Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-12-2024 10:29

General

  • Target

    d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe

  • Size

    699KB

  • MD5

    d69477dcdd44d6f9d0102329894a9d9c

  • SHA1

    123ee34e12767a0a5fbbf132a32321cdf3dbbae0

  • SHA256

    ef9ec4742f12bf579efb7d36c3d645fba6d67b91272ee5b34952c25184f0afd6

  • SHA512

    5b92c34293bdbad140450ed4732710ab9b5a4d25f45034f8a754cfb0bd55d7b24059c46cc8465786283a5124b88cc154d0840205023119271334dc0058a0781f

  • SSDEEP

    12288:q/ezny90hw8BFyqXTS1jMeo5DKI4EZNYbaDY9wL:lnyww8BFyqjSMb4aNnMW

Malware Config

Extracted

Family

xtremerat

C2

dejoui2.no-ip.info

Signatures

  • Detect XtremeRAT payload 5 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

  • Xtremerat family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
        jk27ca.exe
        3⤵
        PID:2668
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
        jk27ca.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1908
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:2632
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:2512
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:2560
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:2568
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:2592
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:2640
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:3052
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:2088
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:2576
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:2372
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:1676
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:3060
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:760
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:2768
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:1264
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          PID:1472
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BOOSTH~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BOOSTH~1.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2844

                                    Network

                                    • flag-us
                                      DNS
                                      thetradingeye.com
                                      jk27ca.exe
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      thetradingeye.com
                                      IN A
                                      Response
                                      thetradingeye.com
                                      IN A
                                      193.26.158.183
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:29:43 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:29:48 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:29:54 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:29:59 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:30:04 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:30:09 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:30:14 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:30:19 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:30:24 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:30:29 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:30:35 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:30:40 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:30:45 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:30:50 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:30:55 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:31:00 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:31:05 GMT
                                      Content-Length: 19
                                    • flag-de
                                      GET
                                      http://thetradingeye.com/plugin.xtr
                                      jk27ca.exe
                                      Remote address:
                                      193.26.158.183:80
                                      Request
                                      GET /plugin.xtr HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                      Host: thetradingeye.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Content-Type: text/plain; charset=utf-8
                                      X-Content-Type-Options: nosniff
                                      Date: Sun, 08 Dec 2024 10:31:10 GMT
                                      Content-Length: 19
                                     • GET
                                       http://thetradingeye.com/plugin.xtr
                                       jk27ca.exe
                                       Remote address:
                                       193.26.158.183:80
                                       Repeated ten further times at five- to six-second intervals (response Date headers 10:31:16, 10:31:21, 10:31:26, 10:31:31, 10:31:37, 10:31:42, 10:31:47, 10:31:52, 10:31:57 and 10:32:02 GMT on Sun, 08 Dec 2024). Apart from the Date header, every request and every response is identical to the exchange below; the plugin was never served and the client kept polling regardless.
                                       Request
                                       GET /plugin.xtr HTTP/1.1
                                       Accept: */*
                                       Accept-Encoding: gzip, deflate
                                       User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                       Host: thetradingeye.com
                                       Connection: Keep-Alive
                                       Response
                                       HTTP/1.1 404 Not Found
                                       Content-Type: text/plain; charset=utf-8
                                       X-Content-Type-Options: nosniff
                                       Date: Sun, 08 Dec 2024 10:31:16 GMT
                                       Content-Length: 19
                                     • DNS
                                      dejoui2.no-ip.info
                                      jk27ca.exe
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      dejoui2.no-ip.info
                                      IN A
                                      Response
                                      dejoui2.no-ip.info
                                      IN A
                                      0.0.0.0
                                    • 193.26.158.183:80
                                      http://thetradingeye.com/plugin.xtr
                                      http
                                      jk27ca.exe
                                      12.0kB
                                      6.2kB
                                      59
                                      32

                                       HTTP Request
                                       GET http://thetradingeye.com/plugin.xtr
                                       HTTP Response
                                       404
                                       (this request/response pair is recorded 28 times on this connection, all with status 404)
                                    • 8.8.8.8:53
                                      thetradingeye.com
                                      dns
                                      jk27ca.exe
                                      63 B
                                      79 B
                                      1
                                      1

                                      DNS Request

                                      thetradingeye.com

                                      DNS Response

                                      193.26.158.183

                                    • 8.8.8.8:53
                                      dejoui2.no-ip.info
                                      dns
                                      jk27ca.exe
                                      64 B
                                      80 B
                                      1
                                      1

                                      DNS Request

                                      dejoui2.no-ip.info

                                      DNS Response

                                      0.0.0.0
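The network activity above has two features worth turning into detection logic: jk27ca.exe requests the same /plugin.xtr URL at a near-constant interval and keeps going although every answer is a 404, and the configured C2 is a dynamic-DNS name (dejoui2.no-ip.info) whose lookup came back as 0.0.0.0, i.e. the sandbox neutralised it. The script below is an added example, not part of this report or of any sandbox's own tooling; its log entries are constructed from the timestamps, URL and DNS answers shown above, and the dynamic-DNS suffix list, the sinkhole address set and the jitter threshold are assumptions to tune for your own environment.

```python
"""Added example: flag fixed-interval plugin polling and sinkholed dynamic-DNS
answers in sandbox network logs of the kind shown in this report."""
from collections import defaultdict
from email.utils import parsedate_to_datetime
from statistics import mean, pstdev

# Constructed from the report: one tuple per GET /plugin.xtr exchange, using the
# response Date header as the timestamp: (process, method, url, status, date).
HTTP_LOG = [
    ("jk27ca.exe", "GET", "http://thetradingeye.com/plugin.xtr", 404, "Sun, 08 Dec 2024 10:31:10 GMT"),
    ("jk27ca.exe", "GET", "http://thetradingeye.com/plugin.xtr", 404, "Sun, 08 Dec 2024 10:31:16 GMT"),
    ("jk27ca.exe", "GET", "http://thetradingeye.com/plugin.xtr", 404, "Sun, 08 Dec 2024 10:31:21 GMT"),
    ("jk27ca.exe", "GET", "http://thetradingeye.com/plugin.xtr", 404, "Sun, 08 Dec 2024 10:31:26 GMT"),
    ("jk27ca.exe", "GET", "http://thetradingeye.com/plugin.xtr", 404, "Sun, 08 Dec 2024 10:31:31 GMT"),
    ("jk27ca.exe", "GET", "http://thetradingeye.com/plugin.xtr", 404, "Sun, 08 Dec 2024 10:31:37 GMT"),
    ("jk27ca.exe", "GET", "http://thetradingeye.com/plugin.xtr", 404, "Sun, 08 Dec 2024 10:31:42 GMT"),
    ("jk27ca.exe", "GET", "http://thetradingeye.com/plugin.xtr", 404, "Sun, 08 Dec 2024 10:31:47 GMT"),
    ("jk27ca.exe", "GET", "http://thetradingeye.com/plugin.xtr", 404, "Sun, 08 Dec 2024 10:31:52 GMT"),
    ("jk27ca.exe", "GET", "http://thetradingeye.com/plugin.xtr", 404, "Sun, 08 Dec 2024 10:31:57 GMT"),
    ("jk27ca.exe", "GET", "http://thetradingeye.com/plugin.xtr", 404, "Sun, 08 Dec 2024 10:32:02 GMT"),
]

# Constructed from the two DNS answers in the report: (process, name, answer).
DNS_LOG = [
    ("jk27ca.exe", "thetradingeye.com", "193.26.158.183"),
    ("jk27ca.exe", "dejoui2.no-ip.info", "0.0.0.0"),
]

# Assumed lists for illustration; extend them for your own environment.
DDNS_SUFFIXES = (".no-ip.info", ".no-ip.org", ".no-ip.biz", ".ddns.net", ".hopto.org")
SINKHOLE_ANSWERS = {"0.0.0.0", "127.0.0.1"}


def polling_findings(http_log, min_requests=5, max_jitter=0.25):
    """Group requests by (process, method, url) and flag groups that hit the same
    URL at a near-constant interval. Jitter is pstdev/mean of the gaps between
    requests: a sleep loop in a RAT gives a ratio near zero, browsing does not."""
    groups = defaultdict(list)
    for proc, method, url, status, date in http_log:
        ts = parsedate_to_datetime(date).timestamp()
        groups[(proc, method, url)].append((ts, status))
    findings = []
    for (proc, method, url), hits in groups.items():
        if len(hits) < min_requests:
            continue
        hits.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(hits, hits[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            findings.append({
                "kind": "periodic_polling",
                "process": proc,
                "url": url,
                "requests": len(hits),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
                # Every attempt failed: the payload was never served, yet the
                # client kept retrying, which is itself a strong signal.
                "all_failed": all(status >= 400 for _, status in hits),
            })
    return findings


def dns_findings(dns_log):
    """Flag dynamic-DNS names (common in XtremeRAT builds) and answers that point
    at a sinkhole/null address, which usually means the sandbox or a resolver
    policy neutralised the C2 lookup rather than the domain being dead."""
    findings = []
    for proc, name, answer in dns_log:
        reasons = []
        if name.lower().endswith(DDNS_SUFFIXES):
            reasons.append("dynamic_dns")
        if answer in SINKHOLE_ANSWERS:
            reasons.append("sinkholed")
        if reasons:
            findings.append({"kind": "dns", "process": proc, "name": name,
                             "answer": answer, "reasons": reasons})
    return findings


def analyze(http_log=HTTP_LOG, dns_log=DNS_LOG):
    """Run both detectors over the constructed logs and return the findings."""
    return polling_findings(http_log) + dns_findings(dns_log)


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

On the report's own timestamps the polling detector reports eleven requests at a mean interval of 5.2 seconds with a jitter ratio under 0.1, all of them failed, and the DNS detector flags dejoui2.no-ip.info as both a dynamic-DNS name and a sinkholed answer; the commercial domain thetradingeye.com, which resolved normally, is not flagged by the DNS rule and is only caught through the polling behaviour.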

                                    MITRE ATT&CK Enterprise v15


                                    Downloads

                                     • \Users\Admin\AppData\Local\Temp\IXP000.TMP\BOOSTH~1.EXE
                                       Filesize: 467KB
                                       MD5: 0715c843b7a3251e30b1032441b72a16
                                       SHA1: 8200877a5671f14accec609d62f5a481b8dec598
                                       SHA256: 24db9327aa259fb2b7ce9bde4a56c1abc7ca545637b1b9bd117221943957a311
                                       SHA512: e681dbbcfd7516860deb685eb2d368f431aa2ecddd078e1350dd06b6d808cf15041e7307d1f5ea520770b0489fd6105979d2266f27adb7ad58cdde6ef832d271

                                     • \Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
                                       Filesize: 197KB
                                       MD5: 29e01606b4f35126333767f1fd7712fe
                                       SHA1: 25699a15402be8674f6a04592e51c3a1bffd2805
                                       SHA256: 05129e5a49b13ec8e8f0098c927fbaf8b8b19a38e65aef20773d56f2c734833f
                                       SHA512: dfd3eca7cdfe7b97d12882e192ad85a57da938a5761a44d07aa85b386a0a4b20655c823341cb82b78585f1996ca3be9d8c7843e4a3fc9c132b1f56992ba1a405

                                     • memory/1908-44-0x0000000000C80000-0x0000000000CAD000-memory.dmp (Filesize: 180KB)
                                     • memory/2368-12-0x0000000074632000-0x0000000074634000-memory.dmp (Filesize: 8KB)
                                     • memory/2732-29-0x0000000000C80000-0x0000000000CAD000-memory.dmp (Filesize: 180KB)
                                     • memory/2732-28-0x0000000000C80000-0x0000000000CAD000-memory.dmp (Filesize: 180KB)
                                     • memory/2732-27-0x0000000000C80000-0x0000000000CAD000-memory.dmp (Filesize: 180KB)
                                     • memory/2732-24-0x0000000000C80000-0x0000000000CAD000-memory.dmp (Filesize: 180KB)
                                     • memory/2732-21-0x0000000000C80000-0x0000000000CAD000-memory.dmp (Filesize: 180KB)
                                     • memory/2732-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
                                     • memory/2732-15-0x0000000000C80000-0x0000000000CAD000-memory.dmp (Filesize: 180KB)
                                     • memory/2732-17-0x0000000000C80000-0x0000000000CAD000-memory.dmp (Filesize: 180KB)
                                     • memory/2732-16-0x0000000000C80000-0x0000000000CAD000-memory.dmp (Filesize: 180KB)
                                     • memory/2732-48-0x0000000000C80000-0x0000000000CAD000-memory.dmp (Filesize: 180KB)
                                     • memory/2732-49-0x0000000000C80000-0x0000000000CAD000-memory.dmp (Filesize: 180KB)
                                     • memory/2844-46-0x00000000002F0000-0x000000000036C000-memory.dmp (Filesize: 496KB)
