Malware Analysis Report

2024-08-06 17:38

Sample ID 240509-mm6kgafg75
Target 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118
SHA256 2ce70e3ec75c2e85928d0590e3d0909bd0fdb28600a5b3443a527d6560de01e6
Tags xpertrat group evasion rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ce70e3ec75c2e85928d0590e3d0909bd0fdb28600a5b3443a527d6560de01e6

Threat Level: Known bad

The file 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xpertrat group evasion rat trojan

UAC bypass

XpertRAT

XpertRAT Core payload

Windows security bypass

Executes dropped EXE

Loads dropped DLL

Windows security modification

Checks computer location settings

Drops startup file

Drops desktop.ini file(s)

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-09 10:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 10:35

Reported

2024-05-09 10:38

Platform

win7-20240220-en

Max time kernel

137s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A

XpertRAT

rat xpertrat

XpertRAT Core payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2732 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 1836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 1836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 1836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 1836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 2732 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 2732 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 2732 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 2732 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 2732 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 2732 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 2732 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 2732 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 2732 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 2732 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 2732 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 2732 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 2732 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 2732 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 2732 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 2732 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 2732 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 2012 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2012 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2012 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2012 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2012 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2012 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2232 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2232 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2232 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2232 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2232 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2232 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2232 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2012 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2232 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2012 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2232 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2232 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2232 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2232 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2012 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2732 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 276 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1136 wrote to memory of 276 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1136 wrote to memory of 276 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1136 wrote to memory of 276 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f

C:\Users\Admin\AppData\Roaming\tmp.exe

"C:\Users\Admin\AppData\Roaming\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Roaming\tmp.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

C:\Windows\SysWOW64\timeout.exe

timeout /t 2640

Network

Country | Destination | Domain | Proto
LV | 46.183.220.104:10101 | | tcp
LV | 46.183.220.104:10101 | | tcp

Files

memory/2732-0-0x00000000749E1000-0x00000000749E2000-memory.dmp

memory/2732-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp

memory/2732-2-0x00000000749E0000-0x0000000074F8B000-memory.dmp

memory/2732-3-0x00000000749E0000-0x0000000074F8B000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderN\name.exe

MD5 298d23c0ecd0b23b303eed58288e8209
SHA1 7536e0937095311b8565adbadea597e99745d774
SHA256 2ce70e3ec75c2e85928d0590e3d0909bd0fdb28600a5b3443a527d6560de01e6
SHA512 bb6766ac874e69d8a37575ffa5e450724b638e82c1e9316bb58f2252d1d047e450686c27c4549e17e19ed5d66207997bff1b0ed2b06a58f9c343785acaf85bb8

\Users\Admin\AppData\Roaming\tmp.exe

MD5 d5ac3689652f1d3566ec15d8ba4f088a
SHA1 aedd8e90ec29f1a0259eb31fab519a398cb4f205
SHA256 4c4b3ad8895c8ea779e3e359b8f3610f061d4d865170e32b7af648ff0268e2b8
SHA512 6b989ca5018c9ff845461e150ac23b92ae71ef1d268d8975e52a3293f15eefadde6f3b73670c902f4d146e80db0f799b08fedd87c786ab7af366f4b54e35ba70

memory/2012-18-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2012-20-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2012-26-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2012-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2012-23-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

MD5 2f98167fa44c455560450f60ceff0fa0
SHA1 34b599d23f9424deed3e4ead29d315f2b5e9dd21
SHA256 acc75b60b025aa61061c7663a81505dca62d69aa792cac010a11fea2c5d10f3b
SHA512 1d1f1eb11f2bb5ea6aecd8260aee3645f6a28b1f71bca354addd88212fa5627609a9f5ee9622b539f6eb1bfea448ede98a049647cac27e088c9938a292617437

memory/692-38-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2012-49-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2732-50-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 10:35

Reported

2024-05-09 10:38

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A

XpertRAT

rat xpertrat

XpertRAT Core payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A
N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1408 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1408 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 1408 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 1408 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 1408 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 1408 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 1408 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 1408 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 1408 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 1408 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 1408 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
PID 892 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 892 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 892 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 892 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 892 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 892 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 892 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 892 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1408 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 3264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 924 wrote to memory of 3264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 924 wrote to memory of 3264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f

C:\Users\Admin\AppData\Roaming\tmp.exe

"C:\Users\Admin\AppData\Roaming\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Roaming\tmp.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

C:\Windows\SysWOW64\timeout.exe

timeout /t 2640

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
BE | 88.221.83.184:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 184.83.221.88.in-addr.arpa | udp
BE | 88.221.83.184:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
LV | 46.183.220.104:10101 | | tcp
LV | 46.183.220.104:10101 | | tcp
US | 8.8.8.8:53 | | udp

Files

memory/1408-0-0x0000000075492000-0x0000000075493000-memory.dmp

memory/1408-1-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/1408-2-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/1408-3-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/1408-4-0x0000000075492000-0x0000000075493000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderN\name.exe

MD5 298d23c0ecd0b23b303eed58288e8209
SHA1 7536e0937095311b8565adbadea597e99745d774
SHA256 2ce70e3ec75c2e85928d0590e3d0909bd0fdb28600a5b3443a527d6560de01e6
SHA512 bb6766ac874e69d8a37575ffa5e450724b638e82c1e9316bb58f2252d1d047e450686c27c4549e17e19ed5d66207997bff1b0ed2b06a58f9c343785acaf85bb8

C:\Users\Admin\AppData\Roaming\tmp.exe

MD5 d5ac3689652f1d3566ec15d8ba4f088a
SHA1 aedd8e90ec29f1a0259eb31fab519a398cb4f205
SHA256 4c4b3ad8895c8ea779e3e359b8f3610f061d4d865170e32b7af648ff0268e2b8
SHA512 6b989ca5018c9ff845461e150ac23b92ae71ef1d268d8975e52a3293f15eefadde6f3b73670c902f4d146e80db0f799b08fedd87c786ab7af366f4b54e35ba70

memory/4928-27-0x0000000000350000-0x000000000037C000-memory.dmp

memory/2376-30-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

MD5 2f98167fa44c455560450f60ceff0fa0
SHA1 34b599d23f9424deed3e4ead29d315f2b5e9dd21
SHA256 acc75b60b025aa61061c7663a81505dca62d69aa792cac010a11fea2c5d10f3b
SHA512 1d1f1eb11f2bb5ea6aecd8260aee3645f6a28b1f71bca354addd88212fa5627609a9f5ee9622b539f6eb1bfea448ede98a049647cac27e088c9938a292617437

memory/1408-38-0x0000000075490000-0x0000000075A41000-memory.dmp