xtremerat | a58eb70c9e826fad3872d70134cb945ef72d0865407b066090408cce53a38b23

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe
Size

3.9MB
MD5

a91a9b39b94464b44184730ddf5c9ea2
SHA1

0a07247bf87258f8205f6380819086f0c22d081d
SHA256

a58eb70c9e826fad3872d70134cb945ef72d0865407b066090408cce53a38b23
SHA512

3d4bdf2a1745f19d350f0b83d2491d155b3256ca5fe2e74a02bfcc099e906d90f6e1fdcecf13bdeb9689518ddde31584fa85b68c1bfb1b0f40e637440d698e26
SSDEEP

98304:eBXC0RWM6bbpdl6Jz1leThe1hJKS3cTcKlEJZL9TAgAI:elCHM6bbLl6JZlKheJKSMcDZL9TAA

Score

10^/10

xtremerat aspackv2 discovery evasion persistence phishing rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
asd3q2da211a

Extracted

Family

xtremerat

412341.sytes.net

Signatures

Detect XtremeRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023c86-29.dat	family_xtremerat
behavioral2/memory/2112-50-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1612-60-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exeUpdate.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe"	Update.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

Update.exesvchost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2}	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Shell.exe restart"	Update.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Shell.exe restart"	svchost.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023cae-220.dat	aspack_v212_v242
behavioral2/files/0x0007000000023cb1-231.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exeGLB99A0.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	GLB99A0.tmp

Executes dropped EXE 6 IoCs

Processes:

Audio.exesetup.exeUpdate.exeGLB99A0.tmpEnt.exesrv64.exe

pid	Process
3700	Audio.exe
960	setup.exe
1612	Update.exe
1488	GLB99A0.tmp
748	Ent.exe
4740	srv64.exe

Loads dropped DLL 34 IoCs

Processes:

GLB99A0.tmpEnt.exe

pid	Process
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
1488	GLB99A0.tmp
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeUpdate.exeAudio.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Shell.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Shell.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Shell.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysAudio.exe"	Audio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Shell.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Ent.exe

description	ioc	Process
File opened (read-only)	\??\G:	Ent.exe
File opened (read-only)	\??\L:	Ent.exe
File opened (read-only)	\??\O:	Ent.exe
File opened (read-only)	\??\Q:	Ent.exe
File opened (read-only)	\??\W:	Ent.exe
File opened (read-only)	\??\X:	Ent.exe
File opened (read-only)	\??\Y:	Ent.exe
File opened (read-only)	\??\E:	Ent.exe
File opened (read-only)	\??\J:	Ent.exe
File opened (read-only)	\??\N:	Ent.exe
File opened (read-only)	\??\P:	Ent.exe
File opened (read-only)	\??\S:	Ent.exe
File opened (read-only)	\??\V:	Ent.exe
File opened (read-only)	\??\Z:	Ent.exe
File opened (read-only)	\??\B:	Ent.exe
File opened (read-only)	\??\H:	Ent.exe
File opened (read-only)	\??\I:	Ent.exe
File opened (read-only)	\??\K:	Ent.exe
File opened (read-only)	\??\M:	Ent.exe
File opened (read-only)	\??\R:	Ent.exe
File opened (read-only)	\??\A:	Ent.exe
File opened (read-only)	\??\T:	Ent.exe
File opened (read-only)	\??\U:	Ent.exe

Drops file in System32 directory 1 IoCs

Processes:

GLB99A0.tmp

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLB99A0.tmp

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Ent.exe

pid	Process
748	Ent.exe

Drops file in Program Files directory 61 IoCs

Processes:

GLB99A0.tmp

description	ioc	Process
File created	C:\Program Files (x86)\EssNetTools\~GLH000f.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\1049.tlf	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH001d.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0002.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0003.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\MSFT.MIB	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0011.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\client32.dll	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH001c.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH000c.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0013.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0015.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\enterprise-numbers.txt	GLB99A0.tmp
File created	C:\PROGRA~2\ESSNET~1\INSTALL.LOG	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0014.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\RFC1514-HOSTS.MIB	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH001e.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\prop.exe	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\Ent.chm	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH000d.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\RFC1213-MIB.MIB	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\RFC1155-SMI.MIB	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH000e.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0005.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\readme.txt	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0010.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\~GLH0017.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\UNWISE.EXE	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\entutil.dll	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\1034.tlf	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\LMALRT2.MIB	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\ntools.dll	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\swlaunch.dll	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\LMMIB2.MIB	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0006.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0008.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH0018.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\prop64.exe	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\INETSRV.MIB	GLB99A0.tmp
File opened for modification	C:\PROGRA~2\ESSNET~1\INSTALL.LOG	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\Ent.exe	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\userlist.txt	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\~GLH0016.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH001a.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH001b.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH000a.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\license.txt	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0012.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\1031.tlf	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\ss.dll	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\s1.wav	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\s2.wav	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\srv64.exe	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH0019.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0004.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0007.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0009.TMP	GLB99A0.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH000b.TMP	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\passlist.txt	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\system-oids.txt	GLB99A0.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\LANG.INI	GLB99A0.tmp

Drops file in Windows directory 3 IoCs

Processes:

Update.exe

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Shell.exe	Update.exe
File created	C:\Windows\InstallDir\Shell.exe	Update.exe
File opened for modification	C:\Windows\InstallDir\	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

setup.exeUpdate.exesvchost.exeEnt.exereg.exea91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exeAudio.exeGLB99A0.tmpcmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLB99A0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 11 IoCs

Processes:

Ent.exeGLB99A0.tmp

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Ent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Ent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Ent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.E4L\ = "EssNetTools.License"	GLB99A0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EssNetTools.License\ = "Essential NetTools License"	GLB99A0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EssNetTools.License\shell	GLB99A0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EssNetTools.License\shell\open	GLB99A0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EssNetTools.License\shell\open\command\ = "C:\\PROGRA~2\\ESSNET~1\\Ent.exe \"%1\""	GLB99A0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.E4L	GLB99A0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EssNetTools.License	GLB99A0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EssNetTools.License\shell\open\command	GLB99A0.tmp

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2408	reg.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

Ent.exe

pid	Process
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Audio.exeEnt.exe

description	pid	Process
Token: SeDebugPrivilege	3700	Audio.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe
Token: SeDebugPrivilege	748	Ent.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Ent.exe

pid	Process
748	Ent.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Ent.exe

pid	Process
748	Ent.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Audio.exeUpdate.exeEnt.exe

pid	Process
3700	Audio.exe
1612	Update.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe
748	Ent.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exesetup.exeUpdate.exeAudio.execmd.exe

