Analysis
max time kernel: 149s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/03/2025, 03:19
Behavioral task: behavioral1
Sample: JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe
Resource: win7-20241010-en
General
Target: JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe
Size: 5.0MB
MD5: 7cb31a3ec7995574c848738ad108616c
SHA1: 70faa7380f5722353a8c4be397aa40ec40297459
SHA256: 640302e527419c0cf4e19e698a8e83697fe874d9753b9182d8e8b5f54cde5ab6
SHA512: 6439fb7378330534cb0cea41c902396cc559d3127766731d468c32ae2d932885a7d370372b3b51899d24a63d5e72f6ce627b4f0766f2f3e5834d00bf847d9747
SSDEEP: 98304:yJRo3d0hXVq9dri/msSa6WYiJ97m4am1p5jS9cmByE1lwd5KOHnlWY0:zd03qHImsQWYiz73aWjS9co3fqKOHlH0
Malware Config
Extracted
xtremerat
ak474.zapto.org
Signatures
Detect XtremeRAT payload (6 IoCs)
  resource | yara_rule
  behavioral2/memory/3052-36-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
  behavioral2/memory/3052-37-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
  behavioral2/memory/3052-34-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
  behavioral2/memory/4292-45-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
  behavioral2/memory/5108-46-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
  behavioral2/memory/4292-48-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Xtremerat family
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  6076 | Panorama_Corrector.exe
  5536 | Dog.exe
  3268 | Panorama_Corrector.tmp
  3052 | Dog.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\R: | Panorama_Corrector.tmp
  File opened (read-only) | \??\U: | Panorama_Corrector.tmp
  File opened (read-only) | \??\W: | Panorama_Corrector.tmp
  File opened (read-only) | \??\Y: | Panorama_Corrector.tmp
  File opened (read-only) | \??\K: | Panorama_Corrector.tmp
  File opened (read-only) | \??\L: | Panorama_Corrector.tmp
  File opened (read-only) | \??\N: | Panorama_Corrector.tmp
  File opened (read-only) | \??\O: | Panorama_Corrector.tmp
  File opened (read-only) | \??\P: | Panorama_Corrector.tmp
  File opened (read-only) | \??\Q: | Panorama_Corrector.tmp
  File opened (read-only) | \??\S: | Panorama_Corrector.tmp
  File opened (read-only) | \??\B: | Panorama_Corrector.tmp
  File opened (read-only) | \??\G: | Panorama_Corrector.tmp
  File opened (read-only) | \??\H: | Panorama_Corrector.tmp
  File opened (read-only) | \??\I: | Panorama_Corrector.tmp
  File opened (read-only) | \??\J: | Panorama_Corrector.tmp
  File opened (read-only) | \??\T: | Panorama_Corrector.tmp
  File opened (read-only) | \??\V: | Panorama_Corrector.tmp
  File opened (read-only) | \??\Z: | Panorama_Corrector.tmp
  File opened (read-only) | \??\E: | Panorama_Corrector.tmp
  File opened (read-only) | \??\M: | Panorama_Corrector.tmp
  File opened (read-only) | \??\X: | Panorama_Corrector.tmp
  File opened (read-only) | \??\A: | Panorama_Corrector.tmp
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 5536 set thread context of 3052 | 5536 | Dog.exe | 91
  resource | yara_rule
  behavioral2/memory/5100-0-0x0000000000400000-0x000000000042F000-memory.dmp | upx
  behavioral2/memory/5100-28-0x0000000000400000-0x000000000042F000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (4 IoCs)
  pid | pid_target | Process | procid_target
  4692 | 4292 | WerFault.exe | 92
  4680 | 5108 | WerFault.exe | 93
  4812 | 5108 | WerFault.exe | 93
  4848 | 4292 | WerFault.exe | 92
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Panorama_Corrector.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dog.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Panorama_Corrector.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dog.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  5536 | Dog.exe
Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target
  PID 5100 wrote to memory of 6076 | 5100 | JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe | 88
  PID 5100 wrote to memory of 6076 | 5100 | JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe | 88
  PID 5100 wrote to memory of 6076 | 5100 | JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe | 88
  PID 5100 wrote to memory of 5536 | 5100 | JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe | 89
