Analysis Overview
SHA256
e0d466aaa7404635283ce504bcd5dbe14ad8b54b64e4afe5d77e77d36a585e7d
Threat Level: Known bad
The file 4eee159abe15465cbfda76691299210f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Detect XtremeRAT payload
XtremeRAT
Boot or Logon Autostart Execution: Active Setup
Molebox Virtualization software
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-16 15:26
Signatures
Molebox Virtualization software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-16 15:26
Reported
2024-07-16 15:29
Platform
win7-20240708-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XtremeRAT
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BTYF631O-I731-W158-BB0S-264Y328ETC5K}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BTYF631O-I731-W158-BB0S-264Y328ETC5K} | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | N/A |
| File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1300 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 1300 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 1300 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 1300 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 1300 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp |
Files
memory/1300-5-0x0000000076311000-0x0000000076312000-memory.dmp
memory/1300-4-0x0000000076FF0000-0x0000000076FF1000-memory.dmp
memory/1300-3-0x00000000009F0000-0x0000000000A00000-memory.dmp
memory/1300-2-0x00000000009C0000-0x00000000009D0000-memory.dmp
memory/1300-1-0x0000000000260000-0x00000000002AD000-memory.dmp
memory/1300-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1300-6-0x0000000076300000-0x0000000076410000-memory.dmp
memory/1300-7-0x0000000000C80000-0x0000000000C9E000-memory.dmp
memory/328-11-0x0000000000C80000-0x0000000000C9E000-memory.dmp
memory/328-13-0x0000000000C80000-0x0000000000C9E000-memory.dmp
memory/328-14-0x0000000076300000-0x0000000076410000-memory.dmp
memory/1300-15-0x0000000000C80000-0x0000000000C9E000-memory.dmp
memory/1300-16-0x0000000000260000-0x00000000002AD000-memory.dmp
memory/1300-17-0x0000000076300000-0x0000000076410000-memory.dmp
memory/328-19-0x0000000000C80000-0x0000000000C9E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-16 15:26
Reported
2024-07-16 15:29
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XtremeRAT
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{BTYF631O-I731-W158-BB0S-264Y328ETC5K} | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BTYF631O-I731-W158-BB0S-264Y328ETC5K}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4eee159abe15465cbfda76691299210f_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:81 | tcp | |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:81 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:85 | tcp | |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| N/A | 127.0.0.1:81 | tcp | |
| N/A | 127.0.0.1:85 | tcp | |
| US | 8.8.8.8:53 | udp |
Files
memory/788-2-0x00000000005D0000-0x00000000005E0000-memory.dmp
memory/788-7-0x0000000075990000-0x0000000075991000-memory.dmp
memory/788-6-0x0000000000B40000-0x0000000000B50000-memory.dmp
memory/788-5-0x00000000025F0000-0x0000000002600000-memory.dmp
memory/788-4-0x0000000077042000-0x0000000077043000-memory.dmp
memory/788-3-0x0000000000B40000-0x0000000000B50000-memory.dmp
memory/788-1-0x00000000005F0000-0x000000000063D000-memory.dmp
memory/788-0-0x00000000005A0000-0x00000000005A1000-memory.dmp
memory/788-8-0x0000000075970000-0x0000000075A60000-memory.dmp
memory/788-9-0x0000000000C80000-0x0000000000C9E000-memory.dmp
memory/788-10-0x0000000075970000-0x0000000075A60000-memory.dmp
memory/788-11-0x0000000075970000-0x0000000075A60000-memory.dmp
memory/788-15-0x0000000000C80000-0x0000000000C9E000-memory.dmp
memory/788-17-0x00000000005F0000-0x000000000063D000-memory.dmp
memory/788-21-0x0000000000B40000-0x0000000000B50000-memory.dmp
memory/788-20-0x00000000025F0000-0x0000000002600000-memory.dmp
memory/788-19-0x0000000000B40000-0x0000000000B50000-memory.dmp
memory/788-18-0x00000000005D0000-0x00000000005E0000-memory.dmp
memory/788-22-0x0000000075970000-0x0000000075A60000-memory.dmp
memory/788-23-0x0000000000C80000-0x0000000000C9E000-memory.dmp
memory/788-24-0x0000000075970000-0x0000000075A60000-memory.dmp
memory/788-26-0x0000000075970000-0x0000000075A60000-memory.dmp