Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20250207-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/02/2025, 03:08
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
Resource: win7-20241010-en
General
- Target: JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
- Size: 201KB
- MD5: e20a8efbd4adf6a9cffd9e4f4b5402af
- SHA1: d6e5f381f58e2b63481c4c9f42058a97236ee7a1
- SHA256: 57d21d6d9530678bdafd4ffe8f1f637bbfcba254ecb05cdad2623d0b0cba3da9
- SHA512: f7884f4e8bdf5ea3c122267d091fee3b45aa877e2e4d9e4876a598f0f885ccf97af4ab1590641f58e91e353f9194f6bd4c7c1ed1663eabc2b1a5464dd7bfde1e
- SSDEEP: 3072:b1dlKwgj23+Oz05YoNozaOY4zVfqCr7L6lAoDy0I2IOGDJmgDFh6d7cy:b1dlZro5yzZH2Py0I2IOG9pDH62y
Malware Config
Extracted
xtremerat
ayada.no-ip.info
Signatures
- Detect XtremeRAT payload (6 IoCs)
  resource | yara_rule
  behavioral2/memory/3640-35-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
  behavioral2/memory/3640-34-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
  behavioral2/memory/116-39-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
  behavioral2/memory/2924-41-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
  behavioral2/memory/3640-42-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
  behavioral2/memory/2924-44-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- Xtremerat family
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{526D7626-7DE5-63MU-CSCC-7A31T284O28A} | Project1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{526D7626-7DE5-63MU-CSCC-7A31T284O28A}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Project1.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{526D7626-7DE5-63MU-CSCC-7A31T284O28A} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{526D7626-7DE5-63MU-CSCC-7A31T284O28A}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | svchost.exe
- Downloads MZ/PE file (1 IoCs)
  flow | pid | Process
  40 | 3036 | Process not Found
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation | JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2852 | Project1.exe
  3640 | Project1.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | Project1.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | Project1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2852 set thread context of 3640 | 2852 | Project1.exe | 85
- yara_rule matches: upx (8 IoCs)
  resource | yara_rule
  behavioral2/memory/3640-30-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
  behavioral2/memory/3640-33-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
  behavioral2/memory/3640-35-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
  behavioral2/memory/3640-34-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
  behavioral2/memory/116-39-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
  behavioral2/memory/2924-41-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
  behavioral2/memory/3640-42-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
  behavioral2/memory/2924-44-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
- Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\KKKÿgghévv|íggYùˆˆAÿ | JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
  File created | C:\Program Files\Project1.exe | JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
  File opened for modification | C:\Program Files\ÿÿÿÿÿÿÿ | JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
  File created | C:\Program Files\Icon_19.ico | JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\InstallDir\Server.exe | Project1.exe
  File opened for modification | C:\Windows\InstallDir\Server.exe | Project1.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Project1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Project1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  1568 | MicrosoftEdgeUpdate.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2852 | Project1.exe
  2924 | explorer.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  description | pid | Process | procid_target
  PID 2804 wrote to memory of 2852 | 2804 | JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe | 84 (3 identical rows)
  PID 2852 wrote to memory of 3640 | 2852 | Project1.exe | 85 (8 identical rows)
  PID 3640 wrote to memory of 116 | 3640 | Project1.exe | 86 (4 identical rows)
  PID 3640 wrote to memory of 3060 | 3640 | Project1.exe | 87 (3 identical rows)
  PID 3640 wrote to memory of 2096 | 3640 | Project1.exe | 88 (3 identical rows)
  PID 3640 wrote to memory of 2924 | 3640 | Project1.exe | 89 (4 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e20a8efbd4adf6a9cffd9e4f4b5402af.exe"
  PID: 2804
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Project1.exe
    Command line: "C:\Program Files\Project1.exe"
    PID: 2852
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Project1.exe
      PID: 3640
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        PID: 116
        - Boot or Logon Autostart Execution: Active Setup
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\explorer.exe
        Command line: explorer.exe
        PID: 3060
      - C:\Windows\SysWOW64\explorer.exe
        Command line: explorer.exe
        PID: 2096
      - C:\Windows\SysWOW64\explorer.exe
        Command line: explorer.exe
        PID: 2924
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping […]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU1NzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODAxNjUyMzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDc4ODQzNTY4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  PID: 1568
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 121KB
  MD5: 5f196fc3bd4b0e264c3eac02488f7ff2
  SHA1: a3e8d91b30bb66d6d7fecf859ae1f74f7c669614
  SHA256: 673f296dabec3508ab4fceb56ddeebf60de0a64b036cb4148cbf0186252329df
  SHA512: c4b728b6156ed2cb15b2ef91f00256ba35db3c03e711980e4d94e861062dc7ebd193d5455955b2f0402ff572020b8673cd403e6b8e0629ecc5a0b9f41f44b817
- Filesize: 218B
  MD5: f235e1810d8d8b7072a558b57cfb2ee4
  SHA1: 96f992af68f4bff4d863b285444927767c9a1bcc
  SHA256: f942ab10149a717eea8fc376b68813b2419fc5a04b08d6718e72279dedd5bc6b
  SHA512: 6c1fde80d41c08d558b69fdf47d5e32b1f367f4d8f56aec7891ff08dacb98aa9147879546bbbc31167f4fb82a64c12bee7956346c0bee583bfd9a2a2e3cdaca2