latentbot | 516a16adb1641127e455c30ddb243c853057e5d0f5a2d7918a52e0e0ca570d33

Analysis

max time kernel
148s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Size

712KB
MD5

65c7200faac8b0de62432214cc3a0629
SHA1

0ad44042ddcf2b9ad73a99fe6fecc3fdb7bc6362
SHA256

516a16adb1641127e455c30ddb243c853057e5d0f5a2d7918a52e0e0ca570d33
SHA512

2b52aae864b764d4142f0a7ba5a944167568ad128445742e8ac92db45b0819246a8f51a93efba1741709e60f5a37f59d11489e0107dd2f2314b4b1c1204f5ae2
SSDEEP

12288:fOqBStmJ7uD4vqQOqCg/0+cdEuH8uitp4xieV31K93+:GCS8OTRdEuUpJGln

Score

10^/10

latentbot xtremerat discovery persistence rat spyware trojan upx

Malware Config

Extracted

Family

xtremerat

imaistroextr.zapto.org

Extracted

Family

latentbot

imaistroextr.zapto.org

Signatures

Detect XtremeRAT payload 14 IoCs

resource	yara_rule
behavioral2/memory/3032-3-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/3032-7-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/3032-9-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/3032-6-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/3032-5-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/3032-10-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/3032-0-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/3032-11-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/3032-1-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/412-18-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/3032-23-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/3032-29-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/3032-33-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral2/memory/4820-47-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3084	Server.exe
1660	Server.exe
4428	Server.exe
4820	Server.exe
4376	Server.exe
5032	Server.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 3084 set thread context of 4820	3084	Server.exe	133
PID 4820 set thread context of 4900	4820	Server.exe	135
PID 1660 set thread context of 4376	1660	Server.exe	139
PID 4428 set thread context of 5032	4428	Server.exe	142

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4900-53-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral2/memory/4900-54-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral2/memory/4900-52-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral2/memory/4900-56-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral2/memory/4900-58-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral2/memory/4900-57-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral2/memory/4900-59-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral2/memory/4900-61-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral2/memory/4900-63-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral2/memory/4900-62-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral2/memory/4900-65-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral2/memory/4900-81-0x0000000001610000-0x0000000001712000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\InstallDir\Server.exe	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	explorer.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4900	explorer.exe
4900	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
4900	explorer.exe
4900	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 2524 wrote to memory of 3032	2524	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	96
PID 3032 wrote to memory of 412	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	97
PID 3032 wrote to memory of 412	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	97
PID 3032 wrote to memory of 412	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	97
PID 3032 wrote to memory of 412	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	97
PID 3032 wrote to memory of 5024	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	98
PID 3032 wrote to memory of 5024	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	98
PID 3032 wrote to memory of 3184	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	99
PID 3032 wrote to memory of 3184	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	99
PID 3032 wrote to memory of 3184	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	99
PID 3032 wrote to memory of 960	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	100
PID 3032 wrote to memory of 960	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	100
PID 3032 wrote to memory of 4972	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	101
PID 3032 wrote to memory of 4972	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	101
PID 3032 wrote to memory of 4972	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	101
PID 3032 wrote to memory of 1640	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	102
PID 3032 wrote to memory of 1640	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	102
PID 3032 wrote to memory of 1536	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	103
PID 3032 wrote to memory of 1536	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	103
PID 3032 wrote to memory of 1536	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	103
PID 3032 wrote to memory of 2340	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	104
PID 3032 wrote to memory of 2340	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	104
PID 3032 wrote to memory of 2324	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	105
PID 3032 wrote to memory of 2324	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	105
PID 3032 wrote to memory of 2324	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	105
PID 3032 wrote to memory of 5000	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	106
PID 3032 wrote to memory of 5000	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	106
PID 3032 wrote to memory of 2380	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	107
PID 3032 wrote to memory of 2380	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	107
PID 3032 wrote to memory of 2380	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	107
PID 3032 wrote to memory of 4400	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	108
PID 3032 wrote to memory of 4400	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	108
PID 3032 wrote to memory of 3968	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	109
PID 3032 wrote to memory of 3968	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	109
PID 3032 wrote to memory of 3968	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	109
PID 3032 wrote to memory of 2452	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	110
PID 3032 wrote to memory of 2452	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	110
PID 3032 wrote to memory of 4952	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	111
PID 3032 wrote to memory of 4952	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	111
PID 3032 wrote to memory of 4952	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	111
PID 3032 wrote to memory of 3604	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	114
PID 3032 wrote to memory of 3604	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	114
PID 3032 wrote to memory of 1688	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	115
PID 3032 wrote to memory of 1688	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	115
PID 3032 wrote to memory of 1688	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	115
PID 3032 wrote to memory of 2760	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	116
PID 3032 wrote to memory of 2760	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	116
PID 3032 wrote to memory of 1464	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	117
PID 3032 wrote to memory of 1464	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	117
PID 3032 wrote to memory of 1464	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	117
PID 3032 wrote to memory of 4872	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	118
PID 3032 wrote to memory of 4872	3032	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	118

