7239e7c701944b48f9d6fb8a29dbee0e941dcbe07f9bcb1bf50cb97269a62525

Modify Registry

Processes:

f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6UD61T00-Q26U-7025-0OM6-T148V4WUPRRG}	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6UD61T00-Q26U-7025-0OM6-T148V4WUPRRG}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3076-3-0x0000000010410000-0x0000000010475000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe"	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe"	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe

pid process

3076 f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe
3076 f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe

pid	process
3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe
3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe

description	pid	process	target process
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe
PID 3076 wrote to memory of 1268	3076	f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f001b910bdfec9b9546830efe1ce8710_JaffaCakes118.exe"
2⤵
PID:4300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry