Overview

overview

10

Static

static

3

JaffaCakes...da.exe

windows7-x64

10

JaffaCakes...da.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    01-01-2025 16:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_5c356ac02bcc70dcc5088272a977d0da.exe

  • Size

    60KB

  • MD5

    5c356ac02bcc70dcc5088272a977d0da

  • SHA1

    3d66ab4f4bf989757dafcb6bc6672918bada6061

  • SHA256

    3dcd15f5c8518d2785f5f0707207f6bd213d782765e8985be30e483bdd738d8e

  • SHA512

    6547aa741b2f290e0a24eb24c80c284281b57fadbaaedc6ff0d1ed5b105342579b528822ede99ac0d6841ea1e5653198a98a99d86580c8bcb61b8c9ec75a0222

  • SSDEEP

    768:23s+6jFw90iYiW1jQU9zKgEFQDqklFnBnibh9fOgKHcIS8YzXBBS8YzXBBzolKK:MngZv1j1PEFQDqkdibT+UFruFr3oUK

Score
10/10
xtremeratdiscoverypersistenceratspyware

Malware Config

Signatures

  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 60 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 28 IoCs
  • Loads dropped DLL 29 IoCs
  • Adds Run key to start application 2 TTPs 60 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c356ac02bcc70dcc5088272a977d0da.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c356ac02bcc70dcc5088272a977d0da.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2876
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2140
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2624
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1104
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3000
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2972
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2868
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1464
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1892
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2384
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:940
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2084
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1100
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1348
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3068
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1164
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1824
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:612
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:828
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1540
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2416
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:856
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2180
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3048
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1364
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2540
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2008
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1516
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2316
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2776
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2744
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2780
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3040
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2756
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2696
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2376
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:236
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1936
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2828
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2608
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2796
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1284
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2364
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2660
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2076
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2344
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2544
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1076
      • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
        "C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2224
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2816
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bgfHE.cfg
    Filesize

    1KB

    MD5

    fb6b883ed51c2bf814b68f7f121cbcb7

    SHA1

    ae47b613f89ba31040fffca5ab340d8404ce0003

    SHA256

    25d3673bf8684e6f34cae4baa765dd19d05a3707feb7812dc4c5cdc67faac812

    SHA512

    18b977aa174cc7d2f49cccb59c57fd3902faf764b3fe6ff117e916a173137df4b7ed8921822ee67b9deb7994f59a4c48f335a4c8a2827057f32292ff49ff9d10

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bgfHE.dat
    Filesize

    2B

    MD5

    84cad01fdb44ae58dbe6c3973dcd87f5

    SHA1

    4700b42849fb35be323774820bf1bc8019d26c80

    SHA256

    8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6

    SHA512

    6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\bouls\hkmg.exe
    Filesize

    60KB

    MD5

    5c356ac02bcc70dcc5088272a977d0da

    SHA1

    3d66ab4f4bf989757dafcb6bc6672918bada6061

    SHA256

    3dcd15f5c8518d2785f5f0707207f6bd213d782765e8985be30e483bdd738d8e

    SHA512

    6547aa741b2f290e0a24eb24c80c284281b57fadbaaedc6ff0d1ed5b105342579b528822ede99ac0d6841ea1e5653198a98a99d86580c8bcb61b8c9ec75a0222

    Download Submit

  • memory/772-48-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/940-91-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1100-99-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1104-49-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1104-47-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1164-107-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1164-109-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1348-100-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1348-98-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1464-73-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1464-75-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1692-57-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1892-82-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2000-9-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2000-12-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2084-90-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2084-92-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2140-32-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2140-30-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2268-10-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2340-5-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2340-4-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2384-81-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2384-83-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2624-41-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2624-39-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2736-31-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2748-22-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2868-74-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2876-24-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2876-21-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2896-40-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2916-65-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2972-66-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2972-64-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3000-58-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3000-56-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3068-108-0x0000000000C80000-0x0000000000C97000-memory.dmp

    Filesize

    92KB

    Download