description	pid	Process	procid_target
PID 3184 wrote to memory of 3700	3184	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	85
PID 3184 wrote to memory of 3700	3184	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	85
PID 3184 wrote to memory of 3700	3184	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	85
PID 3184 wrote to memory of 960	3184	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	86
PID 3184 wrote to memory of 960	3184	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	86
PID 3184 wrote to memory of 960	3184	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	86
PID 3184 wrote to memory of 1612	3184	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	87
PID 3184 wrote to memory of 1612	3184	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	87
PID 3184 wrote to memory of 1612	3184	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	87
PID 960 wrote to memory of 1488	960	setup.exe	88
PID 960 wrote to memory of 1488	960	setup.exe	88
PID 960 wrote to memory of 1488	960	setup.exe	88
PID 1612 wrote to memory of 2112	1612	Update.exe	89
PID 1612 wrote to memory of 2112	1612	Update.exe	89
PID 1612 wrote to memory of 2112	1612	Update.exe	89
PID 1612 wrote to memory of 2112	1612	Update.exe	89
PID 1612 wrote to memory of 1976	1612	Update.exe	90
PID 1612 wrote to memory of 1976	1612	Update.exe	90
PID 1612 wrote to memory of 1976	1612	Update.exe	90
PID 1612 wrote to memory of 3156	1612	Update.exe	91
PID 1612 wrote to memory of 3156	1612	Update.exe	91
PID 1612 wrote to memory of 3156	1612	Update.exe	91
PID 1612 wrote to memory of 2252	1612	Update.exe	92
PID 1612 wrote to memory of 2252	1612	Update.exe	92
PID 1612 wrote to memory of 2252	1612	Update.exe	92
PID 1612 wrote to memory of 3652	1612	Update.exe	93
PID 1612 wrote to memory of 3652	1612	Update.exe	93
PID 1612 wrote to memory of 3652	1612	Update.exe	93
PID 1612 wrote to memory of 4328	1612	Update.exe	94
PID 1612 wrote to memory of 4328	1612	Update.exe	94
PID 1612 wrote to memory of 4328	1612	Update.exe	94
PID 1612 wrote to memory of 4960	1612	Update.exe	95
PID 1612 wrote to memory of 4960	1612	Update.exe	95
PID 1612 wrote to memory of 4960	1612	Update.exe	95
PID 1612 wrote to memory of 4576	1612	Update.exe	96
PID 1612 wrote to memory of 4576	1612	Update.exe	96
PID 1612 wrote to memory of 4576	1612	Update.exe	96
PID 3700 wrote to memory of 1464	3700	Audio.exe	97
PID 3700 wrote to memory of 1464	3700	Audio.exe	97
PID 3700 wrote to memory of 1464	3700	Audio.exe	97
PID 1464 wrote to memory of 2408	1464	cmd.exe	99
PID 1464 wrote to memory of 2408	1464	cmd.exe	99
PID 1464 wrote to memory of 2408	1464	cmd.exe	99
PID 1612 wrote to memory of 2932	1612	Update.exe	101
PID 1612 wrote to memory of 2932	1612	Update.exe	101
PID 1612 wrote to memory of 2932	1612	Update.exe	101
PID 1612 wrote to memory of 3936	1612	Update.exe	104
PID 1612 wrote to memory of 3936	1612	Update.exe	104
PID 1612 wrote to memory of 3936	1612	Update.exe	104
PID 1612 wrote to memory of 1356	1612	Update.exe	105
PID 1612 wrote to memory of 1356	1612	Update.exe	105
PID 1612 wrote to memory of 1356	1612	Update.exe	105
PID 1612 wrote to memory of 3656	1612	Update.exe	106
PID 1612 wrote to memory of 3656	1612	Update.exe	106
PID 1612 wrote to memory of 3656	1612	Update.exe	106
PID 1612 wrote to memory of 412	1612	Update.exe	110
PID 1612 wrote to memory of 412	1612	Update.exe	110
PID 1612 wrote to memory of 412	1612	Update.exe	110
PID 1612 wrote to memory of 3272	1612	Update.exe	111
PID 1612 wrote to memory of 3272	1612	Update.exe	111
PID 1612 wrote to memory of 3272	1612	Update.exe	111
PID 1612 wrote to memory of 4152	1612	Update.exe	112
PID 1612 wrote to memory of 4152	1612	Update.exe	112
PID 1612 wrote to memory of 4152	1612	Update.exe	112

C:\Users\Admin\AppData\Local\Temp\a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\Audio.exe
  "C:\Users\Admin\AppData\Local\Temp\Audio.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2408
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\GLB99A0.tmp
    C:\Users\Admin\AppData\Local\Temp\GLB99A0.tmp 4736 C:\Users\Admin\AppData\Local\Temp\setup.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1488
  - - C:\PROGRA~2\ESSNET~1\Ent.exe
      "C:\PROGRA~2\ESSNET~1\Ent.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:748
    - - C:\PROGRA~2\ESSNET~1\srv64.exe
        
        "C:\PROGRA~2\ESSNET~1\srv64.exe"
        5⤵
        Executes dropped EXE
        
        PID:4740
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Update.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies WinLogon for persistence
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:412
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\ESSNET~1\Ent.exe

Filesize
1.2MB

MD5
ce259027520abb925afd1452f60e1a54

SHA1
13b3008bc72f4999353c2d46a5de9ae502ce2df6

SHA256
61128469387bee5b868c52e6227936aaf5917eb4182fabc48068d68fac0518ab

SHA512
bce48fc0784f12dc180a2b3fe2543a0a0644dbbb925166b5d4f7578a1e4947cc09cf6e007dbae7a3ccd9a5f4caaf5b96dbbe11b811a0f33c4b2365029429a1ef

