Analysis Overview
SHA256
320f50297a53c683ea9775b1fa0a3928a260a3a005d152618018ee60405f3530
Threat Level: Known bad
The file 3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Xtremerat family
XtremeRAT
Boot or Logon Autostart Execution: Active Setup
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-11 11:52
Signatures
Xtremerat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-11 11:52
Reported
2024-07-11 11:55
Platform
win7-20240708-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
XtremeRAT
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6} | C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart" | C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\InstallDir\server.exe | C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe | N/A |
| File created | C:\Windows\InstallDir\server.exe | C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
| N/A | 127.0.0.1:82 | | tcp |
Files
memory/2132-4-0x0000000000C80000-0x0000000000C93000-memory.dmp
C:\Windows\InstallDir\server.exe
| Hash | Value |
|---|---|
| MD5 | 3900bb3a90b8d5f3e57c44ca748dc2da |
| SHA1 | 5e52957a229c1380b27c6b29ab24666e29981339 |
| SHA256 | 320f50297a53c683ea9775b1fa0a3928a260a3a005d152618018ee60405f3530 |
| SHA512 | be1b6129a9f1f34e251f5c048c1006bb6abab4c4a83e7f8ccab09efb731f1cb72513a26c9ddb7610287d5bf010910e6f87927bff95a1eeca23c0f71e21d449fe |
memory/2132-5-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/1524-9-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/2624-10-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/1524-12-0x0000000000C80000-0x0000000000C93000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-11 11:52
Reported
2024-07-11 11:55
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
XtremeRAT
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6} | C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart" | C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6} | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\InstallDir\server.exe | C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe | N/A |
| File created | C:\Windows\InstallDir\server.exe | C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| N/A | 127.0.0.1:82 | | tcp |
| US | 8.8.8.8:53 | microsoft2012.no-ip.biz | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:82 | | tcp |
Files
memory/1068-3-0x0000000000C80000-0x0000000000C93000-memory.dmp
C:\Windows\InstallDir\server.exe
| Hash | Value |
|---|---|
| MD5 | 3900bb3a90b8d5f3e57c44ca748dc2da |
| SHA1 | 5e52957a229c1380b27c6b29ab24666e29981339 |
| SHA256 | 320f50297a53c683ea9775b1fa0a3928a260a3a005d152618018ee60405f3530 |
| SHA512 | be1b6129a9f1f34e251f5c048c1006bb6abab4c4a83e7f8ccab09efb731f1cb72513a26c9ddb7610287d5bf010910e6f87927bff95a1eeca23c0f71e21d449fe |
memory/2040-5-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/2032-6-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/2040-8-0x0000000000C80000-0x0000000000C93000-memory.dmp