xtremerat | e74d8e70050e4b107cc18b363f9830c289fff64e60c6dd98e598c3096825645e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Size

4.3MB
MD5

82515a842317ff8ee1c35812b0433634
SHA1

3ea612a37abd791f616d5fd39f2e2acfef64e24f
SHA256

e74d8e70050e4b107cc18b363f9830c289fff64e60c6dd98e598c3096825645e
SHA512

d940e7c9a812e30d3854b5084469d28baa351b451fe7c5b77915383772333eacdfa774d3711075712c9ad152caf7f1e678a57bad86f983d489301ac5aec9d0c2
SSDEEP

98304:M++l/rWoxd5mBSqRxc60fhAMDubWhkYI+TOvQN:M3Soxd5wRxc6FAbqYI07N

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Extracted

Family

xtremerat

youssvf.no-ip.biz

Řyoussvf.no-ip.biz

Signatures

Detect XtremeRAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2608-20-0x0000000000C80000-0x0000000001063000-memory.dmp	family_xtremerat
behavioral2/memory/2608-21-0x0000000000C80000-0x0000000001063000-memory.dmp	family_xtremerat
behavioral2/memory/2608-18-0x0000000000C80000-0x0000000001063000-memory.dmp	family_xtremerat
behavioral2/memory/3912-51-0x0000000000C80000-0x0000000001063000-memory.dmp	family_xtremerat
behavioral2/memory/4888-53-0x0000000000C80000-0x0000000001063000-memory.dmp	family_xtremerat
behavioral2/memory/1516-55-0x0000000000C80000-0x0000000001063000-memory.dmp	family_xtremerat
behavioral2/memory/3428-57-0x0000000000C80000-0x0000000001063000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{340331OF-5454-GXI1-8LC0-RH8SGT247631}	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{340331OF-5454-GXI1-8LC0-RH8SGT247631}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

427Proxy Finder Enterprise.exe427Proxy Finder Enterprise.exee4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE

pid	Process
1920	427Proxy Finder Enterprise.exe
1624	427Proxy Finder Enterprise.exe
4308	e4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE

Loads dropped DLL 2 IoCs

Processes:

427Proxy Finder Enterprise.exe

pid	Process
1624	427Proxy Finder Enterprise.exe
1624	427Proxy Finder Enterprise.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe427Proxy Finder Enterprise.exe427Proxy Finder Enterprise.exe

description	pid	Process	procid_target
PID 1356 set thread context of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1920 set thread context of 1624	1920	427Proxy Finder Enterprise.exe	123
PID 1624 set thread context of 4308	1624	427Proxy Finder Enterprise.exe	124

Drops file in Windows directory 3 IoCs

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4776	4888	WerFault.exe	93
3812	4888	WerFault.exe	93
1848	1516	WerFault.exe	103
3384	1516	WerFault.exe	103
2796	3428	WerFault.exe	112
4208	3428	WerFault.exe	112
4140	1624	WerFault.exe	123
3692	4308	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe427Proxy Finder Enterprise.exe427Proxy Finder Enterprise.exee4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	427Proxy Finder Enterprise.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	427Proxy Finder Enterprise.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE

Modifies registry class 41 IoCs

Processes:

427Proxy Finder Enterprise.exe82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	427Proxy Finder Enterprise.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{454ACC53-A260-EDEC-22D9-FA0F22D9FA0F}\ = "UpdateDeployment"	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{454ACC53-A260-EDEC-22D9-FA0F22D9FA0F}\InprocServer32\ThreadingModel = "Both"	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{454ACC53-A260-EDEC-22D9-FA0F22D9FA0F}	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 74003100000000001e3d9186100050527e5633325a5300005c0009000400efbe1e3d91861e3d91862e00000000000000000000000000000000000000000000000000ccd19300500072006f0078007900460069006e0064006500720045006e0074006500720070007200690073006500000018000000	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	427Proxy Finder Enterprise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{454ACC53-A260-EDEC-22D9-FA0F22D9FA0F}\InprocServer32	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{454ACC53-A260-EDEC-22D9-FA0F22D9FA0F}\InprocServer32\ = "C:\\Windows\\SysWOW64\\UpdateDeploymentProvider.dll"	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 980031000000000047593b4b110050524f4752417e320000800009000400efbe874fdb495f593d3d2e000000c3040000000001000000000000000000560000000000cfd25e00500072006f006700720061006d002000460069006c0065007300200028007800380036002900000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003700000018000000	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	427Proxy Finder Enterprise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	427Proxy Finder Enterprise.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

