xtremerat | 555ef2d263e0a0b6455d2aa88892fb24248dcd3b04db1de2f0a2fa3d616f2e07

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe
Size

348KB
MD5

2a630875dba12649bba9c75b14b22ec8
SHA1

d021ef443bee4a7c84baf123692f820fa8f4f7e1
SHA256

555ef2d263e0a0b6455d2aa88892fb24248dcd3b04db1de2f0a2fa3d616f2e07
SHA512

9d67e9032b494b9587cd8211dbd058729abb05017e52dfd1117f4a4d027890a2108b56e31928ee8372c45a079b120b1e4d8fc4d8c5bcda4be1577ac333a284f5
SSDEEP

6144:WLPXVSPapJNHJrmoq7tPW7spHWtksBTgtQEgO2qNEKwSd+3/twI8s6r:kXVSjPW7C2aATg9gUNlF+31j8Hr

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

xtrema.no-ip.org

Signatures

Detect XtremeRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2360-17-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2360-18-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/772-21-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2360-22-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/772-156-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 5 IoCs

pid	Process
300	fgbC330.tmp
3056	fghC340.tmp
2088	fghC340.tmp
2464	6r4C5AF.tmp
2360	explorer.exe

Loads dropped DLL 5 IoCs

pid	Process
2348	2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe
2348	2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe
3056	fghC340.tmp
3056	fghC340.tmp
3056	fghC340.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe\""	6r4C5AF.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "\"C"	6r4C5AF.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 2360	3056	fghC340.tmp	34

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-17-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2360-18-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2360-16-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2360-12-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/772-21-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2360-22-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/772-156-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fghC340.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fgbC330.tmp

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	fgbC330.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	fgbC330.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	fgbC330.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	fgbC330.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	fgbC330.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	fgbC330.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	fgbC330.tmp

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 300	2348	2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe	30
PID 2348 wrote to memory of 300	2348	2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe	30
PID 2348 wrote to memory of 300	2348	2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe	30
PID 2348 wrote to memory of 300	2348	2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe	30
PID 2348 wrote to memory of 3056	2348	2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe	31
PID 2348 wrote to memory of 3056	2348	2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe	31
PID 2348 wrote to memory of 3056	2348	2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe	31
PID 2348 wrote to memory of 3056	2348	2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe	31
PID 3056 wrote to memory of 2088	3056	fghC340.tmp	32
PID 3056 wrote to memory of 2088	3056	fghC340.tmp	32
PID 3056 wrote to memory of 2088	3056	fghC340.tmp	32
PID 3056 wrote to memory of 2088	3056	fghC340.tmp	32
PID 3056 wrote to memory of 2464	3056	fghC340.tmp	33
PID 3056 wrote to memory of 2464	3056	fghC340.tmp	33
PID 3056 wrote to memory of 2464	3056	fghC340.tmp	33
PID 3056 wrote to memory of 2464	3056	fghC340.tmp	33
PID 3056 wrote to memory of 2360	3056	fghC340.tmp	34
PID 3056 wrote to memory of 2360	3056	fghC340.tmp	34
PID 3056 wrote to memory of 2360	3056	fghC340.tmp	34
PID 3056 wrote to memory of 2360	3056	fghC340.tmp	34
PID 3056 wrote to memory of 2360	3056	fghC340.tmp	34
PID 3056 wrote to memory of 2360	3056	fghC340.tmp	34
PID 2360 wrote to memory of 772	2360	explorer.exe	35
PID 2360 wrote to memory of 772	2360	explorer.exe	35
PID 2360 wrote to memory of 772	2360	explorer.exe	35
PID 2360 wrote to memory of 772	2360	explorer.exe	35
PID 2360 wrote to memory of 772	2360	explorer.exe	35
PID 2360 wrote to memory of 2240	2360	explorer.exe	36
PID 2360 wrote to memory of 2240	2360	explorer.exe	36
PID 2360 wrote to memory of 2240	2360	explorer.exe	36
PID 2360 wrote to memory of 2240	2360	explorer.exe	36
PID 2360 wrote to memory of 2240	2360	explorer.exe	36

