Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-02-2025 04:13

General

  • Target

    JaffaCakes118_bede504f34a28906459bb40b346a512c.exe

  • Size

    2.0MB

  • MD5

    bede504f34a28906459bb40b346a512c

  • SHA1

    414431aa97798a7365008c720fbb9cc088e692b0

  • SHA256

    72385796e68f246015c4204f3751ef4e8c4d8bb636fd7eeb16d4807f9d68b59f

  • SHA512

    f571970313b0912c032cfb9a6b804cdbd75af540ac8562d25a6cc8085ac6f93fd7d42613ccaf99c4351a62cf74601c5e9b7bacc5f73d969c3bdf93f1b8f9445f

  • SSDEEP

    49152:2SV3+XvHQ5LbvZMBalN7VBwQhnmCTtJ8Sv2LyFPXd3m:2SBSQ5Lbecl7wy/vJFPZm

Malware Config

Signatures

  • Detect XtremeRAT payload 6 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Xtremerat family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bede504f34a28906459bb40b346a512c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bede504f34a28906459bb40b346a512c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Users\Admin\AppData\Local\Temp\final.exe
      C:\Users\Admin\AppData\Local\Temp/final.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Users\Admin\AppData\Local\Temp\final.exe
        C:\Users\Admin\AppData\Local\Temp\final.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
          PID:4924
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
          PID:4220
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
          PID:5104
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
          PID:2296
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
          PID:4748
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
          PID:2748
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
          PID:3720
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
          PID:4500
        • C:\Program Files (x86)\InstallDir\smss.exe
          "C:\Program Files (x86)\InstallDir\smss.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Program Files (x86)\InstallDir\smss.exe
            "C:\Program Files (x86)\InstallDir\smss.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2188
            • C:\Program Files (x86)\InstallDir\smss.exe
              smss.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3884
    • C:\Users\Admin\AppData\Local\Temp\Asrar_3.exe
      C:\Users\Admin\AppData\Local\Temp/Asrar_3.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:228
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU1NzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODAxNjUyMzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzUzMzgxNDQ2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Asrar_3.exe

    Filesize

    5.7MB

    MD5

    b9a1bf137aecbd36e234fa08bb4ac69b

    SHA1

    b24b2d9159dfbd3eb28993cd6bbb2fe05e4d2d8a

    SHA256

    15738d22ac6eacf1f54cc155bde72d368f81ab2525dd2f64733a36e31d8b137e

    SHA512

    e08168999544934683600846b8ae0785dad4f1a9ac46e2e0416980930fff08614bca184fe6430314a752d106bcc0f98692a2237a3b3e4a9f26d839b0f9536e10

  • C:\Users\Admin\AppData\Local\Temp\autC0C0.tmp

    Filesize

    592KB

    MD5

    adfb50bb910167bc3cfe04400718ca08

    SHA1

    844f0684b40cd79a910333151783392bb69b717d

    SHA256

    27ef002d724edd175c32649a4335ca5a26b12eb221ad846ee300e933060925f5

    SHA512

    644daf1c23286370ebe2c525d4647114f92e4f26e837ea053fc33da1deb2b9e9c0b161dea13fef416ea5d02ebe1cd294c56f0933d2d41918fa1479656539ec28

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

    Filesize

    1KB

    MD5

    f84414c79d8f4143afda296aaaa9ea42

    SHA1

    d1414e5cc8e189be1f0f9e2161fb56ad0d6af777

    SHA256

    ef3b627ae9b0b7598b28ea2236883b7aef88be90ffddab8950a4b10dd4ebbc99

    SHA512

    2f6e8d065c064a14f0a36dda55e76547bd5830275fc45777bf3b7630f9df26bc8fbc1a2829c7525fd2b12c1f66972f673bcb47734ea0a165c33efff50c56bec5

  • C:\Windows\SysWOW64\server.exe.mbxcfg

    Filesize

    297B

    MD5

    4eabb8b873346f1d44e52285c1535857

    SHA1

    c9f9502717e53d7964fc69bdae56c835c0165d09

    SHA256

    0524dbbcbc9c74560be985af54d7b3330b49bd919f68fa0e923b773b2037f90a

    SHA512

    bd3c7ea4ea3ff51c4730aba573880a3779c0d9b46247d4605f9c9b3351fb81204054bf97d37f3e5db5ce6b15833ef5937418493db3188d19c9368ed4f84ec713

  • memory/228-71-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-80-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-94-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-92-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-90-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-88-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-86-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-84-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-25-0x0000000002740000-0x0000000002741000-memory.dmp

    Filesize

    4KB

  • memory/228-67-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-74-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-65-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-82-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-69-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/228-62-0x0000000002740000-0x0000000002741000-memory.dmp

    Filesize

    4KB

  • memory/228-76-0x0000000000400000-0x00000000009B7000-memory.dmp

    Filesize

    5.7MB

  • memory/2188-53-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

  • memory/2188-54-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

  • memory/2492-56-0x0000000000400000-0x00000000004C4000-memory.dmp

    Filesize

    784KB

  • memory/2764-15-0x0000000000400000-0x00000000004C4000-memory.dmp

    Filesize

    784KB

  • memory/2764-33-0x0000000000400000-0x00000000004C4000-memory.dmp

    Filesize

    784KB

  • memory/3120-0-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3120-21-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3884-66-0x0000000000400000-0x00000000004C4000-memory.dmp

    Filesize

    784KB

  • memory/3884-64-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

  • memory/3884-60-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

  • memory/3956-48-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

  • memory/3956-31-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

  • memory/3956-30-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

  • memory/3956-29-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

  • memory/3956-26-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB