Analysis Overview
SHA256
3a5cb713b00c3cda6c0e003067053b3375aed4797e6ad45ccd02d8faa548647a
Threat Level: Known bad
The file JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9 was found to be: Known bad.
Malicious Activity Summary
Latentbot family
LatentBot
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Loads dropped DLL
Deletes itself
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
UPX packed file
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-26 17:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-26 17:43
Reported
2025-02-26 17:46
Platform
win7-20241010-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
LatentBot
Latentbot family
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Xtreme = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Xtreme = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08C9E5JF-4KJB-16CP-AAA5-00401C6FV500} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08C9E5JF-4KJB-16CP-AAA5-00401C6FV500}\StubPath = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe s" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xtreme = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xtreme = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Xtreme\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1980 set thread context of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe |
| PID 2548 set thread context of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| PID 2248 set thread context of 2848 | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | C:\Windows\SysWOW64\Xtreme\Xtreme.exe |
| PID 2564 set thread context of 2988 | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | C:\Windows\SysWOW64\Xtreme\Xtreme.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
"C:\Windows\system32\Xtreme\Xtreme.exe"
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
"C:\Windows\system32\Xtreme\Xtreme.exe"
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\794567.bat
C:\Windows\SysWOW64\attrib.exe
Attrib -A -S -H -R "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
Files
memory/1980-10-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2548-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2548-6-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/2548-4-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/2548-2-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/2548-1-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/2548-11-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/2548-12-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/2548-13-0x0000000013400000-0x00000000134AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XtremeServerSource.dat
| MD5 | 53a44552ee88fd6d2b5063e409482aa8 |
| SHA1 | f669bb3c778473ec8302563b003f608003787637 |
| SHA256 | 767a4c79ce1eadbbf80c0bf6fcc1e546a5bd31c5f1cf453cac15bbefeb6153cf |
| SHA512 | c909d3e585206f7beb3c38c579ba1bbfdb6bf97e36ed53d42cfa2848c0544790805e9f274a1c3a4fbc387c7f1ae4d9e8d6b3f8fc4590034722c09fc51b94f5dd |
\Windows\SysWOW64\Xtreme\Xtreme.exe
| MD5 | 279331a98b85ffc8ce6862bdd1860aa9 |
| SHA1 | fc50d3471d8fb34a6b4d9fcb4bab6b96a587a9d4 |
| SHA256 | 3a5cb713b00c3cda6c0e003067053b3375aed4797e6ad45ccd02d8faa548647a |
| SHA512 | cd553dd48d7ac263fa7a6246af05b693168815a3aae99034b568687b27d6403a910c9f3316ee6911f012d0c1a091e759d1c697c5886246654a80038cf622a8bb |
memory/2248-35-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1908-41-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/2816-65-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/2564-59-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\794567.bat
| MD5 | 658a7361176128daa2e574400235995e |
| SHA1 | 3509e729f2e53dd34090414bcb795c80d26499e3 |
| SHA256 | 972e5bb59d486a541b88f20667b81d09bc814329ed236d6f43322a78d99d86fd |
| SHA512 | abd13b850809d3823fa0877d56fee97ad36482114166f3120842d9bdb880d82be4f6ef8c89c46081d78e7c79c37a5a725e264c9d11d7faeeeb518df4d2d72b0f |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-26 17:43
Reported
2025-02-26 17:46
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
LatentBot
Latentbot family
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Xtreme = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Xtreme = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08C9E5JF-4KJB-16CP-AAA5-00401C6FV500} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08C9E5JF-4KJB-16CP-AAA5-00401C6FV500}\StubPath = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe s" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xtreme = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xtreme = "C:\\Windows\\system32\\Xtreme\\Xtreme.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Xtreme\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1500 set thread context of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe |
| PID 832 set thread context of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| PID 4216 set thread context of 3332 | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | C:\Windows\SysWOW64\Xtreme\Xtreme.exe |
| PID 4396 set thread context of 3920 | N/A | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | C:\Windows\SysWOW64\Xtreme\Xtreme.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Xtreme\Xtreme.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
"C:\Windows\system32\Xtreme\Xtreme.exe"
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 208
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
"C:\Windows\system32\Xtreme\Xtreme.exe"
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3400 -ip 3400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3400 -ip 3400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 240
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\879317.bat
C:\Windows\SysWOW64\attrib.exe
Attrib -A -S -H -R "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_279331a98b85ffc8ce6862bdd1860aa9.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
| US | 8.8.8.8:53 | infoupdator.zapto.org | udp |
Files
memory/832-1-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/832-2-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/832-3-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/1500-5-0x0000000000400000-0x0000000000441000-memory.dmp
memory/832-6-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/832-8-0x0000000013400000-0x00000000134AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XtremeServerSource.dat
| MD5 | 53a44552ee88fd6d2b5063e409482aa8 |
| SHA1 | f669bb3c778473ec8302563b003f608003787637 |
| SHA256 | 767a4c79ce1eadbbf80c0bf6fcc1e546a5bd31c5f1cf453cac15bbefeb6153cf |
| SHA512 | c909d3e585206f7beb3c38c579ba1bbfdb6bf97e36ed53d42cfa2848c0544790805e9f274a1c3a4fbc387c7f1ae4d9e8d6b3f8fc4590034722c09fc51b94f5dd |
C:\Windows\SysWOW64\Xtreme\Xtreme.exe
| MD5 | 279331a98b85ffc8ce6862bdd1860aa9 |
| SHA1 | fc50d3471d8fb34a6b4d9fcb4bab6b96a587a9d4 |
| SHA256 | 3a5cb713b00c3cda6c0e003067053b3375aed4797e6ad45ccd02d8faa548647a |
| SHA512 | cd553dd48d7ac263fa7a6246af05b693168815a3aae99034b568687b27d6403a910c9f3316ee6911f012d0c1a091e759d1c697c5886246654a80038cf622a8bb |
memory/3644-26-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/4216-27-0x0000000000400000-0x0000000000441000-memory.dmp
memory/832-7-0x0000000013400000-0x00000000134AC000-memory.dmp
memory/4396-41-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3400-40-0x0000000013400000-0x00000000134AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\879317.bat
| MD5 | ab6d86a02984f726046976e7efbec1ca |
| SHA1 | d570144530f9bfe2e35cc795658df79842c7cf51 |
| SHA256 | b14b8259503df5af27d2b80a2407f757d515e4623384289c8c36047c9a9d8dde |
| SHA512 | eab10091f9436bce320744fb1767aa34a7ca8fe3d0015367d9872816035ce661df3453bd3de9777969de8f96ac1837d9e8c9af338a288ed4b37f889d33074af3 |