C:\Users\Admin\AppData\Local\Temp\2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\fgbC330.tmp
  C:\Users\Admin\AppData\Local\Temp\fgbC330.tmp Q7nfG4I99a3L63fuFjl24pXqLfJANM2s
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:300
- C:\Users\Admin\AppData\Local\Temp\fghC340.tmp
  C:\Users\Admin\AppData\Local\Temp\fghC340.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\fghC340.tmp
    C:\Users\Admin\AppData\Local\Temp\fghC340.tmp
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Users\Admin\AppData\Local\Temp\6r4C5AF.tmp
    C:\Users\Admin\AppData\Local\Temp\6r4C5AF.tmp C:\Users\Admin\AppData\Local\Temp\2a630875dba12649bba9c75b14b22ec8_JaffaCakes118.exe 3 update update
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2464
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:772
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eba0e43675988515434c2e6dc44ee67

SHA1
89c33b23c1054e8191ca160a70462f22b8500ebb

SHA256
656723eb5de5f6254703e94feea8bd7d1164d4aa879eedc5b9318ab15ec3a954

SHA512
5ce724852fddc789cc8ebaeed68b5e0ea1e614b3d59b5aa12a117a9114dbd7358205991cb0abe371cafac333181dd3a2f91ea0e53a2f2d2965856441821a52ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD0C9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD0EB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\6r4C5AF.tmp

Filesize
34KB

MD5
6952846751ca9499279a23ffc0d025c8

SHA1
f74d6439e256f893619bc5fb5a2302ce14a98da2

SHA256
c9f3e01ef2e6c1890ed8fef335342bad3c3e22dbc3e50a9f3e50837fec7ccee0

SHA512
e098c0f5e409f7d1f0643b18de198626638d8685ee81823c0cf91cd6d705fdd10be252e296df694cd14ef35690ee501bfda1c3a1aecc0b83b5d0e861addd34f3

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
40KB

MD5
3ede86e285c7ace4723a1bfe1c9517f0

SHA1
bf690ffc66dc6f225475608883a2991295d271b4

SHA256
24357e47f97dafe2df9e0870cbe9061f167450fdac239ffa0f3f0d2539050ff1

SHA512
34507944688b2f8f0ea74933cb0c70f97940aa609a8d0e359c54a6dc9097d9bf607b9aad5d3c6c115e0576ee8dea8e12baf3a98630666f66dae5a3a2b1e92319

Download Submit
\Users\Admin\AppData\Local\Temp\fgbC330.tmp

Filesize
75KB

MD5
f2539500eef046fe8f32f0906b815dc1

SHA1
3648bce5225d500af4505b96c200ce10bd9dfc51

SHA256
f7944d7f0f2907122106fab673265807e152ef8637c1b45a56c9f4502274be1d

SHA512
fed5d399a9355a1750d9df45105c4f6eba3e09be6a1bc59445889e1aa4860e86091d0fe96fcc2acd9733fd30ba6200b3cd48824db38398768394a23b4d1044ec

Download Submit
\Users\Admin\AppData\Local\Temp\fghC340.tmp

Filesize
75KB

MD5
69b9f529fd1350680788725dd2215f74

SHA1
14eff38ddc0aed2022efda9916943ac2794aa191

SHA256
58ad5caa642a0cb2933e00e8bd589b327a623d1459389568ce9897f3b681395f

SHA512
e8cea4eebc9e83e23945fa5a2e2e9cbcb5f203992868829245fae3effcb4cc0642c081f16e3e41d62a74cf93877c2b9d8b37ac6164b5acf0146f6d8d85a6302a

Download Submit
memory/772-21-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/772-156-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2360-18-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2360-12-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2360-16-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2360-22-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2360-17-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2360-11-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2360-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3056-14-0x0000000001200000-0x0000000001211000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads