xtremerat | 6d9c56da19bbd740c69ef0f36517e0b398fbee1bd5bab0d1e5e87c7bfea76225

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Size

1.5MB
MD5

ffbab9517e714bc602e6bfcea36b5c19
SHA1

eaf51aa3339794074b1ae032a8e7dbcf2b3c20a8
SHA256

6d9c56da19bbd740c69ef0f36517e0b398fbee1bd5bab0d1e5e87c7bfea76225
SHA512

8af37d66ba78e940a30580f64bedd2baccafaddb09ce9c5a3cb3e63b1a8e259c1857ced7f530f677f8dbe8283bea458adede91edc7c239ecc51a2ca166436095
SSDEEP

24576:lP2PU8hQzGNtWtR440slkQ6sgm7M+unMpbFbU67BzJi20+/emgeNfaPqcqbXJitR:Rq1NIR4fOtf7zpb9Ji20+NGqQDuEpIK

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	explorer.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Adds policy Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3056	pidginutily.exe
5096	pidginutily.exe
3508	pidginutily.exe
3600	pidginutily.exe
2404	pidginutily.exe
4524	pidginutily.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	explorer.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3252 set thread context of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3056 set thread context of 2404	3056	pidginutily.exe	140
PID 5096 set thread context of 3600	5096	pidginutily.exe	139
PID 3508 set thread context of 4524	3508	pidginutily.exe	142
PID 3600 set thread context of 3912	3600	pidginutily.exe	144

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3252-0-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral2/memory/3252-2-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral2/memory/3252-9-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral2/files/0x000a000000023bad-18.dat	upx
behavioral2/memory/3056-33-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral2/memory/5096-34-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral2/memory/5096-39-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral2/memory/3056-38-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral2/memory/3056-51-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral2/memory/5096-49-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral2/memory/3508-59-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral2/memory/3508-64-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral2/memory/3912-74-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral2/memory/3912-72-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral2/memory/3912-73-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral2/memory/3912-78-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral2/memory/3912-77-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral2/memory/3912-79-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral2/memory/3912-81-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral2/memory/3912-82-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral2/memory/3912-83-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral2/memory/3912-76-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral2/memory/3912-87-0x0000000001610000-0x0000000001720000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	explorer.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3912	explorer.exe
3912	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
3912	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3252 wrote to memory of 3840	3252	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	86
PID 3840 wrote to memory of 5012	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	97
PID 3840 wrote to memory of 5012	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	97
PID 3840 wrote to memory of 5012	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	97
PID 3840 wrote to memory of 5012	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	97
PID 3840 wrote to memory of 228	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	98
PID 3840 wrote to memory of 228	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	98
PID 3840 wrote to memory of 1736	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	99
PID 3840 wrote to memory of 1736	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	99
PID 3840 wrote to memory of 1736	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	99
PID 3840 wrote to memory of 952	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	100
PID 3840 wrote to memory of 952	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	100
PID 3840 wrote to memory of 952	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	100
PID 3840 wrote to memory of 1472	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	101
PID 3840 wrote to memory of 1472	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	101
PID 3840 wrote to memory of 432	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	102
PID 3840 wrote to memory of 432	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	102
PID 3840 wrote to memory of 432	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	102
PID 3840 wrote to memory of 3696	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	103
PID 3840 wrote to memory of 3696	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	103
PID 3840 wrote to memory of 4508	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	104
PID 3840 wrote to memory of 4508	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	104
PID 3840 wrote to memory of 4508	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	104
PID 3840 wrote to memory of 2772	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	105
PID 3840 wrote to memory of 2772	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	105
PID 3840 wrote to memory of 1856	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	106
PID 3840 wrote to memory of 1856	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	106
PID 3840 wrote to memory of 1856	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	106
PID 3840 wrote to memory of 2700	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	107
PID 3840 wrote to memory of 2700	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	107
PID 3840 wrote to memory of 3952	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	108
PID 3840 wrote to memory of 3952	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	108
PID 3840 wrote to memory of 3952	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	108
PID 3840 wrote to memory of 1212	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	109
PID 3840 wrote to memory of 1212	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	109
PID 3840 wrote to memory of 4052	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	110
PID 3840 wrote to memory of 4052	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	110
PID 3840 wrote to memory of 4052	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	110
PID 3840 wrote to memory of 3464	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	111
PID 3840 wrote to memory of 3464	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	111
PID 3840 wrote to memory of 2636	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	112
PID 3840 wrote to memory of 2636	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	112
PID 3840 wrote to memory of 2636	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	112
PID 3840 wrote to memory of 4892	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	113
PID 3840 wrote to memory of 4892	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	113
PID 3840 wrote to memory of 924	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	114
PID 3840 wrote to memory of 924	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	114
PID 3840 wrote to memory of 924	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	114
PID 3840 wrote to memory of 4324	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	115
PID 3840 wrote to memory of 4324	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	115
PID 3840 wrote to memory of 5020	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	116
PID 3840 wrote to memory of 5020	3840	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Users\Admin\AppData\Local\Temp\ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:5012
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:5096
    - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
        