Download Submit
C:\PROGRA~2\ESSNET~1\srv64.exe

Filesize
83KB

MD5
e029d26a0cc2ca3a527742cccdd1aa79

SHA1
2809c750725bc254750af847cf91e7eae7157f9b

SHA256
dadf2b2d00e26635ae9b58235fd4ce9849d543a9e1bfd57a2b156241d8290625

SHA512
0aafc95cfe3a1e1ecafb43a380efcccc13eee0d5c2200254708b5d2fceb0144e0a8ed1cf4dfb78ab78efba4c3480ce89732040e80ab9051119f1526b1d9473be

Download Submit
C:\Program Files (x86)\EssNetTools\LANG.INI

Filesize
23B

MD5
1ffa7c3866e90bd9bdae07241ac73afd

SHA1
8a5219053a0fec8ed1cc625b51c5367671720d6f

SHA256
945cb27070511c81b25394ba66b336ed01ff6f7545bd41d6bffbfb761c33bbd5

SHA512
91e4dd9039b9de7ec9d69dcb6d510e1239b27cba14c07fa2c6abc3f5a0ed48993a35421f61aca8f336a8d68a23becb3f2bd9a8155df4f3f4a9c8a743efa04b24

Download Submit
C:\Program Files (x86)\EssNetTools\client32.dll

Filesize
44KB

MD5
d56b88426dfcf5b7f7dcb91f2c815d26

SHA1
33584bc890ea1210c632e433d0996984ac83a27e

SHA256
659204ea1640fb2241cae1cca227788c600780627b949bd70798af5e83bf1ff3

SHA512
fa45db376f29e4d3460b5cc7fc7c66ad10154709f675dc5f2cb16bdc968dceffa0bec277495aa9842f462dce4d53d9657833afe7c7d8a018ba15ea50cd53675d

Download Submit
C:\Program Files (x86)\EssNetTools\entutil.dll

Filesize
26KB

MD5
99c62c1b2288747369121598667698ca

SHA1
b79c6f40c4994c0f0417f66282d9c1777785228c

SHA256
31728d3bb4cb38d91815bed65bc20f7362e28a1cb5f6667af20777bd69f8ca4b

SHA512
5968c1e2dcd05079c3d3c6e54ae0af05368ec8c7974752b99aa546519fda253ec761ee6a040cc7a297f408a6981eb557756a4820602c163f5890c041960e91a7

Download Submit
C:\Program Files (x86)\EssNetTools\license.txt

Filesize
2KB

MD5
e497a7368b157f0a67979be2b2a4237d

SHA1
574e3e9b26a1c3f7b995ab7b5adfd9d1e0277573

SHA256
ad57c29b63626dcdedf9f26735f402cb0e310013684910ce1d5bc11cf89dc89f

SHA512
d5de4033c6ed4aa27a2689e69347ba0fb603761ce3a785af13ab8053a3d1037be034d55aacd86f797e9bc54347876fb9425910088773e0f00cf19cf690504a33

Download Submit
C:\Program Files (x86)\EssNetTools\ntools.dll

Filesize
11KB

MD5
bda8787a4a296f5178c4e2fbe4c09770

SHA1
3873c48d6c9360cfe46645685949139a68011348

SHA256
37433da15a318cb8d6e46f6f14c013a7ff4b90a41eca9ea1d5c950501631c506

SHA512
4f7813de55289ce57b242bc27943ad4a29fa20495eccc7090aa197ba15be16e2fd34bb6ff1d3c1bf5fc53e8f81304adc25f6da43bc2b9d3a44b3c4290c5717fe

Download Submit
C:\Program Files (x86)\EssNetTools\ss.dll

Filesize
466KB

MD5
1a1078ff177fc65fe8ff8dde49ffb697

SHA1
eef25860a9376f6b45c80c50e8906600a901c1ec

SHA256
8b070dc40d1f3869fe8d0d86ac82dcad8b6b8988bd46f96beb4b35ea7499a60a

SHA512
a63f2d8a4f3122dcde0d58a9fbe29411431dc6b07722a974dda17f7050df68bb5251e6aa50f4dd473fe64b418081913ccfa9b132a5c30149dfb9f53dd424ad5d

