c7f609b5ff1def1127e27977de13336bca8e0d1d705240cc9f607ba19c165455

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Size

878KB
MD5

41d52840210da5a68f9ef59547c16201
SHA1

44550cf84c590717297908b759369d909db2d600
SHA256

c7f609b5ff1def1127e27977de13336bca8e0d1d705240cc9f607ba19c165455
SHA512

aa2bfb5c982038b280f93284e7e5affbe9226d2c69690b0a41f8232cc6aa19a1328edd4cac5c6ba063a4601f363e3b37e268f139fc59202523bbb46e0f3f69a7
SSDEEP

24576:yowQUsiK3J1wrBxoU/fwYCLpviCcbdvh2p:Hll3J1YPoMOrM

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Xtreme = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe"	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Xtreme = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe"	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{TJI20SO8-5QD4-5DE4-201D-1M6XB2R26V1Y}	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{TJI20SO8-5QD4-5DE4-201D-1M6XB2R26V1Y}\StubPath = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe s"	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1476-17-0x0000000013400000-0x00000000134AB000-memory.dmp	upx
behavioral2/memory/1476-16-0x0000000013400000-0x00000000134AB000-memory.dmp	upx
behavioral2/memory/1476-24-0x0000000013400000-0x00000000134AB000-memory.dmp	upx
behavioral2/memory/1476-26-0x0000000013400000-0x00000000134AB000-memory.dmp	upx
behavioral2/memory/1476-25-0x0000000013400000-0x00000000134AB000-memory.dmp	upx
behavioral2/memory/1476-18-0x0000000013400000-0x00000000134AB000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xtreme = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe"	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xtreme = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe"	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Xtreme\	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Xtreme\Xtreme.exe	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Xtreme\Xtreme.exe	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 780 set thread context of 628	780	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	85
PID 628 set thread context of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 5032 set thread context of 1476	5032	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	88
PID 1476 set thread context of 5100	1476	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3432	5100	WerFault.exe	89

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
780	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
780	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 628	780	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	85
PID 780 wrote to memory of 628	780	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	85
PID 780 wrote to memory of 628	780	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	85
PID 780 wrote to memory of 628	780	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	85
PID 780 wrote to memory of 628	780	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	85
PID 780 wrote to memory of 628	780	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	85
PID 780 wrote to memory of 628	780	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	85
PID 780 wrote to memory of 628	780	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	85
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 628 wrote to memory of 5032	628	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	87
PID 5032 wrote to memory of 1476	5032	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	88
PID 5032 wrote to memory of 1476	5032	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	88
PID 5032 wrote to memory of 1476	5032	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	88
PID 5032 wrote to memory of 1476	5032	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	88
PID 5032 wrote to memory of 1476	5032	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	88
PID 5032 wrote to memory of 1476	5032	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	88
PID 5032 wrote to memory of 1476	5032	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	88
PID 5032 wrote to memory of 1476	5032	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	88
PID 1476 wrote to memory of 5100	1476	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	89
PID 1476 wrote to memory of 5100	1476	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	89
PID 1476 wrote to memory of 5100	1476	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	89
PID 1476 wrote to memory of 5100	1476	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	89
PID 1476 wrote to memory of 5100	1476	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	89
PID 1476 wrote to memory of 5100	1476	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	89
PID 1476 wrote to memory of 5100	1476	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	89
PID 1476 wrote to memory of 5100	1476	41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\41d52840210da5a68f9ef59547c16201_JaffaCakes118.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Checks SCSI registry key(s)
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 12
        6⤵
        Program crash
        
        PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5100 -ip 5100
1⤵
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XtremeServerSource.dat

Filesize
203KB

MD5
c73f8a2f9c0be762b94815e4029befe8

SHA1
2013f791c309760e8d8944c71fff49a25a0d92d9

SHA256
b80530c79b4229a3e361a9fdfb714ba1fe38bfcd244de2662680fb9b6cac71f4

SHA512
f8f8ef01a8452ad4075abd36ebc0361bdbe23d3dc7ca69cd2ea2f572f7728fdc136ac9add34f20b6a32888cf33160c66511cba9e11de07e478b77f22f3a3aef0

Download Submit
memory/628-15-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/628-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/628-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/780-10-0x0000000000400000-0x00000000007EF000-memory.dmp

Filesize
3.9MB

Download
memory/780-0-0x0000000000400000-0x00000000007EF000-memory.dmp

Filesize
3.9MB

Download
memory/1476-26-0x0000000013400000-0x00000000134AB000-memory.dmp

Filesize
684KB

Download
memory/1476-17-0x0000000013400000-0x00000000134AB000-memory.dmp

Filesize
684KB

Download
memory/1476-16-0x0000000013400000-0x00000000134AB000-memory.dmp

Filesize
684KB

Download
memory/1476-24-0x0000000013400000-0x00000000134AB000-memory.dmp

Filesize
684KB

Download
memory/1476-25-0x0000000013400000-0x00000000134AB000-memory.dmp

Filesize
684KB

Download
memory/1476-18-0x0000000013400000-0x00000000134AB000-memory.dmp

Filesize
684KB

Download
memory/5032-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-11-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads