Analysis

  • max time kernel
    103s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/03/2025, 10:53

General

  • Target

    JaffaCakes118_7ddf01df05eb4f9affa42914d91da24a.exe

  • Size

    194KB

  • MD5

    7ddf01df05eb4f9affa42914d91da24a

  • SHA1

    10f56c3b002d8f877288cce8898bec0fa05e1deb

  • SHA256

    52c4f19fe6ac08c8a23e841f4704121950421c32e8a78b8e5f46a1d8e1a574b6

  • SHA512

    75bdbeeb978a932e73d5f61b4483749219a02c579ad8b35fd3f33c93a3d7e3d8379792a43a0fc19431ab28261efa0455f979b91fdf36144f270b4c180de3dabd

  • SSDEEP

    3072:44lRkAehGfzmuqTPryF5draBIpPQMPozgEAQIIOxm9v9S:44lRkAehaKuqT+F5draBCDorAB4K

Malware Config

Signatures

  • Detect XtremeRAT payload 2 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Xtremerat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ddf01df05eb4f9affa42914d91da24a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ddf01df05eb4f9affa42914d91da24a.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3100
    • C:\WINDOWS\1.exe
      "C:\WINDOWS\1.exe"
      2⤵
      • Executes dropped EXE
      PID:3448
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 500
        3⤵
        • Program crash
        PID:4180
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3448 -ip 3448
    1⤵
      PID:4872

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\1.exe

      Filesize

      40KB

      MD5

      2bd4570ab11e273b365e0527abdee325

      SHA1

      d0d753d1db682a23c3a7875e645cbc42abc95a03

      SHA256

      6328c12432677c5533db16757d50904910946fbb5e46aeca60a0de565a60fe7b

      SHA512

      7fb02e2b01d1fbec2248783261a9af5b0337afc5246d472cfce87de75c3a3d64e234d12c90176e3292468c2ecec6ccd19c7af9cf6c61bd9b097ced6415a7a872

    • memory/3448-9-0x0000000000C80000-0x0000000000C92000-memory.dmp

      Filesize

      72KB