Malware Analysis Report

2024-08-06 17:39

Sample ID: 240508-sr4vbsah2x
Target: 2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118
SHA256: 0f4e7faf833c30ed300efa46b4b1d083523d48ec2864f110d2a2d5b47eb67a72
Tags: xpertrat group evasion rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 0f4e7faf833c30ed300efa46b4b1d083523d48ec2864f110d2a2d5b47eb67a72

Threat Level: Known bad

The file 2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xpertrat group evasion rat trojan

Windows security bypass

XpertRAT

XpertRAT Core payload

UAC bypass

Executes dropped EXE

Windows security modification

Drops startup file

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-08 15:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 15:22

Reported

2024-05-08 15:25

Platform

win7-20240221-en

Max time kernel

133s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\tmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Roaming\tmp.exe N/A

XpertRAT

rat xpertrat

XpertRAT Core payload

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Roaming\tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\tmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\tmp.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\tmp.exe
PID 2264 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2264 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\tmp.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2936 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f

C:\Users\Admin\AppData\Roaming\tmp.exe

"C:\Users\Admin\AppData\Roaming\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Roaming\tmp.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\svhost.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

Network

Country Destination Domain Proto
LV 46.183.220.104:10101 tcp

Files

memory/2264-0-0x0000000074331000-0x0000000074332000-memory.dmp

memory/2264-1-0x0000000074330000-0x00000000748DB000-memory.dmp

memory/2264-2-0x0000000074330000-0x00000000748DB000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderN\name.exe

MD5 2578debd234465c8aa7bcdf53bc3858a
SHA1 aaec53a7560318b698cec4f1388f26b1c12f9c40
SHA256 0f4e7faf833c30ed300efa46b4b1d083523d48ec2864f110d2a2d5b47eb67a72
SHA512 849947365c47ab82f54d7e7b6a5105e28bf684cff0ad3f313541722dcc2b0ae9bbdeb794b771a32a07fd6b1f071f2b99e7c8464167aff036a622fc969ce4fcdf

\Users\Admin\AppData\Roaming\tmp.exe

MD5 d5ac3689652f1d3566ec15d8ba4f088a
SHA1 aedd8e90ec29f1a0259eb31fab519a398cb4f205
SHA256 4c4b3ad8895c8ea779e3e359b8f3610f061d4d865170e32b7af648ff0268e2b8
SHA512 6b989ca5018c9ff845461e150ac23b92ae71ef1d268d8975e52a3293f15eefadde6f3b73670c902f4d146e80db0f799b08fedd87c786ab7af366f4b54e35ba70

memory/2936-20-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

MD5 dca86f6bec779bba1b58d992319e88db
SHA1 844e656d3603d15ae56f36298f8031ad52935829
SHA256 413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743
SHA512 4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

memory/2384-44-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

memory/2936-26-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2936-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2936-23-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2936-22-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 dea4be0cd6e1e8e3c7b5ac7c0bd90a57
SHA1 07f8fbaaa4c65c3e9327aeb8afba76895e269507
SHA256 a221e9aa2edf42cbd95a7d1aefa30e0d73d2c7ba0cff93c3b53db9e364334fef
SHA512 a963cc3056d9fdce74ffabcfa7cc32d62c49700a25167f80468919da4d80806c4ceec82d77be04b8bc9362c43bb25d2a0437708bb1159b7efed48fa0ff749f5f

memory/2264-50-0x0000000074330000-0x00000000748DB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 15:22

Reported

2024-05-08 15:25

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\tmp.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Roaming\tmp.exe N/A

XpertRAT

rat xpertrat

XpertRAT Core payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Roaming\tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\tmp.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmp.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1104 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\tmp.exe
PID 1104 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1104 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Roaming\tmp.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1260 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f

C:\Users\Admin\AppData\Roaming\tmp.exe

"C:\Users\Admin\AppData\Roaming\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Roaming\tmp.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

Network

Country Destination Domain Proto
LV 46.183.220.104:10101 tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

memory/1104-0-0x0000000074A62000-0x0000000074A63000-memory.dmp

memory/1104-1-0x0000000074A60000-0x0000000075011000-memory.dmp

memory/1104-2-0x0000000074A60000-0x0000000075011000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderN\name.exe

MD5 2578debd234465c8aa7bcdf53bc3858a
SHA1 aaec53a7560318b698cec4f1388f26b1c12f9c40
SHA256 0f4e7faf833c30ed300efa46b4b1d083523d48ec2864f110d2a2d5b47eb67a72
SHA512 849947365c47ab82f54d7e7b6a5105e28bf684cff0ad3f313541722dcc2b0ae9bbdeb794b771a32a07fd6b1f071f2b99e7c8464167aff036a622fc969ce4fcdf

C:\Users\Admin\AppData\Roaming\tmp.exe

MD5 d5ac3689652f1d3566ec15d8ba4f088a
SHA1 aedd8e90ec29f1a0259eb31fab519a398cb4f205
SHA256 4c4b3ad8895c8ea779e3e359b8f3610f061d4d865170e32b7af648ff0268e2b8
SHA512 6b989ca5018c9ff845461e150ac23b92ae71ef1d268d8975e52a3293f15eefadde6f3b73670c902f4d146e80db0f799b08fedd87c786ab7af366f4b54e35ba70

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 1c9ff7df71493896054a91bee0322ebf
SHA1 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256 e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512 aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

memory/1908-26-0x00000000005D0000-0x00000000005FC000-memory.dmp

memory/1012-31-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

MD5 dca86f6bec779bba1b58d992319e88db
SHA1 844e656d3603d15ae56f36298f8031ad52935829
SHA256 413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743
SHA512 4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

memory/1104-37-0x0000000074A60000-0x0000000075011000-memory.dmp