Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-07-2024 12:22
Static task: static1
Behavioral task: behavioral1
  Sample: 575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
Size: 636KB
MD5: 575be827aaf815b042eeb2f26256aa36
SHA1: 0fbaac8c23c753087600ebb60d88156c0e879cf4
SHA256: 7482550afd104fb717817aa4a366e6f5c91377b1add23dd3ee4986b6283589c7
SHA512: 28a9767ee3ad3f260bafd4bd6cd30db3908fa63e6049df5b99e50f6cd5ec68d168a3cfa238fceba5e59626ea95b809cf0edebc5baa427ce1fcd989af8c958c52
SSDEEP: 12288:LcR/C44VLG/8zwfVHQ8/teJhIDu8mHI8NMgzHQo:Lm/P4RG/8ziwGeJhC9S
Malware Config
Extracted
xtremerat
tr3x.tzo.cc
Signatures
Detect XtremeRAT payload 22 IoCs
Processes:
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Boot or Logon Autostart Execution: Active Setup 2 TTPs 60 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
Executes dropped EXE 56 IoCs
Processes:
Adds Run key to start application 2 TTPs 60 IoCs
Processes:
Suspicious use of SetThreadContext 29 IoCs
Processes:
Drops file in Program Files directory 2 IoCs
Processes:
- File opened for modification: C:\Program Files (x86)\InstallDir\tr3x.exe (process: 575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\InstallDir\tr3x.exe (process: 575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx 29 IoCs
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
- C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe (PID 4228), command line: "C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe (PID 2192), command line: "C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe"
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 3932), command line: svchost.exe
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 3040), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4524), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\svchost.exe (PID 4120), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 3892), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4828), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\svchost.exe (PID 4348), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 3948), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2952), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 1744), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4952), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2940), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 4928), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2232), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 3896), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 2880), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4856), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 1316), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 3548), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 5092), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2192), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 3392), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 1328), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4888), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 3352), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 5096), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 1376), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 3948), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 224), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2460), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 4220), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2008), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 1832), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 1240), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 5080), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4216), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 1752), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 3100), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 3340), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 2376), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 3804), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2632), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 668), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 3964), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 1952), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 2860), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 1888), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4564), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 4784), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2668), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 3892), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 3352), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4072), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 5096), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 2732), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 3448), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2260), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 2248), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2992), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2776), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 3272), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 3004), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4712), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 1316), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4636), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 3804), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 4504), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 1552), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4564), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 2936), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 1696), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4888), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 644), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 344), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4064), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 2628), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2224), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2248), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 940), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2292), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2776), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 3480), command line: svchost.exe
      - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 2112), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\InstallDir\tr3x.exe (PID 4036), command line: "C:\Program Files (x86)\InstallDir\tr3x.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - C:\Windows\SysWOW64\svchost.exe (PID 4928), command line: svchost.exe
    - C:\Windows\SysWOW64\svchost.exe (PID 1476), command line: svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 636KB
  MD5: 575be827aaf815b042eeb2f26256aa36
  SHA1: 0fbaac8c23c753087600ebb60d88156c0e879cf4
  SHA256: 7482550afd104fb717817aa4a366e6f5c91377b1add23dd3ee4986b6283589c7
  SHA512: 28a9767ee3ad3f260bafd4bd6cd30db3908fa63e6049df5b99e50f6cd5ec68d168a3cfa238fceba5e59626ea95b809cf0edebc5baa427ce1fcd989af8c958c52
- Filesize: 1KB
  MD5: 67b9ff6cf1683ec9b451c1d928b18f61
  SHA1: 2c54b6f9723228610e03ac1103d7f11294640e82
  SHA256: 2219b80ad57c2a072336f7d0ac0c06a30cbf2a35e953b277f53802ca31c80628
  SHA512: e75b7e0ce8b51c19cf035adb2a28a730d8c8d81994afcb27f4815a09e83c779da6a468bc412f700540df229b7fc64ddaf7ef27df1492c0f1038466095dbbe7ca