427Proxy Finder Enterprise.exe

pid	Process
1624	427Proxy Finder Enterprise.exe
1624	427Proxy Finder Enterprise.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

427Proxy Finder Enterprise.exe

pid	Process
1624	427Proxy Finder Enterprise.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

427Proxy Finder Enterprise.exe427Proxy Finder Enterprise.exe

pid	Process
1920	427Proxy Finder Enterprise.exe
1624	427Proxy Finder Enterprise.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	pid	Process
Token: 33	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Token: 33	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe427Proxy Finder Enterprise.exe

pid	Process
1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
2608	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
1624	427Proxy Finder Enterprise.exe
1624	427Proxy Finder Enterprise.exe
1624	427Proxy Finder Enterprise.exe
1624	427Proxy Finder Enterprise.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	pid	Process	procid_target
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 1356 wrote to memory of 2608	1356	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	89
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 884 wrote to memory of 1356	884	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	84
PID 2608 wrote to memory of 3912	2608	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	90
PID 2608 wrote to memory of 3912	2608	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:884
- C:\Users\Admin\AppData\Local\Temp\82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3912
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4508
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4888
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 200
        5⤵
        Program crash
        
        PID:4776
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 208
        5⤵
        Program crash
        
        PID:3812
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:452
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 200
        5⤵
        Program crash
        
        PID:1848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 208
        5⤵
        Program crash
        
        PID:3384
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4272
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3456
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3428
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 200
        5⤵
        Program crash
        
        PID:2796
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 208
        5⤵
        Program crash
        
        PID:4208
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\427Proxy Finder Enterprise.exe
      "C:\Users\Admin\AppData\Local\Temp\427Proxy Finder Enterprise.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\427Proxy Finder Enterprise.exe
        
        "C:\Program Files (x86)\ProxyFinderEnterprise\ProxyFinder.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:1624
      - C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\SKEL\e4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE
        
        "C:\Program Files (x86)\ThinstallPlugins\QualityAgent.exe" -Report "Proxy Finder Enterprise Edition" "C:\Users\Admin\AppData\Local\Temp"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1532
        7⤵
        Program crash
        
        PID:3692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1632
        6⤵
        Program crash
        
        PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4888 -ip 4888
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4888 -ip 4888
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1516 -ip 1516
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1516 -ip 1516
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3428 -ip 3428
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3428 -ip 3428
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1624 -ip 1624
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4308 -ip 4308
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\427Proxy Finder Enterprise.exe

Filesize
3.8MB

MD5
9c8926f5976018c2f57b84930ac6bc68

SHA1
a04699c4305f35db7114dc1d71449000079a4b3c

SHA256
a00dae1931890c63824bfc89bd8ed94c0c45696ea5807b4020b40811e6814b4c

SHA512
e9a50d01a707a5cc287ef58e99506c657c822e1b8689f945c794a65f671da65bf04d32dc7260bed80667b6b3421900e9a6e8834572753f2ba866b242872d92d2

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\Registry.rw.tvr

Filesize
4KB

MD5
cca9ecd5e2612e2a8164dcef159a700b

SHA1
a3f824db1f59242e7308bdd46f5bfdeba2640915

SHA256
cf0f005037ed5628c131e0340af7f2d0617d4eca182e6fb842aa7994ec1080c0

SHA512
2f836fa951613a1a3ac16cfb807aa922c126db1ee6a723571d1f8f33cb63f8464e3947a4929672b8ba9b6f8d157be0944462bbd3402cb16a00be0d10c9329296

