Analysis Overview
SHA256
1e6613f5ad9ca06c054888a8b581451bd98bd4032d779316ef75eb489f4c8ceb
Threat Level: Known bad
The file JaffaCakes118_352519755c4418e7db919f5def54f044 was found to be: Known bad.
Malicious Activity Summary
Latentbot family
Xtremerat family
Detect XtremeRAT payload
LatentBot
XtremeRAT
Boot or Logon Autostart Execution: Active Setup
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
UPX packed file
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-28 23:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-28 23:02
Reported
2025-02-28 23:05
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LatentBot
Latentbot family
XtremeRAT
Xtremerat family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\InstallDir\Server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\InstallDir\Server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\InstallDir\Server.exe | N/A |
| N/A | N/A | C:\Windows\InstallDir\Server.exe | N/A |
| N/A | N/A | C:\Windows\InstallDir\Server.exe | N/A |
| N/A | N/A | C:\Windows\InstallDir\Server.exe | N/A |
| N/A | N/A | C:\Windows\InstallDir\Server.exe | N/A |
| N/A | N/A | C:\Windows\InstallDir\Server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1640 set thread context of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe |
| PID 5088 set thread context of 1216 | N/A | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe |
| PID 1216 set thread context of 5040 | N/A | C:\Windows\InstallDir\Server.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 1448 set thread context of 4856 | N/A | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe |
| PID 4856 set thread context of 1256 | N/A | C:\Windows\InstallDir\Server.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 1120 set thread context of 2480 | N/A | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | hussienashraf2020.zapto.org | udp |
| US | 8.8.8.8:53 | hussienashraf2020.zapto.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1640-0-0x0000000023240000-0x000000002326F000-memory.dmp
memory/1328-2-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/1328-8-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/1328-7-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/1328-6-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/1328-11-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/1328-4-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/1328-1-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/1328-12-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/1328-10-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/2548-19-0x0000000000C80000-0x0000000000CEE000-memory.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 352519755c4418e7db919f5def54f044 |
| SHA1 | 756104d0d47d829fe81e9fa4dcf848706bed6694 |
| SHA256 | 1e6613f5ad9ca06c054888a8b581451bd98bd4032d779316ef75eb489f4c8ceb |
| SHA512 | b4196a53c03fa7a974f8cef74dbbb5e3fcd99b928edee4444f1e6b1bdd9d10ff7618654293924ec0ce23e56fccb1305e873d3add6f353d347712f4ceb5f4da90 |
memory/4448-21-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/1328-22-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/4448-24-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/4448-30-0x0000000000C80000-0x0000000000CEE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.xtr
| MD5 | 6426d400c96fb9ffef4eaa54f6647f4c |
| SHA1 | 70a37871aff432790b6adf7d3fc4eb929476e082 |
| SHA256 | 98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c |
| SHA512 | 2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5 |
memory/4448-35-0x0000000000C80000-0x0000000000CEE000-memory.dmp
memory/1640-36-0x0000000023240000-0x000000002326F000-memory.dmp
memory/5088-38-0x0000000023240000-0x000000002326F000-memory.dmp
memory/1216-49-0x0000000000C80000-0x0000000000CEE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.cfg
| MD5 | 760b7be45845f276a5a1c8ce6caa28b0 |
| SHA1 | 62f4389d9ba9d4836ffc44b6d78fbedbc2310372 |
| SHA256 | 5bb67d0d9624fb733646e1070138b7254b14ec9adb8318ef426f4a805c12f99f |
| SHA512 | 36865b7501cf8b0a0d7c713d1ae2ee557c69060629418bfada54ce10e90c02921ffa747c9ce2c45c018a16a1e1b1b0d37e01c23d2e93729b3a698933e0f73a73 |
memory/5040-56-0x0000000001610000-0x0000000001712000-memory.dmp
memory/5040-55-0x0000000001610000-0x0000000001712000-memory.dmp
memory/5040-54-0x0000000001610000-0x0000000001712000-memory.dmp
memory/5040-58-0x0000000001610000-0x0000000001712000-memory.dmp
memory/5040-59-0x0000000001610000-0x0000000001712000-memory.dmp
memory/5040-60-0x0000000001610000-0x0000000001712000-memory.dmp
memory/5040-61-0x0000000001610000-0x0000000001712000-memory.dmp
memory/5040-62-0x0000000001610000-0x0000000001712000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.dat
| MD5 | 84cad01fdb44ae58dbe6c3973dcd87f5 |
| SHA1 | 4700b42849fb35be323774820bf1bc8019d26c80 |
| SHA256 | 8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6 |
| SHA512 | 6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab |
memory/5040-65-0x0000000001610000-0x0000000001712000-memory.dmp
memory/5040-64-0x0000000001610000-0x0000000001712000-memory.dmp
memory/5088-67-0x0000000023240000-0x000000002326F000-memory.dmp
memory/5040-68-0x0000000001610000-0x0000000001712000-memory.dmp
memory/5040-69-0x0000000001610000-0x0000000001712000-memory.dmp
memory/1256-91-0x0000000001610000-0x0000000001712000-memory.dmp
memory/1256-92-0x0000000001610000-0x0000000001712000-memory.dmp
memory/1256-94-0x0000000001610000-0x0000000001712000-memory.dmp
memory/1256-95-0x0000000001610000-0x0000000001712000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-28 23:02
Reported
2025-02-28 23:05
Platform
win7-20241010-en
Max time kernel
150s
Max time network
30s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LatentBot
Latentbot family
XtremeRAT
Xtremerat family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\InstallDir\Server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\InstallDir\Server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\InstallDir\Server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\InstallDir\Server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\InstallDir\Server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\InstallDir\Server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | C:\Windows\InstallDir\Server.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\InstallDir\Server.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe | N/A |
| File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\Server.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\Server.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\InstallDir\Server.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hussienashraf2020.zapto.org | udp |
Files
C:\Windows\InstallDir\Server.exe
| MD5 | 352519755c4418e7db919f5def54f044 |
| SHA1 | 756104d0d47d829fe81e9fa4dcf848706bed6694 |
| SHA256 | 1e6613f5ad9ca06c054888a8b581451bd98bd4032d779316ef75eb489f4c8ceb |
| SHA512 | b4196a53c03fa7a974f8cef74dbbb5e3fcd99b928edee4444f1e6b1bdd9d10ff7618654293924ec0ce23e56fccb1305e873d3add6f353d347712f4ceb5f4da90 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.xtr
| MD5 | 6426d400c96fb9ffef4eaa54f6647f4c |
| SHA1 | 70a37871aff432790b6adf7d3fc4eb929476e082 |
| SHA256 | 98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c |
| SHA512 | 2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.cfg
| MD5 | 760b7be45845f276a5a1c8ce6caa28b0 |
| SHA1 | 62f4389d9ba9d4836ffc44b6d78fbedbc2310372 |
| SHA256 | 5bb67d0d9624fb733646e1070138b7254b14ec9adb8318ef426f4a805c12f99f |
| SHA512 | 36865b7501cf8b0a0d7c713d1ae2ee557c69060629418bfada54ce10e90c02921ffa747c9ce2c45c018a16a1e1b1b0d37e01c23d2e93729b3a698933e0f73a73 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.dat
| MD5 | 84cad01fdb44ae58dbe6c3973dcd87f5 |
| SHA1 | 4700b42849fb35be323774820bf1bc8019d26c80 |
| SHA256 | 8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6 |
| SHA512 | 6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |