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\system.exe" | JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\system.exe" | JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe
-
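The Active Setup StubPath and the two Run values register the same dropped binary three ways. The following Python is an added example, not part of the tria.ge report or of the sample: it triages registry events of this shape offline by classifying each Set value event as T1547.014 (Active Setup) or T1547.001 (Registry Run Keys), undoing WOW64 file-system redirection for 32-bit writers so a value that says system32 lines up with the SysWOW64 path in the file events, dropping targets that live where autostart binaries normally live, and grouping whatever remains by binary. The EVENTS records are constructed from the IoCs in this report plus one benign control entry; the directory allow-list, the Finding class and the 32-bit inference from WOW6432Node are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

SAMPLE = "JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe"

# Constructed input modelled on the report's registry IoCs: (operation, key, data, writing process).
# The last record is a benign control entry (Windows' own SecurityHealth Run value) so the
# filter can be seen not to fire on ordinary autostart entries.
EVENTS = [
    ("Key created",
     "\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Active Setup\\Installed Components"
     "\\{5460C4DF-B266-909E-CB58-E32B79832EB2}", None, SAMPLE),
    ("Set value (str)",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Active Setup\\Installed Components"
     "\\{5460C4DF-B266-909E-CB58-E32B79832EB2}\\StubPath",
     "C:\\Windows\\system32\\InstallDir\\system.exe restart", SAMPLE),
    ("Set value (str)",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\HKLM",
     "C:\\Windows\\system32\\InstallDir\\system.exe", SAMPLE),
    ("Set value (str)",
     "\\REGISTRY\\USER\\S-1-5-21-70482961-775596374-3727440602-1000"
     "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\HKCU",
     "C:\\Windows\\system32\\InstallDir\\system.exe", SAMPLE),
    ("Set value (str)",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "C:\\Windows\\system32\\SecurityHealthSystray.exe", "explorer.exe"),
]

ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\\{[0-9A-Fa-f-]+\}\\StubPath$")
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$")

# Assumed allow-list: where autostart binaries live on a stock host. A new sub-directory
# under System32 (InstallDir here) is deliberately not covered.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    technique: str   # ATT&CK sub-technique id
    key: str
    target: str      # canonical path of the binary that will run at logon
    writer: str


def first_token(cmdline: str) -> str:
    """Executable part of a command line, with or without surrounding quotes."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else cmdline


def canonical_path(path: str, writer_is_wow64: bool) -> str:
    """Lower-case the path and undo WOW64 file-system redirection for 32-bit writers,
    so a value that says system32 matches the SysWOW64 path in the file events."""
    p = path.lower()
    if writer_is_wow64:
        p = p.replace("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
    return p


def in_expected_dir(path: str) -> bool:
    parent = path.rsplit("\\", 1)[0]
    return parent in SYSTEM_DIRS or parent.startswith(PROGRAM_DIRS)


def persistence_findings(events):
    # Inference from the sandbox data: a process whose HKLM\Software writes landed under
    # WOW6432Node was redirected, i.e. it is a 32-bit process on an x64 host.
    wow64_writers = {w for _, key, _, w in events if "\\wow6432node\\" in key.lower()}
    findings = []
    for op, key, data, writer in events:
        if not op.startswith("Set value") or data is None:
            continue
        if ACTIVE_SETUP_RE.search(key):
            technique = "T1547.014"   # Active Setup
        elif RUN_KEY_RE.search(key):
            technique = "T1547.001"   # Registry Run Keys / Startup Folder
        else:
            continue
        target = canonical_path(first_token(data), writer in wow64_writers)
        if not in_expected_dir(target):
            findings.append(Finding(technique, key, target, writer))
    return findings


def layered_persistence(findings):
    """Binaries registered through more than one autostart mechanism."""
    by_target = {}
    for f in findings:
        by_target.setdefault(f.target, set()).add(f.technique)
    return {t: techs for t, techs in by_target.items() if len(techs) > 1}


if __name__ == "__main__":
    found = persistence_findings(EVENTS)
    for f in found:
        print(f"{f.technique}  {f.writer}  {f.key}  ->  {f.target}")
    for target, techs in layered_persistence(found).items():
        print(f"layered persistence for {target}: {sorted(techs)}")
```

Run against the constructed events, the three sample entries resolve to the single binary c:\windows\syswow64\installdir\system.exe and are reported as layered persistence, while the control entry is dropped because its target sits directly in System32.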
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\InstallDir\system.exe | JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe
File created | C:\Windows\SysWOW64\InstallDir\system.exe | JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe
File opened for modification | C:\Windows\SysWOW64\InstallDir\ | JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe
The sample is a 32-bit executable, so on this x64 image its writes to C:\Windows\system32 are redirected by WOW64 to C:\Windows\SysWOW64 and its HKLM\Software writes land under WOW6432Node. That is why the registry values above name system32\InstallDir\system.exe while the file events show SysWOW64\InstallDir\system.exe; when hunting on a live host, check both paths.
-
UPX (yara rule match) 3 IoCs
resource | yara_rule
behavioral2/memory/3256-0-0x0000000013140000-0x000000001315F000-memory.dmp | upx
behavioral2/memory/3188-5-0x0000000013140000-0x000000001315F000-memory.dmp | upx
behavioral2/memory/3256-9-0x0000000013140000-0x000000001315F000-memory.dmp | upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
description | pid | Process | procid_target | occurrences
PID 3256 wrote to memory of 3188 | 3256 | JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe | 78 | 4
PID 3256 wrote to memory of 3640 | 3256 | JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe | 79 | 3
PID 3640 wrote to memory of 4160 | 3640 | cmd.exe | 81 | 3
Each group of repeated rows is a parent writing into a child it has just created (process creation copies the new process's parameters into it), so these rows alone do not prove injection; the injection evidence in this report is the XtremeRAT yara match inside the svchost.exe child (PID 3188) at the same address range as in the parent.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
4160 | attrib.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe (PID 3256)
   command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe"
   - Boot or Logon Autostart Execution: Active Setup
   - Checks computer location settings
   - Adds Run key to start application
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe (PID 3188)
      command line: svchost.exe
      - System Location Discovery: System Language Discovery
   2. C:\Windows\SysWOW64\cmd.exe (PID 3640)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\attrib.exe (PID 4160)
         command line: attrib -A -S -H "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe"
         - System Location Discovery: System Language Discovery
         - Views/modifies file attributes
-
Two things in this tree are worth a responder's attention. The svchost.exe child is the 32-bit copy from SysWOW64, is started with a bare "svchost.exe" command line (no -k service group) by the sample rather than by services.exe, and carries the XtremeRAT yara match in its memory: it is the host process for the injected RAT. The cmd.exe branch runs SelfDelete.bat from the user's Temp directory, and its attrib.exe child clears the archive, system and hidden attributes on the original sample, the usual preparation for a batch file that deletes the dropper once it has exited (the batch file's contents are not shown in the report).
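The WriteProcessMemory rows and the process list above describe a four-process chain. The following Python is added here and is not code from the tria.ge report or from the sample: it rebuilds the parent/child tree from the "PID X wrote to memory of Y" records (collapsing the repeated rows), then applies three checks a responder would run over such a tree: an svchost.exe whose parent is not services.exe or whose command line has no -k service group, cmd.exe executing a batch file from the user's Temp directory, and attrib.exe stripping attributes from an ancestor's own image. PROCESSES and WPM_EVENTS are constructed from this report; the rule names and the tree-from-WriteProcessMemory heuristic are assumptions for illustration (with real endpoint telemetry the tree would come from process-creation events instead).

```python
import re

SAMPLE_PATH = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
               "JaffaCakes118_4708ece1802d61ef3fdc620134b960e1.exe")

# Constructed from the report's process list: pid -> (image path, command line).
PROCESSES = {
    3256: (SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    3188: ("C:\\Windows\\SysWOW64\\svchost.exe", "svchost.exe"),
    3640: ("C:\\Windows\\SysWOW64\\cmd.exe",
           'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\SelfDelete.bat" "'),
    4160: ("C:\\Windows\\SysWOW64\\attrib.exe", f'attrib -A -S -H "{SAMPLE_PATH}"'),
}

# Constructed from the report's "PID X wrote to memory of Y" rows as (source pid, target pid),
# repeated the way the sandbox reported them (4 + 3 + 3 = 10 IoCs).
WPM_EVENTS = [(3256, 3188)] * 4 + [(3256, 3640)] * 3 + [(3640, 4160)] * 3


def build_tree(events):
    """Map each written-to pid to the first pid that wrote into it. Process creation makes
    the parent write into the new child several times, so repeated rows collapse to one edge."""
    parent = {}
    for src, dst in events:
        parent.setdefault(dst, src)
    return parent


def ancestors(parent, pid):
    """Parent, grandparent, ... up to the root, nearest first."""
    chain = []
    while pid in parent:
        pid = parent[pid]
        chain.append(pid)
    return chain


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def alerts(parent, procs):
    """Return (pid, rule, message) triples for the suspicious patterns in the tree."""
    out = []
    for pid, (image, cmdline) in procs.items():
        name = basename(image)
        ppid = parent.get(pid)
        pname = basename(procs[ppid][0]) if ppid in procs else None
        low = cmdline.lower()

        # Legitimate service hosts are started by services.exe with "-k <group>".
        if name == "svchost.exe" and (pname != "services.exe" or " -k " not in low):
            out.append((pid, "svchost_orphan",
                        f"svchost.exe started by {pname} without a -k service group: likely injection host"))

        # A batch file executed from the user's Temp directory.
        if name == "cmd.exe" and re.search(r"\\temp\\[^\"]+\.bat", low):
            out.append((pid, "temp_batch",
                        "cmd.exe executes a batch file from the user's Temp directory"))

        # attrib.exe operating on the image of one of its own ancestors (self-deletion staging).
        if name == "attrib.exe":
            targets = {t.lower() for t in re.findall(r'"([^"]+)"', cmdline)}
            for anc in ancestors(parent, pid):
                if procs[anc][0].lower() in targets:
                    out.append((pid, "self_delete",
                                f"attrib strips attributes from ancestor {anc}'s own image"))
    return out


if __name__ == "__main__":
    tree = build_tree(WPM_EVENTS)
    for pid, rule, msg in alerts(tree, PROCESSES):
        print(f"{pid:>5}  {rule:<15} {msg}")
```

On the report's data the tree reduces to 3256 -> {3188, 3640} and 3640 -> 4160, and all three rules fire: 3188 as the orphaned svchost.exe, 3640 for the Temp batch file, and 4160 because the path it strips attributes from is the image of its grandparent 3256.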
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
Downloads
-
Filesize: 368B
MD5: eb201b4e6828711d882c20794aae62c7
SHA1: c62575d2b96cbc1fd6983acb1ce576502716cef8
SHA256: 70572faffb027583cd8a3ea5a47f863806764e60d15213346b5fe635dac7ad3b
SHA512: 7a6e07be5d6dd790c53b780c2684457db49a0be765568abd0036028553be0d53fa4f5a0b7e66e66fd507d2db50a7022a1cec1b0595d406e5871888c194cc8257