  PID 5100 wrote to memory of 5536 | 5100 | JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe | 89
  PID 5100 wrote to memory of 5536 | 5100 | JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe | 89
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 6076 wrote to memory of 3268 | 6076 | Panorama_Corrector.exe | 90
  PID 6076 wrote to memory of 3268 | 6076 | Panorama_Corrector.exe | 90
  PID 6076 wrote to memory of 3268 | 6076 | Panorama_Corrector.exe | 90
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 5536 wrote to memory of 3052 | 5536 | Dog.exe | 91
  PID 3052 wrote to memory of 4292 | 3052 | Dog.exe | 92
  PID 3052 wrote to memory of 4292 | 3052 | Dog.exe | 92
  PID 3052 wrote to memory of 4292 | 3052 | Dog.exe | 92
  PID 3052 wrote to memory of 4292 | 3052 | Dog.exe | 92
  PID 3052 wrote to memory of 5108 | 3052 | Dog.exe | 93
  PID 3052 wrote to memory of 5108 | 3052 | Dog.exe | 93
  PID 3052 wrote to memory of 5108 | 3052 | Dog.exe | 93
  PID 3052 wrote to memory of 5108 | 3052 | Dog.exe | 93
Processes
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5100
    [2] C:\Users\Admin\AppData\Local\Temp\Panorama_Corrector.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Panorama_Corrector.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 6076
        [3] C:\Users\Admin\AppData\Local\Temp\is-BVU8F.tmp\Panorama_Corrector.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-BVU8F.tmp\Panorama_Corrector.tmp" /SL5="$501CE,4832331,141824,C:\Users\Admin\AppData\Local\Temp\Panorama_Corrector.exe"
            - Executes dropped EXE
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            PID: 3268
    [2] C:\Users\Admin\AppData\Local\Temp\Dog.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Dog.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 5536
        [3] C:\Users\Admin\AppData\Local\Temp\Dog.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\Dog.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 3052
            [4] C:\Windows\SysWOW64\svchost.exe
                Command line: svchost.exe
                - System Location Discovery: System Language Discovery
                PID: 4292
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 472
                    - Program crash
                    PID: 4692
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 488
                    - Program crash
                    PID: 4848
            [4] C:\Windows\SysWOW64\notepad.exe
                Command line: notepad.exe
                - System Location Discovery: System Language Discovery
                PID: 5108
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 484
                    - Program crash
                    PID: 4680
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 492
                    - Program crash
                    PID: 4812
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4292 -ip 4292
    PID: 4572
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5108 -ip 5108
    PID: 4592
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5108 -ip 5108
    PID: 4672
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4292 -ip 4292
    PID: 4660
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 121KB
MD5: 8bfaf58c21c74ac73df6387709debd06
SHA1: 08d050d619b60ec3586dc74358b15993c55e36d3
SHA256: 00dfa59e87f30d4efa8986a4b217d4ef8309a57366aff1c4f4064f5d8f222e95
SHA512: 661b7709bdbeb5ac4e067faaae7513ae2ad87ce83914547923b0fc23f4d333cbd2d55f58a3720a16d9c95284a4eed985447d58a34bd6a00fae760edf46ec4756

Filesize: 5.0MB
MD5: 1fc2828885558e6f26d83200a492b1c1
SHA1: 63286efa86ac14a948ded8d4516878ae3af5757a
SHA256: 627b830466eb837dd5c4fb3d53d3dcd21fe329420f1b9e22e0c14844c834db6f
SHA512: dab28f90efdbb26818cd1244582e023520a2e69c63824f59b247bd7f42498c229f90fafcb088bfa57fc8946121495fb99fe7278d67f73167a0dd035b5cb5db54

Filesize: 1.1MB
MD5: 2e30da9c21c0847dd7135895d6388d46
SHA1: 3435b0964bd238022819733ea7f049b3b215df3e
SHA256: 0002f4046ef35e169fa79e2abf0b92212c1438487819dd8318301991ff99acac
SHA512: d7dabdbeaab41eddfb045d55c4752485fe231373dd8e45af26add7a238e928fd7905ae3ee9a2df34f484eabe4d8b7bcda775ef12822993b1850a3daa58f06aae