Malware Analysis Report

2024-12-07 21:57

Sample ID 240718-pqrlts1hqb
Target 576451579cdafea43c2061ab41728187_JaffaCakes118
SHA256 602ae1b840761cda082940ead7a025aa9e2d28d570d86d9cdfaf79e5ea466544
Tags: xtremerat persistence rat spyware
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

602ae1b840761cda082940ead7a025aa9e2d28d570d86d9cdfaf79e5ea466544

Threat Level: Known bad

The file 576451579cdafea43c2061ab41728187_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware

XtremeRAT

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-07-18 12:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-18 12:32

Reported

2024-07-18 12:34

Platform

win7-20240708-en

Max time kernel

147s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe"

Signatures

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\seri7.exe restart" C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\seri7.exe" C:\Windows\SysWOW64\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\seri7.exe" C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\seri7.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\seri7.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\seri7.exe" C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2072 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2072 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2072 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2628 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2628 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2628 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2628 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2628 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2628 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2628 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2628 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2628 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
PID 2628 wrote to memory of 0 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A
PID 2628 wrote to memory of 0 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A
PID 2628 wrote to memory of 0 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A
PID 2628 wrote to memory of 0 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A
PID 2628 wrote to memory of 0 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe N/A
PID 3068 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Windows\SysWOW64\svchost.exe
PID 3068 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Windows\SysWOW64\svchost.exe
PID 3068 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Windows\SysWOW64\svchost.exe
PID 3068 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Windows\SysWOW64\svchost.exe
PID 3068 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Windows\SysWOW64\svchost.exe
PID 3068 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe

"C:\Users\Admin\AppData\Local\Temp\seri7.exe"

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe

"C:\Users\Admin\AppData\Local\Temp\seri7.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe

MD5 91b04c9117ab49ef8f8cf4150bec9f1d
SHA1 c919eed86b9c692441c516cf130d2fd97bde505b
SHA256 dc7eef8ef6640cfcafdc3aa0b7a2b3b86b6952b018e405f0efe89aea400af446
SHA512 db11be15ac6662cf89c1f0aed7ddee2f2c2ad2f261d2bb57dc7fe21fba5746158215a8d42e4b03b43e0c8d6fb7fd59568a8ff48a63c064a7bcbc433aa3540373


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-18 12:32

Reported

2024-07-18 12:34

Platform

win10v2004-20240709-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3844 -ip 3844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 272

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files
