Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 151s
max time network: 153s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11/02/2025, 03:08
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
Resource: win7-20241010-en
General
Target: JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
Size: 201KB
MD5: e20a8efbd4adf6a9cffd9e4f4b5402af
SHA1: d6e5f381f58e2b63481c4c9f42058a97236ee7a1
SHA256: 57d21d6d9530678bdafd4ffe8f1f637bbfcba254ecb05cdad2623d0b0cba3da9
SHA512: f7884f4e8bdf5ea3c122267d091fee3b45aa877e2e4d9e4876a598f0f885ccf97af4ab1590641f58e91e353f9194f6bd4c7c1ed1663eabc2b1a5464dd7bfde1e
SSDEEP: 3072:b1dlKwgj23+Oz05YoNozaOY4zVfqCr7L6lAoDy0I2IOGDJmgDFh6d7cy:b1dlZro5yzZH2Py0I2IOG9pDH62y
Malware Config
Extracted family: xtremerat
C2: ayada.no-ip.info
Signatures
Detect XtremeRAT payload (6 IoCs)
YARA rule family_xtremerat matched these memory dumps from resource behavioral1:
- memory/2904-34-0x0000000000C80000-0x0000000000C96000-memory.dmp
- memory/2904-35-0x0000000000C80000-0x0000000000C96000-memory.dmp
- memory/2560-41-0x0000000000C80000-0x0000000000C96000-memory.dmp
- memory/2304-45-0x0000000000C80000-0x0000000000C96000-memory.dmp
- memory/2904-48-0x0000000000C80000-0x0000000000C96000-memory.dmp
- memory/2304-51-0x0000000000C80000-0x0000000000C96000-memory.dmp
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Xtremerat family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{526D7626-7DE5-63MU-CSCC-7A31T284O28A} (Project1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{526D7626-7DE5-63MU-CSCC-7A31T284O28A}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" (Project1.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{526D7626-7DE5-63MU-CSCC-7A31T284O28A} (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{526D7626-7DE5-63MU-CSCC-7A31T284O28A}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" (svchost.exe)
Two things worth checking for when hunting: the component name is not a well-formed GUID (it contains non-hex characters such as M, U, S, T and O), and the StubPath points at a non-standard directory under C:\Windows rather than System32 or Program Files. Because Active Setup stubs run once per user at logon, the entry is also written by the injected svchost.exe, not only by the dropper.
Executes dropped EXE (2 IoCs)
- PID 2556 Project1.exe
- PID 2904 Project1.exe
Loads dropped DLL (3 IoCs)
- PID 2280 JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
- PID 2280 JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
- PID 2556 Project1.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" (Project1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" (svchost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" (Project1.exe)
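The Active Setup StubPath and the two Run-key values above are the persistence artifacts a detection engineer would want to triage automatically. The Python below is an added example written for this page; it is not tria.ge's code and not derived from the sample. It takes registry-write events in the shape the report prints them (operation, key path, data, writing process); the sample events are constructed from the IoCs listed above plus one made-up benign control. An autostart entry is flagged when its target executable lies outside a trusted-directory allow-list (an assumption to tune per estate) or when the Active Setup component name is not a well-formed GUID. The ATT&CK sub-technique IDs T1547.014 (Active Setup) and T1547.001 (Registry Run Keys / Startup Folder) are supplied by the example, not by the report.

```python
import re

# --- Constructed input: registry-write events in the shape the report prints them.
# The first four are copied from this report's IoCs; the last is a made-up benign control.
SAMPLE_EVENTS = [
    ("Key created",
     r"\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{526D7626-7DE5-63MU-CSCC-7A31T284O28A}",
     "", "Project1.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{526D7626-7DE5-63MU-CSCC-7A31T284O28A}\StubPath",
     r"C:\Windows\InstallDir\Server.exe restart", "Project1.exe"),
    ("Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU",
     r"C:\Windows\InstallDir\Server.exe", "Project1.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM",
     r"C:\Windows\InstallDir\Server.exe", "svchost.exe"),
    # Benign control (constructed, not from the report): well-formed GUID, stub under System32.
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-1234-1234-1234-123456789ABC}\StubPath",
     r"C:\Windows\System32\example.exe /setup", "msiexec.exe"),
]

GUID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\(\{[^\\]*\})\\StubPath$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)

# Where a legitimate Active Setup stub or Run entry is normally expected to live.
# Assumption for this example; extend with the estate's own software directories.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def executable_path(command: str) -> str:
    """Return the program part of a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_registry_events(events):
    """Flag autostart writes that look like the persistence seen in this report.

    Each event is (operation, key_path, data, process). Only 'Set value' writes to
    Active Setup StubPath or Run/RunOnce values are considered; a finding is raised
    when the target is outside TRUSTED_DIRS or the Active Setup GUID is malformed.
    """
    findings = []
    for op, key, data, process in events:
        if not op.startswith("Set value"):
            continue
        technique, reasons = None, []
        m = ACTIVE_SETUP_RE.search(key)
        if m:
            technique = "T1547.014"  # Boot or Logon Autostart Execution: Active Setup
            if not GUID_RE.match(m.group(1)):
                reasons.append("component name is not a well-formed GUID: " + m.group(1))
        elif RUN_KEY_RE.search(key):
            technique = "T1547.001"  # Registry Run Keys / Startup Folder
        if technique is None:
            continue
        exe = executable_path(data)
        if not exe.lower().startswith(TRUSTED_DIRS):
            reasons.append("autostart target outside trusted directories: " + exe)
        if reasons:
            findings.append({"technique": technique, "process": process,
                             "key": key, "target": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_registry_events(SAMPLE_EVENTS):
        print(f"[{f['technique']}] written by {f['process']}: {f['key']}")
        for r in f["reasons"]:
            print("    - " + r)
```

The "Key created" event is deliberately ignored: the key alone carries no payload, and alerting on it would fire on every legitimate installer. The benign control produces no finding, which is the behaviour to preserve when the allow-list is widened.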
Suspicious use of SetThreadContext (1 IoCs)
- PID 2556 (Project1.exe) set thread context of PID 2904 (Project1.exe), procid_target 30
Read together with the WriteProcessMemory events below, this is the RunPE/process-hollowing pattern: the first Project1.exe instance writes into a second, freshly created instance of its own image and then redirects that instance's thread with SetThreadContext. The XtremeRAT YARA hits are found in the child (PID 2904) at 0x0000000000C80000-0x0000000000C96000, not in the parent, and the same region later appears in svchost.exe (PID 2560) and explorer.exe (PID 2304).
YARA rule upx (8 IoCs)
Matches from resource behavioral1:
- memory/2904-30-0x0000000000C80000-0x0000000000C96000-memory.dmp
- memory/2904-34-0x0000000000C80000-0x0000000000C96000-memory.dmp
- memory/2904-35-0x0000000000C80000-0x0000000000C96000-memory.dmp
- memory/2904-33-0x0000000000C80000-0x0000000000C96000-memory.dmp
- memory/2560-41-0x0000000000C80000-0x0000000000C96000-memory.dmp
- memory/2304-45-0x0000000000C80000-0x0000000000C96000-memory.dmp
- memory/2904-48-0x0000000000C80000-0x0000000000C96000-memory.dmp
- memory/2304-51-0x0000000000C80000-0x0000000000C96000-memory.dmp
Drops file in Program Files directory (5 IoCs)
- File created: C:\Program Files\Icon_19.ico (JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe)
- File opened for modification: C:\Program Files\KKKÿgghévv|íggYùˆˆAÿ (JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe)
- File opened for modification: C:\Program Files\Icon_19.ico (DllHost.exe)
- File created: C:\Program Files\Project1.exe (JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe)
- File opened for modification: C:\Program Files\ÿÿÿÿÿÿÿ (JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe)
The two non-printable file names are reproduced exactly as the sandbox logged them.
Drops file in Windows directory (2 IoCs)
- File opened for modification: C:\Windows\InstallDir\Server.exe (Project1.exe)
- File created: C:\Windows\InstallDir\Server.exe (Project1.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Project1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Project1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DllHost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe)
Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 2728 DllHost.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 2556 Project1.exe
- PID 2304 explorer.exe
- PID 2728 DllHost.exe
- PID 2728 DllHost.exe
Suspicious use of WriteProcessMemory (23 IoCs)
The sandbox logs one event per write; the 23 events collapse to four source/target pairs (event counts in parentheses):
- PID 2280 (JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe) wrote to memory of PID 2556 (Project1.exe), procid_target 29 (4)
- PID 2556 (Project1.exe) wrote to memory of PID 2904 (Project1.exe), procid_target 30 (9)
- PID 2904 (Project1.exe) wrote to memory of PID 2560 (svchost.exe), procid_target 31 (5)
- PID 2904 (Project1.exe) wrote to memory of PID 2304 (explorer.exe), procid_target 32 (5)
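The SetThreadContext event, the WriteProcessMemory pairs and the identical YARA region at 0x0000000000C80000 in three different PIDs tell one story when read together. The Python below is an added example for this page (not tria.ge tooling and not derived from the sample): it parses event lines and memory-dump identifiers in exactly the form the report prints them, with the input lines constructed from the IoCs above and the PID-to-image map taken from the process tree. It keeps only the writes whose target later matched the family rule, marks the one that was followed by SetThreadContext as hollowing, and reports memory regions that recur at the same address in more than one process.

```python
import re
from collections import defaultdict

# --- Constructed input, copied from this report's signature tables (repeated events omitted).
PROCESS_EVENTS = [
    "PID 2280 wrote to memory of 2556 2280 JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe 29",
    "PID 2556 wrote to memory of 2904 2556 Project1.exe 30",
    "PID 2556 set thread context of 2904 2556 Project1.exe 30",
    "PID 2904 wrote to memory of 2560 2904 Project1.exe 31",
    "PID 2904 wrote to memory of 2304 2904 Project1.exe 32",
]
YARA_HITS = [
    "behavioral1/memory/2904-34-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat",
    "behavioral1/memory/2560-41-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat",
    "behavioral1/memory/2304-45-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat",
    "behavioral1/memory/2904-30-0x0000000000C80000-0x0000000000C96000-memory.dmp upx",
]
# PID-to-image map taken from the report's process tree.
PROCESS_NAMES = {
    2280: "JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe",
    2556: "Project1.exe", 2904: "Project1.exe",
    2560: "svchost.exe", 2304: "explorer.exe",
}

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) ")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)")


def parse_process_events(lines):
    """Return (writes, thread_ctx): sets of (src_pid, dst_pid). Repeated events collapse."""
    writes, thread_ctx = set(), set()
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(3))
        (writes if m.group(2).startswith("wrote") else thread_ctx).add((src, dst))
    return writes, thread_ctx


def parse_memory_hits(lines):
    """Map pid -> {(start, end, rule)} from dump identifiers; one line may carry several."""
    hits = defaultdict(set)
    for line in lines:
        for m in DUMP_RE.finditer(line):
            hits[int(m.group(1))].add((int(m.group(2), 16), int(m.group(3), 16), m.group(4)))
    return hits


def injection_edges(writes, thread_ctx, hits, names, family_rule):
    """Writes whose target later matched family_rule; hollowed=True when SetThreadContext followed."""
    edges = []
    for src, dst in sorted(writes):
        if any(rule == family_rule for _, _, rule in hits.get(dst, ())):
            edges.append({"src": src, "src_name": names.get(src, "?"),
                          "dst": dst, "dst_name": names.get(dst, "?"),
                          "hollowed": (src, dst) in thread_ctx})
    return edges


def shared_regions(hits):
    """Regions (start, end) seen in more than one PID: the same base in unrelated images is injected code."""
    by_region = defaultdict(set)
    for pid, regions in hits.items():
        for start, end, _ in regions:
            by_region[(start, end)].add(pid)
    return {region: pids for region, pids in by_region.items() if len(pids) > 1}


if __name__ == "__main__":
    writes, ctx = parse_process_events(PROCESS_EVENTS)
    hits = parse_memory_hits(YARA_HITS)
    for e in injection_edges(writes, ctx, hits, PROCESS_NAMES, "family_xtremerat"):
        tag = "process hollowing" if e["hollowed"] else "remote injection"
        print(f"{e['src']} {e['src_name']} -> {e['dst']} {e['dst_name']}  [{tag}]")
    for (start, end), pids in shared_regions(hits).items():
        print(f"0x{start:08X}-0x{end:08X} ({end - start:#x} bytes) in PIDs {sorted(pids)}")
```

The 2280 to 2556 write is dropped on purpose: a parent writing into a child it has just created is normal process start-up, and 2556 never carries the family rule. The three remaining edges are the chain the report shows in pieces: dropper, hollowed copy, then svchost.exe and explorer.exe as the long-lived hosts of a 0x16000-byte region.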
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe (PID 2280)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe"
    signatures: Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    C:\Program Files\Project1.exe (PID 2556)
        command line: "C:\Program Files\Project1.exe"
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        C:\Program Files\Project1.exe (PID 2904)
            signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\svchost.exe (PID 2560)
                command line: svchost.exe
                signatures: Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\explorer.exe (PID 2304)
                command line: explorer.exe
                signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\DllHost.exe (PID 2728)
    command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    signatures: Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Active Setup (1), Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Active Setup (1), Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 85KB
  MD5: d7b36c3e5e4698a2a6ef6d4221d14257
  SHA1: b6c2876bc7affcf79942343d41e0a30f36dbcb11
  SHA256: 74e7bf3570967fe9898243b49dac159cb90ce51c857588b44d334e2beb2b58e6
  SHA512: 18fee95c523fc9539f8a704bf0bc8a35ad9fe113a850324b651fd2c6daf804d6b193353bf0a1677dbd51ac3f0c61ed7cce5d82483e55efb428e4782fa1d44c56
- Filesize: 121KB
  MD5: 5f196fc3bd4b0e264c3eac02488f7ff2
  SHA1: a3e8d91b30bb66d6d7fecf859ae1f74f7c669614
  SHA256: 673f296dabec3508ab4fceb56ddeebf60de0a64b036cb4148cbf0186252329df
  SHA512: c4b728b6156ed2cb15b2ef91f00256ba35db3c03e711980e4d94e861062dc7ebd193d5455955b2f0402ff572020b8673cd403e6b8e0629ecc5a0b9f41f44b817
- Filesize: 218B
  MD5: f235e1810d8d8b7072a558b57cfb2ee4
  SHA1: 96f992af68f4bff4d863b285444927767c9a1bcc
  SHA256: f942ab10149a717eea8fc376b68813b2419fc5a04b08d6718e72279dedd5bc6b
  SHA512: 6c1fde80d41c08d558b69fdf47d5e32b1f367f4d8f56aec7891ff08dacb98aa9147879546bbbc31167f4fb82a64c12bee7956346c0bee583bfd9a2a2e3cdaca2