Overview

overview

10

Static

static

5

JaffaCakes...6c.exe

windows7-x64

10

JaffaCakes...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/03/2025, 03:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe

  • Size

    5.0MB

  • MD5

    7cb31a3ec7995574c848738ad108616c

  • SHA1

    70faa7380f5722353a8c4be397aa40ec40297459

  • SHA256

    640302e527419c0cf4e19e698a8e83697fe874d9753b9182d8e8b5f54cde5ab6

  • SHA512

    6439fb7378330534cb0cea41c902396cc559d3127766731d468c32ae2d932885a7d370372b3b51899d24a63d5e72f6ce627b4f0766f2f3e5834d00bf847d9747

  • SSDEEP

    98304:yJRo3d0hXVq9dri/msSa6WYiJ97m4am1p5jS9cmByE1lwd5KOHnlWY0:zd03qHImsQWYiz73aWjS9co3fqKOHlH0

Score
10/10
xtremeratdiscoverypersistenceratspywareupx

Malware Config

Extracted

Family

xtremerat

C2

ak474.zapto.org

Signatures

  • Detect XtremeRAT payload 6 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Users\Admin\AppData\Local\Temp\Panorama_Corrector.exe
      "C:\Users\Admin\AppData\Local\Temp\Panorama_Corrector.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:6076
      • C:\Users\Admin\AppData\Local\Temp\is-BVU8F.tmp\Panorama_Corrector.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-BVU8F.tmp\Panorama_Corrector.tmp" /SL5="$501CE,4832331,141824,C:\Users\Admin\AppData\Local\Temp\Panorama_Corrector.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        PID:3268
    • C:\Users\Admin\AppData\Local\Temp\Dog.exe
      "C:\Users\Admin\AppData\Local\Temp\Dog.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5536
      • C:\Users\Admin\AppData\Local\Temp\Dog.exe
        C:\Users\Admin\AppData\Local\Temp\Dog.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4292
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 472
            5⤵
            • Program crash
            PID:4692
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 488
            5⤵
            • Program crash
            PID:4848
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5108
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 484
            5⤵
            • Program crash
            PID:4680
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 492
            5⤵
            • Program crash
            PID:4812
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4292 -ip 4292
    1⤵
      PID:4572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5108 -ip 5108
      1⤵
        PID:4592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5108 -ip 5108
        1⤵
          PID:4672
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4292 -ip 4292
          1⤵
            PID:4660

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Dog.exe
            Filesize

            121KB

            MD5

            8bfaf58c21c74ac73df6387709debd06

            SHA1

            08d050d619b60ec3586dc74358b15993c55e36d3

            SHA256

            00dfa59e87f30d4efa8986a4b217d4ef8309a57366aff1c4f4064f5d8f222e95

            SHA512

            661b7709bdbeb5ac4e067faaae7513ae2ad87ce83914547923b0fc23f4d333cbd2d55f58a3720a16d9c95284a4eed985447d58a34bd6a00fae760edf46ec4756

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Panorama_Corrector.exe
            Filesize

            5.0MB

            MD5

            1fc2828885558e6f26d83200a492b1c1

            SHA1

            63286efa86ac14a948ded8d4516878ae3af5757a

            SHA256

            627b830466eb837dd5c4fb3d53d3dcd21fe329420f1b9e22e0c14844c834db6f

            SHA512

            dab28f90efdbb26818cd1244582e023520a2e69c63824f59b247bd7f42498c229f90fafcb088bfa57fc8946121495fb99fe7278d67f73167a0dd035b5cb5db54

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\is-BVU8F.tmp\Panorama_Corrector.tmp
            Filesize

            1.1MB

            MD5

            2e30da9c21c0847dd7135895d6388d46

            SHA1

            3435b0964bd238022819733ea7f049b3b215df3e

            SHA256

            0002f4046ef35e169fa79e2abf0b92212c1438487819dd8318301991ff99acac

            SHA512

            d7dabdbeaab41eddfb045d55c4752485fe231373dd8e45af26add7a238e928fd7905ae3ee9a2df34f484eabe4d8b7bcda775ef12822993b1850a3daa58f06aae

            Download Submit

          • memory/3052-36-0x0000000010000000-0x0000000010048000-memory.dmp

            Filesize

            288KB

            Download

          • memory/3052-34-0x0000000010000000-0x0000000010048000-memory.dmp

            Filesize

            288KB

            Download

          • memory/3052-38-0x0000000000400000-0x0000000000427000-memory.dmp

            Filesize

            156KB

            Download

          • memory/3052-37-0x0000000010000000-0x0000000010048000-memory.dmp

            Filesize

            288KB

            Download

          • memory/3268-62-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-66-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-76-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-74-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-72-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-70-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-68-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-64-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-60-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-58-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-56-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-50-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-52-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-54-0x0000000000400000-0x000000000053B000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4292-48-0x0000000010000000-0x0000000010048000-memory.dmp

            Filesize

            288KB

            Download

          • memory/4292-45-0x0000000010000000-0x0000000010048000-memory.dmp

            Filesize

            288KB

            Download

          • memory/5100-0-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/5100-28-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/5108-46-0x0000000010000000-0x0000000010048000-memory.dmp

            Filesize

            288KB

            Download

          • memory/5536-44-0x0000000000400000-0x0000000000427000-memory.dmp

            Filesize

            156KB

            Download

          • memory/5536-25-0x0000000000400000-0x0000000000427000-memory.dmp

            Filesize

            156KB

            Download

          • memory/5536-26-0x0000000000400000-0x0000000000427000-memory.dmp

            Filesize

            156KB

            Download

          • memory/6076-49-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/6076-21-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/6076-24-0x0000000000401000-0x0000000000417000-memory.dmp

            Filesize

            88KB

            Download