Analysis Overview
SHA256
776627766f395ed035b1bbbf1f502fe70b35d2bd36769e067bb8699ddd1a063c
Threat Level: Known bad
The file 578a78ff215af0588458ddb15ac3428b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
XtremeRAT
Detect XtremeRAT payload
Boot or Logon Autostart Execution: Active Setup
Deletes itself
UPX packed file
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-18 13:16
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-18 13:16
Reported
2024-07-18 13:26
Platform
win7-20240705-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XtremeRAT
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{H10YKD0R-08D6-7DCE-5O73-34AUE2W1CP46} | C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H10YKD0R-08D6-7DCE-5O73-34AUE2W1CP46}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\MediaVisio\\adobe.exe restart" | C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{H10YKD0R-08D6-7DCE-5O73-34AUE2W1CP46} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H10YKD0R-08D6-7DCE-5O73-34AUE2W1CP46}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\MediaVisio\\adobe.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\MediaVisio\\adobe.exe" | C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\MediaVisio\\adobe.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\MediaVisio\\adobe.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\MediaVisio\\adobe.exe" | C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cliupdate.sytes.net | udp |
| ES | 94.73.32.191:3321 | cliupdate.sytes.net | tcp |
| ES | 94.73.32.191:3321 | cliupdate.sytes.net | tcp |
| ES | 94.73.32.191:3321 | cliupdate.sytes.net | tcp |
| ES | 94.73.32.191:3321 | cliupdate.sytes.net | tcp |
| ES | 94.73.32.191:3321 | cliupdate.sytes.net | tcp |
| ES | 94.73.32.191:3321 | cliupdate.sytes.net | tcp |
Files
memory/1620-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1620-1-0x0000000000220000-0x0000000000226000-memory.dmp
memory/1620-2-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2448-8-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2448-10-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Roaming\MediaVisio\adobe.exe
| MD5 | 578a78ff215af0588458ddb15ac3428b |
| SHA1 | c460b5360f23e51d0aac0abea752fa0549bd43d1 |
| SHA256 | 776627766f395ed035b1bbbf1f502fe70b35d2bd36769e067bb8699ddd1a063c |
| SHA512 | aa16fefe2926fbf84748287b35b614fa0aa278f248220975b221607e072dddb36c39d69a84afd3a2ec10e4df38fdeb10eb0faf61a3192529d50760731be92fe9 |
memory/1704-14-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3056-17-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1620-18-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3056-21-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3056-22-0x0000000000400000-0x0000000000412000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-18 13:16
Reported
2024-07-18 13:26
Platform
win10v2004-20240709-en
Max time kernel
143s
Max time network
127s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/3864-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3864-1-0x0000000000400000-0x0000000000424000-memory.dmp