        "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2312
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3912
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3508
    - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
        
        "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
        5⤵
        Executes dropped EXE
        
        PID:4524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:228
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:5020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:676
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:5112
- - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
    "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3056
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
      4⤵
      Executes dropped EXE
      PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Q1j3hCKCyxW\Q1j3hCKCyxW.dat

Filesize
2B

MD5
93e00066d099c0485cfffa1359246d26

SHA1
bc69a773f37b2f2071e25f755a66d47b871e5d98

SHA256
3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde

SHA512
d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Q1j3hCKCyxW\Q1j3hCKCyxW.nfo

Filesize
3KB

MD5
14bb0770b00759a393067240244bf690

SHA1
419344adff151fa951ccb604b8a55ca8c3197732

SHA256
a4d73a576f88e0fc979a501a406146227f2f9294384585472b41f9acb338c7b1

SHA512
354a5ae937325e8710881591b90ccfdc5e0c423e87bd2c13ca1168b998deae31225f036468d73cf023b8a5164bd3f0c15e7a54b3d0af378d53a35edcf9ccc4ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Q1j3hCKCyxW\Q1j3hCKCyxW.svr

Filesize
357KB

MD5
28c66465338c1740d341e2c4427fb065

SHA1
1b9c40c1046c08e4cb63e5be9076f38386142161

SHA256
97a5caded2fe081539eb7102c13b62c6ea5a55257f04333eec12aff8ae272a46

SHA512
3e6ea31f69fed2c2732bbb98158899d5e2c657b2653ebf857652d67a3925bfeab4245f8dda14d63a90cfe7eb15f3089fead00583f1e7641cd69e9007577ce0c9

Download Submit
C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe

Filesize
1.5MB

MD5
ffbab9517e714bc602e6bfcea36b5c19

SHA1
eaf51aa3339794074b1ae032a8e7dbcf2b3c20a8

SHA256
6d9c56da19bbd740c69ef0f36517e0b398fbee1bd5bab0d1e5e87c7bfea76225

SHA512
8af37d66ba78e940a30580f64bedd2baccafaddb09ce9c5a3cb3e63b1a8e259c1857ced7f530f677f8dbe8283bea458adede91edc7c239ecc51a2ca166436095

Download Submit
memory/2404-58-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3056-33-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/3056-38-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/3056-51-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/3252-9-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/3252-2-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/3252-3-0x00000000004CC000-0x00000000004D5000-memory.dmp

Filesize
36KB

Download
memory/3252-0-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/3252-1-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/3508-59-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/3508-64-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/3600-71-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3840-5-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3840-29-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3840-22-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3840-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3840-7-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3840-6-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3840-4-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3912-73-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/3912-77-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/3912-87-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/3912-76-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/3912-83-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/3912-74-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/3912-72-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/3912-82-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/3912-78-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/3912-81-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/3912-79-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/4524-69-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5012-19-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5012-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5096-49-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/5096-34-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/5096-39-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download