C:\Users\Admin\AppData\Local\Temp\65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:412
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1660
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        
        PID:4376
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4428
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        
        PID:5032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:960
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:8
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:216
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3084
  - - C:\Windows\InstallDir\Server.exe
      C:\Windows\InstallDir\Server.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\jzyGf9e.cfg

Filesize
1KB

MD5
1f6e7e4cd377b79455e89ab9a7b7bac9

SHA1
aa88d75bd20f5a1ea37ee23c3f4bcb9e2ed8f111

SHA256
e26885e1b0a063bcb9d3cd88dab6e7e8298d00df6ff9417f17483eb41ab87897

SHA512
6847159db97675ba766ba5c63ef956a7672537f972d3feba2782144ec32ab707aec95bf42f1ddb161b20321b463096cd275ef54da3986c31206ffc4f20911980

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\jzyGf9e.dat

Filesize
2B

MD5
84cad01fdb44ae58dbe6c3973dcd87f5

SHA1
4700b42849fb35be323774820bf1bc8019d26c80

SHA256
8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6

SHA512
6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\jzyGf9e.xtr

Filesize
343KB

MD5
6426d400c96fb9ffef4eaa54f6647f4c

SHA1
70a37871aff432790b6adf7d3fc4eb929476e082

SHA256
98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c

SHA512
2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
712KB

MD5
65c7200faac8b0de62432214cc3a0629

SHA1
0ad44042ddcf2b9ad73a99fe6fecc3fdb7bc6362

SHA256
516a16adb1641127e455c30ddb243c853057e5d0f5a2d7918a52e0e0ca570d33

SHA512
2b52aae864b764d4142f0a7ba5a944167568ad128445742e8ac92db45b0819246a8f51a93efba1741709e60f5a37f59d11489e0107dd2f2314b4b1c1204f5ae2

Download Submit
memory/412-18-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/1660-79-0x0000000023240000-0x000000002326F000-memory.dmp

Filesize
188KB

Download
memory/2524-20-0x0000000023240000-0x000000002326F000-memory.dmp

Filesize
188KB

Download
memory/3032-1-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/3032-11-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/3032-0-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/3032-10-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/3032-5-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/3032-23-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/3032-6-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/3032-29-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/3032-33-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/3032-3-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/3032-9-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/3032-7-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/3084-36-0x0000000023240000-0x000000002326F000-memory.dmp

Filesize
188KB

Download
memory/3084-80-0x0000000023240000-0x000000002326F000-memory.dmp

Filesize
188KB

Download
memory/4428-83-0x0000000023240000-0x000000002326F000-memory.dmp

Filesize
188KB

Download
memory/4820-47-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/4900-61-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/4900-57-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/4900-59-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/4900-54-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/4900-63-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/4900-53-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/4900-62-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/4900-65-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/4900-58-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/4900-56-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/4900-81-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/4900-52-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download