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\Registry.rw.tvr.lck

Filesize
60B

MD5
7663419c6f96030ca62349bef78c1c5f

SHA1
04534156253ac7b3a982bcf941381592769114c5

SHA256
fafda7868b8c1f0b8d685b620c4ddd49b3d674c6099b9500970c8ed07c098aa4

SHA512
284a933064b5980b730a4444fc30c154f96a5d227cb3723d52bb771a930e8c78fe4795484b70e452e1d4a9be31a7a2cceba380830950c31d6ef7a98b7e3a6de2

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\Registry.rw.tvr.transact

Filesize
4KB

MD5
303331b575ae3c571c97fa0812b75779

SHA1
353a6c96403b507d89d4ba96a7ec5738e6c05847

SHA256
380c3c539f1bb0e1349b990ea6f306c50037da9a00dabdb3c8aeb9e09446015e

SHA512
4198387b68084c04c3f45230a233e245fe2615b0c73110194c403b370d3b4174553cdcac950ce2bf994e28f209abeb449f6261094661801e6b94280f786fc245

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\SKEL\e4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE

Filesize
16KB

MD5
8c9dcac3b17dd5365b76942428219382

SHA1
0e04e308edfd6e5abbd18dc7e90a1e1879bb4e89

SHA256
4b77030d9baedccac0c9192cd52723d335e375f64035c360d5dce68f50d770e6

SHA512
e32592fcc4515747378cec846171afb7462222f0c198057c707d28d67b27e6b024a8706ade7fa293af6403dd1e5d69e2b84c6407079b538310e5c2711c7efe95

Download Submit
memory/884-0-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/884-43-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1356-16-0x0000000000980000-0x00000000009CB000-memory.dmp

Filesize
300KB

Download
memory/1356-11-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1356-13-0x0000000000980000-0x00000000009CB000-memory.dmp

Filesize
300KB

Download
memory/1356-12-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1356-26-0x0000000000980000-0x00000000009CB000-memory.dmp

Filesize
300KB

Download
memory/1356-10-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1356-9-0x0000000000980000-0x00000000009CB000-memory.dmp

Filesize
300KB

Download
memory/1356-4-0x0000000000980000-0x00000000009CB000-memory.dmp

Filesize
300KB

Download
memory/1356-3-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1516-55-0x0000000000C80000-0x0000000001063000-memory.dmp

Filesize
3.9MB

Download
memory/1624-146-0x00000000027C0000-0x00000000027C4000-memory.dmp

Filesize
16KB

Download
memory/1624-106-0x0000000079BF0000-0x0000000079BF5000-memory.dmp

Filesize
20KB

Download
memory/1920-91-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-84-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-78-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-77-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-76-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-75-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-74-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-73-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-79-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-80-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-83-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-82-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-81-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-72-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-71-0x0000000079BF0000-0x0000000079BF5000-memory.dmp

Filesize
20KB

Download
memory/1920-92-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-90-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-190-0x0000000079BF0000-0x0000000079BF5000-memory.dmp

Filesize
20KB

Download
memory/1920-88-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-89-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/1920-87-0x0000000001F00000-0x0000000002060000-memory.dmp

Filesize
1.4MB

Download
memory/2608-18-0x0000000000C80000-0x0000000001063000-memory.dmp

Filesize
3.9MB

Download
memory/2608-21-0x0000000000C80000-0x0000000001063000-memory.dmp

Filesize
3.9MB

Download
memory/2608-20-0x0000000000C80000-0x0000000001063000-memory.dmp

Filesize
3.9MB

Download
memory/3428-57-0x0000000000C80000-0x0000000001063000-memory.dmp

Filesize
3.9MB

Download
memory/3912-51-0x0000000000C80000-0x0000000001063000-memory.dmp

Filesize
3.9MB

Download
memory/4308-150-0x0000000079BF0000-0x0000000079BF4000-memory.dmp

Filesize
16KB

Download
memory/4888-53-0x0000000000C80000-0x0000000001063000-memory.dmp

Filesize
3.9MB

Download