Analysis

Max time kernel: 141s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20241023-en
Resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
Submitted: 28-01-2025 09:54

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe
Resource: win7-20241023-en
General

Target: JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe
Size: 872KB
MD5: 49903a1f7b3e8018132a6c757f4c75c3
SHA1: 0522dd27679f2a6c3c781a26365ecf0d97ea9061
SHA256: 356302f99a32f089bf48764621c9cf6e38c08f112b6e82d1b475efaa2192bfc6
SHA512: 85a46ce914863bb38712338bcc5892669fe4be54e7fde853dca2222eea854bb59933cbe1716a7ce0c657a9e14fc70fc98e0e5d4acf1db2d0872655ba1b28358e
SSDEEP: 6144:U9XRz+saO24Pr7yyrBIErxcYKJZCHbmWaOGRryrBIErxcYKJZCHbmWaOGR+7:U9Xf24DVBIEqYKqHqhO/BIEqYKqHqhO
Malware Config

Extracted
Family: xtremerat
Host: ehec.no-ip.info
Signatures

Detect XtremeRAT payload (1 IoC)
  resource                                                                       yara_rule
  behavioral1/memory/2384-51-0x0000000010000000-0x000000001004D000-memory.dmp    family_xtremerat

XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

Xtremerat family
Executes dropped EXE (2 IoCs)
  pid    Process
  2304   taskmgr.exe
  2384   79852.exe

Loads dropped DLL (4 IoCs)
  pid    Process
  2320   JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe
  2320   JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe
  2320   JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe
  2320   JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe

Suspicious use of SetThreadContext (1 IoC)
  description                             pid    Process                                                procid_target
  PID 2320 set thread context of 2304     2320   JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe    33

  resource                                                                       yara_rule
  behavioral1/files/0x00090000000164b1-38.dat                                    upx
  behavioral1/memory/2384-47-0x0000000010000000-0x000000001004D000-memory.dmp    upx
  behavioral1/memory/2384-51-0x0000000010000000-0x000000001004D000-memory.dmp    upx

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskmgr.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  79852.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid    Process
  2320   JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   2320   JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    Process
  2304   taskmgr.exe
  2304   taskmgr.exe

Suspicious use of WriteProcessMemory (27 IoCs; identical rows grouped, count in last column)
  description                          pid    Process                                                procid_target   rows
  PID 2320 wrote to memory of 1516     2320   JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe    30              4
  PID 1516 wrote to memory of 356      1516   csc.exe                                                32              4
  PID 2320 wrote to memory of 2304     2320   JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe    33              10
  PID 2320 wrote to memory of 2384     2320   JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe    34              4
  PID 2384 wrote to memory of 1888     2384   79852.exe                                              35              5
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe"
  PID: 2320
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\coj2qrss.cmdline"
      PID: 1516
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC43A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC439.tmp"
          PID: 356
          - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\taskmgr.exe
      Command line: C:\Users\Admin\AppData\Roaming\taskmgr.exe
      PID: 2304
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\79852.exe
      Command line: "C:\Users\Admin\AppData\Roaming\79852.exe"
      PID: 2384
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 1888
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 3609bc20d4a779d3fdd50315732b8e8b
SHA1: d4d923c199c19a6577a5153e6cf8a2734f45df73
SHA256: 8b9bbd93de08c49ff76e81eaf423a42e5596d972a69328cb30f91facd1a650b6
SHA512: 8f41cc73f40fe7465bb5a4312c82e9303578898ec354d6316d1ae85f4f60a844ebd966969912d748fa6ea99cef181eea7a04378048b3632f91316b38c9071709

Filesize: 5KB
MD5: b75511e641ef49355454f8bf2b4f4e2b
SHA1: ec48ed91887ff3577da0265094cf56e8a1f7dbd6
SHA256: 0b03646fa80640502cc416f0f9dfc3f95659e0f2340386bd82589942c7f648c4
SHA512: 4021b5b5b44badb1803320d30f6af6ab1ccc9da62bd220436c8c503ffd74d7ed8410f5e137d9d6da60b11b46eea42ce9fbb6cdeb16a01f0e1c3f21ae7f944254

Filesize: 652B
MD5: 15c844491bf079c1284b5e50fc234e64
SHA1: 02273be1c6033c8b8b1e96da3a7772b35a59c6c7
SHA256: 733a8682f952e09d84aeb7580feb5cc363c7d7aa27d1497466532a886b581c91
SHA512: 9fee94626d319ea00635fccc611db2f0a93ea401349ee94c24d31443d651ff9fe2007e2414779e7cd8cf73004088e4286c6ac5719e7c49b6c8914cba1f8aaa16

Filesize: 4KB
MD5: 6830431c6b49f72eaca4b2888a0ddaa9
SHA1: 502083f68f991bfcfd771a7ba5bd508c2834591c
SHA256: ae57e8973a24563582d571743f0339d9347ffc82ed716d12a994694c2b673bf8
SHA512: 939fa8cb2ca518904dea91b9612c53d833b9cf11e393fb376c1b0d00734e52b33708a6302e04bf15cb6a8e745475163766dec5a29ac265c914d0c286a170b35a

Filesize: 206B
MD5: 9bb289162319e8b6a5db65ce9569b006
SHA1: 9e457ed04d79a8ceae9f32eae09dc5f64c3a90f7
SHA256: d2f9c5e70ca4ca2c8a2030f8eaecc7d643757c4486bb4f304f2f5cc032df78ee
SHA512: 0a6333edca64b2f37d61f74cda2b6c281f03815c5bf02922ca7917a939898708535153e1e9308a88c1cf904812f39da54ea03cac3dc090be9a6ac3363a883050

Filesize: 33KB
MD5: d3136e874b081f6a32ccfde17aeaca84
SHA1: 0262e57d4c272243b4ac88f91386ad9e476dfa72
SHA256: 4051a0076596628190f927e30dd461e44c3c721dc52c2e058b5b41cfb661f4be
SHA512: 7e12fdac66debb1c4ca40d009ddb702ff71afeacfb93d43b37a43c274675a273dbab76a29bf47d2eb0da72412f3f90d1862eb67423abcf9c904ce5b8955060e5

Filesize: 256KB
MD5: 2b30aeb9e54cc47c153369c4c955367e
SHA1: 80f492a8937b85aa2a56ba513e2686e7f6970dc4
SHA256: dac95b0c8866c7a5ace718fcea5e349e5e065467ea06e98bca16b87449794af7
SHA512: bac8d1fa9305fce1ebc46b53d4ea14ff6b228ccebdd084f273134b95577174e765dde7141cbd0a45d041e40cde36991a90b5eb363a72c6c82d809c9c3a9c0015