Download Submit
C:\Program Files (x86)\EssNetTools\swlaunch.dll

Filesize
16KB

MD5
eaceabaa685a464309359b26811bef05

SHA1
05545e6f8ceb0ecef4196d08e6b332cd739d1d2b

SHA256
bdbc4501bd1b0f0bdb0b8d01df11d3a9aa59a3d3f77ec269d6e909073c845459

SHA512
ed1a0868aa562c688eaa2bb071fd8997c47771c9006b9dae141c8a68244d49f1ecaae82e1db097fe46c271a158372c2d3250e3ee2ec962337711660f9578da1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Audio.exe

Filesize
179KB

MD5
1da15a41d35b860551f79024d786f519

SHA1
860bc51df0029cff0532659943d696009b894771

SHA256
30812fdfa5b8becc827a632c55f61876ab6b8cd86b9046631a4083bb7290e399

SHA512
1d292f1d6566afde75a367e63f64ee7e9fc6a7bf7137e6c7c2dfa3cd11e7271455926bcd8d98653454e9af0695ac4afa765b70e2f6e6b7d8c12b420a8606cb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLB99A0.tmp

Filesize
70KB

MD5
9c4e4277bf7f56318301bcf62452c8e6

SHA1
2092162aada654516ae70b1cf75d0b36964f8716

SHA256
2aba4c054e4145d684c4814b9311a1fdcf42485a268c945a589afddbec006246

SHA512
480576de39cd31529546e6f06eea6fea415d55ec54c1b835493ea23ed220ebf43cff2ab6301d39aed275a4664a7bb47bb9bce3bc37256d31dc1bb7e724e19b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC9AAA.tmp

Filesize
161KB

MD5
263e81631fb67194dc968dc3f4bdb4e7

SHA1
2998697c503a542d5cf1e25a0d0df18fcd38d66c

SHA256
9200949ab6f777df957fc524d4733e2cb47b89a209c07d2be57b4c63cecbf766

SHA512
2eb6fd28ba87f193a35f1c4bd4c6ff29495a3c10fea8bfa0506df97fcae5ca16f2617703137ecb32cf6b7dbd3048507dd4d0c7418845cfdce5c43896aec45dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLF9E27.tmp

Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
45KB

MD5
76ba75a7ce68516f5e2a76031e5ec185

SHA1
399bed8aef82a85702c48ef3f15c46005fc15979

SHA256
8070c926913db533326ef061dffca76550bfe9139a60365be604ca2fcef766eb

SHA512
e7caf3284e2668cc52b976b063ac87ffb09b46ec7b2900dfee87a9d0ea95110b3cc11751de942f254f8962b320be49a5866a120dbc971600a60f3f55ecbc4f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
3.8MB

MD5
185c5f195d51214fdb80d1672e59d57a

SHA1
09a02913e68065a37e0f87148702f9a8cccb4088

SHA256
7b0123cf0b310370eaaea949a9d788ce9c624a10756376abef82ee897a66d7cc

SHA512
e9c8a68e038ee9a86d31562daf117adeb43b36d50f18c9dbcb17c0001774b0e54579c4557c09e1175d019b50d58d986376ffe116ee224c5099d8e912ae766eaa

Download Submit
memory/748-242-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/748-250-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/748-222-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/748-280-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/748-274-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/748-269-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/748-264-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/748-259-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/748-255-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/748-223-0x0000000042300000-0x0000000042310000-memory.dmp

Filesize
64KB

Download
memory/748-234-0x0000000003790000-0x000000000379A000-memory.dmp

Filesize
40KB

Download
memory/748-238-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/748-245-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/748-240-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/748-241-0x0000000050FE0000-0x0000000051139000-memory.dmp

Filesize
1.3MB

Download
memory/1612-60-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2112-50-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3700-26-0x0000000073E32000-0x0000000073E33000-memory.dmp

Filesize
4KB

Download
memory/3700-35-0x0000000073E30000-0x00000000743E1000-memory.dmp

Filesize
5.7MB

Download
memory/3700-39-0x0000000073E30000-0x00000000743E1000-memory.dmp

Filesize
5.7MB

Download
memory/3700-58-0x0000000073E32000-0x0000000073E33000-memory.dmp

Filesize
4KB

Download
memory/3700-59-0x0000000073E30000-0x00000000743E1000-memory.dmp

Filesize
5.7MB

Download
memory/3700-61-0x0000000073E30000-0x00000000743E1000-memory.dmp

Filesize
5.7MB

Download