Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250410-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12/04/2025, 11:29

General

  • Target

    JaffaCakes118_b21e16d26a741f0ebafdcb4773f4af10.exe

  • Size

    747KB

  • MD5

    b21e16d26a741f0ebafdcb4773f4af10

  • SHA1

    2dccc61d0b5ed0f598596426fb9624963aab5727

  • SHA256

    2003b6788d0ae9f3dfa199d6b458683024935e561c922fa54f2a30a995b54755

  • SHA512

    58c96ee217a5afe313921b27685a068952600bbba76aaf05834d20f06e2540944094672f9055a4463041ae22e5f2cbcd7eedfee3b549faafb25e49d9f8bb7ace

  • SSDEEP

    12288:Y1j327fuuvuEPdPnP+hVdC2DBHgeas88MEqj4CFRA+LjTUf3rH3OvA:YEzuEVPnWhVdCyBAy88o4CN/y3LMA

Malware Config

Extracted

Family

xtremerat

C2

lethal.no-ip.org

Signatures

  • Detect XtremeRAT payload 5 IoCs
  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

  • Xtremerat family
  • Adds policy Run key to start application 2 TTPs 8 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
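The four persistence signatures above (Winlogon, policy Run key, Active Setup, Run key) each correspond to a registry location that a host-based sensor can watch. The following is an added example, not code from the sandbox or from the sample: a detector that applies those four rules to Sysmon-style "registry value set" records. The PIDs 1552/5540, the sample path and the dropped C:\Users\Admin\AppData\Roaming\System32\cmd.exe path are taken from this report; the value names, the Active Setup GUID, the SID and the two benign records are constructed.

```python
"""Registry-persistence detector for the four techniques named in the
Signatures section (Winlogon, policy Run key, Active Setup, Run key).
Added example, not sandbox code; the events below are constructed to
mirror the report (PIDs, sample path and dropped path are the page's;
value names, GUID and SID are made up)."""
import re
from dataclasses import dataclass

# Rule name as the report labels it, regex over a Sysmon-style TargetObject
# (HKLM\...\Key\ValueName). Case-insensitive because the same keys appear
# under HKU\<SID>\Software and under Wow6432Node for 32-bit writers such as
# the SysWOW64 svchost.exe in the process tree.
RULES = [
    ("Modifies WinLogon for persistence",
     re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I)),
    ("Adds policy Run key to start application",
     re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", re.I)),
    ("Boot or Logon Autostart Execution: Active Setup",
     re.compile(r"\\Active Setup\\Installed Components\\\{[^\\]+\}\\StubPath$", re.I)),
    ("Adds Run key to start application",
     re.compile(r"\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)),
]

# Winlogon values always exist; only a change away from the stock content
# is persistence, so the defaults are whitelisted.
WINLOGON_DEFAULTS = {
    "userinit": "c:\\windows\\system32\\userinit.exe",
    "shell": "explorer.exe",
}

@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str
    target: str   # full key path plus value name
    data: str     # new value content

@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    target: str
    data: str

def check_event(ev: RegEvent):
    """Return a Finding for the first rule that matches, or None."""
    for rule, rx in RULES:
        if not rx.search(ev.target):
            continue
        if rule.startswith("Modifies WinLogon"):
            value = ev.target.rsplit("\\", 1)[-1].lower()
            if ev.data.lower().rstrip(",") == WINLOGON_DEFAULTS[value]:
                return None  # stock Userinit/Shell content, not persistence
        return Finding(rule, ev.pid, ev.target, ev.data)
    return None

def scan(events):
    return [f for f in map(check_event, events) if f is not None]

def summarize(findings):
    """Rule -> number of hits, in the order the rules are defined."""
    counts = {rule: 0 for rule, _ in RULES}
    for f in findings:
        counts[f.rule] += 1
    return {k: v for k, v in counts.items() if v}

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b21e16d26a741f0ebafdcb4773f4af10.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\System32\cmd.exe"

# Constructed records shaped like Sysmon event 13 (value names, GUID, SID made up).
SAMPLE_EVENTS = [
    RegEvent(1552, SAMPLE_EXE,
             r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
             r"C:\Windows\system32\userinit.exe," + DROPPED),
    RegEvent(5540, SVCHOST,
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Update",
             DROPPED),
    RegEvent(5540, SVCHOST,
             r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
             r"\{11111111-2222-3333-4444-555555555555}\StubPath",
             DROPPED),
    RegEvent(1552, SAMPLE_EXE,
             r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update",
             DROPPED),
    # Benign noise: the stock Userinit value and a RunOnce entry must not fire.
    RegEvent(804, r"C:\Windows\System32\winlogon.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
             r"C:\Windows\system32\userinit.exe,"),
    RegEvent(4120, r"C:\Windows\System32\msiexec.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
             r"C:\Setup\finish.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.target} -> {f.data}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

The Winlogon rule is the one that needs a whitelist: Userinit and Shell are written by legitimate software too, so only a value that no longer equals the stock content is reported. The Run and Policies\Explorer\Run rules fire on any write; in production they are usually paired with an image allow-list, which is omitted here to keep the four report signatures visible.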

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b21e16d26a741f0ebafdcb4773f4af10.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b21e16d26a741f0ebafdcb4773f4af10.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Modifies WinLogon for persistence
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:5540
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5528
    • C:\Program Files (x86)\167Weapon Myster Hack.exe
      "C:\Program Files (x86)\167Weapon Myster Hack.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3692

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Program Files (x86)\167Weapon Myster Hack.exe

    Filesize

    692KB

    MD5

    31fa625878b7c96c503afe23b68ff38c

    SHA1

    3fd0fa70f96bb9fa8737bb4c693e61e063220710

    SHA256

    cf6f11c3b54b5aa212672e29980431a22ee8f813ec28f91863000a5df946473a

    SHA512

    b050d7a47674ccf0b5881bb86b1dbed41e9176044016b0d83d0e38264c7308648d2146dac42a3f01ada24529451ee002b63469943c24408f89bfdf906fe2ddde

  • C:\Users\Admin\AppData\Roaming\System32\cmd.exe

    Filesize

    747KB

    MD5

    b21e16d26a741f0ebafdcb4773f4af10

    SHA1

    2dccc61d0b5ed0f598596426fb9624963aab5727

    SHA256

    2003b6788d0ae9f3dfa199d6b458683024935e561c922fa54f2a30a995b54755

    SHA512

    58c96ee217a5afe313921b27685a068952600bbba76aaf05834d20f06e2540944094672f9055a4463041ae22e5f2cbcd7eedfee3b549faafb25e49d9f8bb7ace

  • memory/1552-20-0x0000000000C80000-0x0000000000D43000-memory.dmp

    Filesize

    780KB

  • memory/3692-22-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

  • memory/3692-25-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/5528-8-0x0000000000C80000-0x0000000000D43000-memory.dmp

    Filesize

    780KB

  • memory/5528-24-0x0000000000C80000-0x0000000000D43000-memory.dmp

    Filesize

    780KB

  • memory/5540-6-0x0000000000C80000-0x0000000000D43000-memory.dmp

    Filesize

    780KB
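The Processes tree and the Downloads list together describe a single injection pattern: PID 1552 spawns two SysWOW64\svchost.exe children while using WriteProcessMemory, the same 0xC80000-0xD43000 region (780KB) is dumped from 1552, 5528 and 5540, and the file dropped as AppData\Roaming\System32\cmd.exe carries the sample's own hashes. The following is an added example, not code from the sandbox: it parses the dump identifiers in the format shown above, groups identical regions across PIDs, flags svchost.exe instances whose parent is not services.exe, and checks the Downloads hashes for self-copies. Process, dump and hash data are copied from this report; the parent of PID 1552 is not on the page and is left as unknown.

```python
"""Correlate the process tree, the memory dumps and the dropped-file hashes
of the report into an injection picture. Added example, not sandbox code;
entries below are copied from the report, the parent of PID 1552 is not
on the page and is recorded as None."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

DUMP_RX = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)

def parse_dump_name(name):
    """'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' -> dict of ints."""
    m = DUMP_RX.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)}

def region_size_kb(dump):
    return (dump["end"] - dump["start"]) // 1024

def shared_regions(dump_names):
    """(start, end) -> sorted PIDs in which exactly that range was dumped,
    restricted to ranges seen in more than one process."""
    seen = defaultdict(set)
    for d in map(parse_dump_name, dump_names):
        seen[(d["start"], d["end"])].add(d["pid"])
    return {r: sorted(p) for r, p in seen.items() if len(p) > 1}

def basename(path):
    return PureWindowsPath(path).name.lower()

def orphan_svchost(procs):
    """svchost.exe instances whose parent is not services.exe, the expected
    parent of a service host on a normal Windows machine."""
    out = []
    for pid, (image, ppid) in procs.items():
        if basename(image) != "svchost.exe":
            continue
        parent_image = procs[ppid][0] if ppid in procs else ""
        if basename(parent_image) != "services.exe":
            out.append(pid)
    return sorted(out)

def injection_candidates(procs, dump_names):
    """(parent, child, region) where an orphan svchost child shares a dumped
    region with its parent: the child is running the parent's payload."""
    shared = shared_regions(dump_names)
    pairs = set()
    for pid in orphan_svchost(procs):
        ppid = procs[pid][1]
        for region, pids in shared.items():
            if pid in pids and ppid in pids:
                pairs.add((ppid, pid, region))
    return sorted(pairs)

def self_copies(downloads, sample_sha256):
    """Dropped files that are byte-identical to the submitted sample."""
    return sorted(p for p, h in downloads.items() if h.lower() == sample_sha256.lower())

# pid -> (image path, parent pid); None = parent not recorded on the page.
PROCS = {
    1552: (r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b21e16d26a741f0ebafdcb4773f4af10.exe", None),
    5540: (r"C:\Windows\SysWOW64\svchost.exe", 1552),
    5528: (r"C:\Windows\SysWOW64\svchost.exe", 1552),
    3692: (r"C:\Program Files (x86)\167Weapon Myster Hack.exe", 1552),
}

DUMPS = [
    "memory/1552-20-0x0000000000C80000-0x0000000000D43000-memory.dmp",
    "memory/3692-22-0x00000000005C0000-0x00000000005C1000-memory.dmp",
    "memory/3692-25-0x0000000000400000-0x00000000004B3000-memory.dmp",
    "memory/5528-8-0x0000000000C80000-0x0000000000D43000-memory.dmp",
    "memory/5528-24-0x0000000000C80000-0x0000000000D43000-memory.dmp",
    "memory/5540-6-0x0000000000C80000-0x0000000000D43000-memory.dmp",
]

SAMPLE_SHA256 = "2003b6788d0ae9f3dfa199d6b458683024935e561c922fa54f2a30a995b54755"
DOWNLOADS = {
    r"C:\Program Files (x86)\167Weapon Myster Hack.exe":
        "cf6f11c3b54b5aa212672e29980431a22ee8f813ec28f91863000a5df946473a",
    r"C:\Users\Admin\AppData\Roaming\System32\cmd.exe": SAMPLE_SHA256,
}

if __name__ == "__main__":
    for region, pids in shared_regions(DUMPS).items():
        print(f"region {region[0]:#x}-{region[1]:#x} ({(region[1]-region[0])//1024}KB) in PIDs {pids}")
    print("orphan svchost:", orphan_svchost(PROCS))
    print("injection candidates:", injection_candidates(PROCS, DUMPS))
    print("self-copies of the sample:", self_copies(DOWNLOADS, SAMPLE_SHA256))
```

The 716KB region at 0x400000 in PID 3692 is that process's own image base and is not shared, so it is correctly left out; the 780KB region is the one the WriteProcessMemory signature on PID 1552 accounts for. The self-copy check is what turns the odd path AppData\Roaming\System32\cmd.exe into a concrete indicator: a cmd.exe outside C:\Windows whose SHA256 equals the sample is the persistence target the registry signatures point at.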