Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/02/2025, 15:19
Behavioral task
- Task: behavioral1
- Sample: JaffaCakes118_a0f79b7b8f5bce76f9d6ca94293d7538.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_a0f79b7b8f5bce76f9d6ca94293d7538.exe
- Size: 535KB
- MD5: a0f79b7b8f5bce76f9d6ca94293d7538
- SHA1: 898f057bfc60817ede94d9664b840486f2385164
- SHA256: 80be7acd19b153b6afc35df2842a55f255b77254915acd16def77b5130087de1
- SHA512: 34aee253d49e53d59f55fc99eb913d8c71afada504b311692f8256612805104fb388d2249a45673fd8a53d2a5bea3ad76def2c0ccd4db464aef75d172ca81896
- SSDEEP: 12288:6GuWm0QRVRdgFkEXIc0pg3xTX2ep3vWQrWKZZo/:Xc7dgadoTXFdeaWM+/
Malware Config
Signatures
Detect XtremeRAT payload (2 IoCs)
- yara_rule family_xtremerat: behavioral2/memory/1616-18-0x0000000000C80000-0x0000000000C95000-memory.dmp
- yara_rule family_xtremerat: behavioral2/memory/2064-22-0x0000000000C80000-0x0000000000C95000-memory.dmp
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Xtremerat family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{WI0S0J7A-BN72-NO77-52AY-3K5H2N2G8E37} (process: server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{WI0S0J7A-BN72-NO77-52AY-3K5H2N2G8E37}\StubPath = "C:\\Windows\\system32\\InstallDir\\blank.exe restart" (process: server.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{WI0S0J7A-BN72-NO77-52AY-3K5H2N2G8E37} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{WI0S0J7A-BN72-NO77-52AY-3K5H2N2G8E37}\StubPath = "C:\\Windows\\system32\\InstallDir\\blank.exe" (process: svchost.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation (process: JaffaCakes118_a0f79b7b8f5bce76f9d6ca94293d7538.exe)
Executes dropped EXE (1 IoC)
- PID 2064: server.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\blank.exe" (process: server.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\blank.exe" (process: server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\blank.exe" (process: svchost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\blank.exe" (process: svchost.exe)
Drops file in System32 directory (2 IoCs)
- File opened for modification: C:\Windows\SysWOW64\InstallDir\blank.exe (process: server.exe)
- File created: C:\Windows\SysWOW64\InstallDir\blank.exe (process: server.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_a0f79b7b8f5bce76f9d6ca94293d7538.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: server.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 648: JaffaCakes118_a0f79b7b8f5bce76f9d6ca94293d7538.exe
- PID 648: JaffaCakes118_a0f79b7b8f5bce76f9d6ca94293d7538.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: 33, PID 4800: AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 4800: AUDIODG.EXE
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 648: JaffaCakes118_a0f79b7b8f5bce76f9d6ca94293d7538.exe
- PID 648: JaffaCakes118_a0f79b7b8f5bce76f9d6ca94293d7538.exe
- PID 2064: server.exe
Suspicious use of WriteProcessMemory (52 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0f79b7b8f5bce76f9d6ca94293d7538.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0f79b7b8f5bce76f9d6ca94293d7538.exe"
  PID: 648
  Signatures:
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe" cd$
    PID: 2064
    Signatures:
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 1616
      Signatures:
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2388
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2584
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 3460
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 1136
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 884
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 412
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 400
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 1568
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 116
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2740
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 220
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2816
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 1812
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 4976
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 1492
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4ec 0x2cc
  PID: 4800
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 19KB
- MD5: 4903fed7be13b3083b59f19bb3e1c62b
- SHA1: 96ddfd8acf0aa41d3cd8224fcd893878e429d4ab
- SHA256: 87162eca70b101610a3aff424bdaee76bd6474898d35fb5a3f69233a88392688
- SHA512: 58c692d20e085f94bff3261578a32796aca73868fae89aeb7975e40ff1ae066179957076c20fa0e2b4f46787c244a8aabbdbe99238ad2a18d967dc586340c16d