Overview

overview

10

Static

static

3

JaffaCakes...34.exe

windows7-x64

10

JaffaCakes...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/02/2025, 12:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_25d2ddbce9d5949b943fe58930507134.exe

  • Size

    92KB

  • MD5

    25d2ddbce9d5949b943fe58930507134

  • SHA1

    c687874a70222d227bb24f814859a47ab12b56e4

  • SHA256

    1391317a47c89d0565b3a43a8ffeda8bf9a540ce1d9941ddbb5cd42e0ebfe4cb

  • SHA512

    711b0a79cc4ab687dc5f475179b8b18ba95a1066c1754bcdf0548171e464ad0ac211a0a9a96628b0043275c70ab57d3f55194dd1b03464204ec033f3c51d75e3

  • SSDEEP

    1536:VKxpv88ouifThnmVfm/mzS64JD+E4qxw882jJpSdQvXQKwvJpL1:GpqSVfBS6S+QxB82adONwvJpB

Score
10/10
xtremeratdiscoverypersistenceratspywareupx

Malware Config

Signatures

  • Detect XtremeRAT payload 4 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25d2ddbce9d5949b943fe58930507134.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25d2ddbce9d5949b943fe58930507134.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\55.exe
      "C:\Users\Admin\AppData\Local\Temp\55.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Users\Admin\AppData\Local\Temp\55.exe
        C:\Users\Admin\AppData\Local\Temp\55.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2704
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\24.jpg
    Filesize

    9KB

    MD5

    83bcfdaf642fe1692bebb4e46431b7b1

    SHA1

    d90de53d9105e4bfb6f45c102efb4f21ff132c12

    SHA256

    05364955c6fdd54183f3fea36bbf6193bf319edc4c2370adae5cf537cf6fa9ac

    SHA512

    da41e13a0dd3875c5bcc18d42296ed7d9cfd83ee01d5f095ae39144b9d0e1051cdc9905d96c48560e5f58e612a5d652481588630f2670b1ab2f2413e8169b70e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sfx.ini
    Filesize

    187B

    MD5

    bc48041f1457a3639872b4de20a2dac9

    SHA1

    2fb6d90be5e55bcc8a452a09d12955ac43cdb5b1

    SHA256

    d7d7f32dca4f383b1f4451e58fe2429df8e56a8d3543e62f4cda8f73f81e749e

    SHA512

    4fe56f82d899adbb81f618307a67cb0a01d1f3974a5eec33f2e2aa6f0d6256f44491e41fa97637bfa641712fa7d1ddcb174f938c4a90a3043cf28eb18c5905c7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\55.exe
    Filesize

    45KB

    MD5

    d7c7170f6f46e95a10695157088a620f

    SHA1

    e8d9826b0f60014187dedfa1307c16be28e93fa2

    SHA256

    2e2f911153571516a6df4fa008e756e6c93f038068e5ec37e91dc9c720b975f8

    SHA512

    bede756d0425d19d389f6a3ed396a4336d4c491e239eabcd299bbab6b8ac849e2056b90e13b011310ec93ae69c6aea1a6f5c85b86b11175d09e797fed9c4eee5

    Download Submit

  • memory/1156-45-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1156-63-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1156-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1156-36-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1156-37-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1156-35-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1156-40-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1156-43-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1156-47-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2136-29-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2136-46-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2136-34-0x0000000000230000-0x000000000024A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2380-0-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2380-53-0x0000000003C90000-0x0000000003C92000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2380-55-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2380-56-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2380-23-0x0000000003560000-0x000000000357A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2380-1-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2704-59-0x0000000000C80000-0x0000000000C95000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2992-54-0x00000000000B0000-0x00000000000B2000-memory.dmp

    Filesize

    8KB

    Download