Malware Analysis Report

2024-09-22 10:13

Sample ID 240417-v51qyagg97
Target f6502fe2f8d492436051cff7a249b961_JaffaCakes118
SHA256 5623a900a9d242177a0b737deb794982eb2c37d09dc1c4c9f0af76b20a0657b9
Tags
cybergate cyber persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

5623a900a9d242177a0b737deb794982eb2c37d09dc1c4c9f0af76b20a0657b9

Threat Level: Known bad

The file f6502fe2f8d492436051cff7a249b961_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate cyber persistence stealer trojan upx

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

UPX packed file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-04-17 17:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-17 17:35
Reported 2024-04-17 17:37
Platform win7-20240221-en
Max time kernel 149s
Max time network 153s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV} | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV} | C:\Windows\SysWOW64\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 identical rows)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2168 wrote to memory of 2052 (4 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe
PID 2052 wrote to memory of 1176 (60 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | C:\Windows\Explorer.EXE

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Testing.exe | "C:\Users\Admin\AppData\Local\Temp\Testing.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\Testing.exe | "C:\Users\Admin\AppData\Local\Temp\Testing.exe"
C:\Windows\SysWOW64\install\server.exe | "C:\Windows\system32\install\server.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.server.com | udp
US | 52.8.126.80:80 | www.server.com | tcp (13 identical rows)

Files

C:\Users\Admin\AppData\Local\Temp\Testing.exe

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

C:\Users\Admin\AppData\Roaming\Adminlog.dat

C:\Users\Admin\AppData\Local\Temp\Admin7 (19 entries, each with different hashes)

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-17 17:35
Reported 2024-04-17 17:37
Platform win10v2004-20240412-en
Max time kernel 150s
Max time network 150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV} | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 identical rows)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\install\server.exe

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4420 wrote to memory of 448 (3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe
PID 448 wrote to memory of 3272 (51 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | C:\Windows\Explorer.EXE
PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE
PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE
PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE
PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE
PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE
PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE
PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE
PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE
PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE
PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE
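The rows above are raw per-call records, so the practical first step is to collapse them into one line per source/target pair with a write count and flag the pairs that look like injection. The following is an added example, not code from the sandbox or the report: it parses rows in the exact format of the table, aggregates them, and applies a simple heuristic (a binary under a user-writable directory writing into a process whose image lives under C:\Windows). The sample rows are constructed; three copy the report's row, the fourth (PID 2432, SysWOW64\explorer.exe) is hypothetical and exists only to show grouping, and the `USER_WRITABLE` list is an assumption.

```python
import re
from collections import Counter

# Row format of the "Suspicious use of WriteProcessMemory" table:
#   PID <src> wrote to memory of <dst> N/A <source image> <target image>
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Constructed sample input: three rows in the report's format, plus a fourth,
# hypothetical row (PID 2432 / SysWOW64\explorer.exe) added only to show grouping.
SAMPLE_ROWS = [
    r"PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE",
    r"PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE",
    r"PID 448 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\Explorer.EXE",
    r"PID 448 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\Testing.exe C:\Windows\SysWOW64\explorer.exe",
    "not a table row",
]

# Directories a dropped payload typically runs from; an assumption used by the heuristic.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def parse_rows(rows):
    """Return (src_pid, dst_pid, src_img, dst_img) for every line matching the row format."""
    events = []
    for line in rows:
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def summarize(events):
    """Collapse repeated rows into one record per (src_pid, dst_pid) with a write count."""
    counts = Counter((src, dst) for src, dst, _, _ in events)
    images = {(src, dst): (src_img, dst_img) for src, dst, src_img, dst_img in events}
    return [
        {"src_pid": src, "dst_pid": dst, "src_img": images[(src, dst)][0],
         "dst_img": images[(src, dst)][1], "writes": n}
        for (src, dst), n in sorted(counts.items())
    ]


def is_suspicious(src_img, dst_img):
    """Heuristic: a binary in a user-writable directory writing into a process whose
    image lives under C:\\Windows is the injection shape recorded in this report."""
    src, dst = src_img.lower(), dst_img.lower()
    return any(d in src for d in USER_WRITABLE) and dst.startswith("c:\\windows\\")


def injection_report(rows):
    """Parsed, aggregated and flagged view of the table rows."""
    out = summarize(parse_rows(rows))
    for rec in out:
        rec["suspicious"] = is_suspicious(rec["src_img"], rec["dst_img"])
    return out


if __name__ == "__main__":
    for rec in injection_report(SAMPLE_ROWS):
        print(f"{rec['src_pid']} -> {rec['dst_pid']}: {rec['writes']} writes, "
              f"{rec['src_img']} -> {rec['dst_img']}, suspicious={rec['suspicious']}")
```

The write count matters on its own: a single WriteProcessMemory call into explorer.exe can be benign tooling, whereas dozens of consecutive writes from a Temp-directory binary into the shell process is the pattern to alert on.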

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Testing.exe

"C:\Users\Admin\AppData\Local\Temp\Testing.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\Testing.exe

"C:\Users\Admin\AppData\Local\Temp\Testing.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"
(the command line names system32, but the recorded image path is SysWOW64: server.exe is a 32-bit process, and WOW64 file-system redirection maps C:\Windows\system32 to C:\Windows\SysWOW64 for it, so the persistence path written to the registry and the on-disk location differ)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 220 -ip 220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 592

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 60.166.213.23.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 udp
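Most rows in this table are resolver traffic and reverse lookups that the sandbox OS generates on its own; the rows worth extracting are the forward DNS queries and the repeated TCP contacts. The following is an added example, not code from the sandbox or the report: it parses rows in the table's format, drops in-addr.arpa lookups and resolver flows, counts connections per destination so beaconing stands out, and separates unnamed bare-IP flows (which the page does not attribute) from named candidates. The sample rows are a constructed subset of the table above, the resolver address 8.8.8.8 is taken from the table, and the `BENIGN_DOMAINS` allowlist (g.bing.com) is an analyst assumption.

```python
import re
from collections import Counter

# Row format of the Network table: "<country> <ip>:<port> [<domain>] <proto>"; the domain
# column is empty on some rows (bare-IP connections and an unlabelled resolver query).
NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

# Constructed sample: a subset of the table rows, in the same format.
SAMPLE_TABLE = """\
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 20.231.121.79:80 tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 udp
"""

RESOLVER = ("8.8.8.8", 53)          # the resolver seen in the table
BENIGN_DOMAINS = {"g.bing.com"}     # analyst allowlist of OS background traffic; an assumption


def parse_table(text):
    rows = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if m:
            rows.append({"ip": m["ip"], "port": int(m["port"]),
                         "domain": m["domain"], "proto": m["proto"]})
    return rows


def is_resolver(row):
    return (row["ip"], row["port"]) == RESOLVER and row["proto"] == "udp"


def dns_queries(rows):
    """Forward lookups sent to the resolver. Reverse (in-addr.arpa) lookups are noise the OS
    generates for addresses it already contacted, so they are dropped."""
    return sorted({r["domain"] for r in rows
                   if is_resolver(r) and r["domain"]
                   and not r["domain"].endswith(".in-addr.arpa")})


def connections(rows):
    """Non-resolver flows, counted per (ip, port, domain) so repeated contacts stand out."""
    return Counter((r["ip"], r["port"], r["domain"]) for r in rows if not is_resolver(r))


def c2_candidates(rows):
    """Named connections not on the allowlist, and bare-IP flows reported separately
    because nothing in the table attributes them."""
    named, bare = {}, {}
    for (ip, port, domain), n in connections(rows).items():
        if domain is None:
            bare[(ip, port)] = n
        elif domain not in BENIGN_DOMAINS:
            named[(ip, port, domain)] = n
    return named, bare


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    print("queried names:", dns_queries(rows))
    named, bare = c2_candidates(rows)
    for key, n in named.items():
        print("candidate:", key, "x", n)
    for key, n in bare.items():
        print("unattributed:", key, "x", n)
```

Run against the full table above, the only named non-allowlisted destination is www.server.com at 52.8.126.80:80, contacted repeatedly over plain HTTP; 20.231.121.79:80 has no name on the page and should be kept as an unattributed observation rather than silently dropped or silently promoted.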

Files

memory/4420-0-0x0000000074DC0000-0x0000000075371000-memory.dmp

memory/4420-1-0x0000000074DC0000-0x0000000075371000-memory.dmp

memory/4420-2-0x0000000001A80000-0x0000000001A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Testing.exe

MD5 ee9b34767367aaa660049adb43c094de
SHA1 9884c5d7ef3eb03591515e6caac0ed70a62d7689
SHA256 06d70401728ba068a54e4a1facf2a533f7b05530a433c4066175163094a29e8b
SHA512 455e326f24a7b388f32b5e742c8eef1148fef0387e35c403cfbe920b1dd6bec8362f0c95a5c7e87898b648d051f097efb76e523eb9ccdb79c63f3c95c9272d82

memory/448-14-0x0000000010410000-0x0000000010475000-memory.dmp

memory/2432-18-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/2432-19-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/448-74-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/2432-77-0x00000000035B0000-0x00000000035B1000-memory.dmp

memory/2432-78-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/2432-79-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 246a200ee8db2230455750e6becb3f2a
SHA1 547ef76d3eeef614a8a37baf03e462af21129fe6
SHA256 d719faea7ed8f1680e914b1ba2c5ed22962523ab3053f0bdc7a087d04c04d16d
SHA512 70f3b7b4536fbfa5d40c904ebe40ac52ffad918301c0303afd5757d98a3c0a8133d36733136e6e883113cd3d10b75f536261368cc930ed62e2e05c19ff624136

memory/4420-112-0x0000000074DC0000-0x0000000075371000-memory.dmp

memory/3956-151-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/2432-171-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c44c942ee96a70a9e9561bcb83c80dec
SHA1 847ca80362721f0b5dd10edff794c1c6defba373
SHA256 32e8499b5ee7fbb149b10b5b2141cabcf32d4697aa66130f94248657939db4e3
SHA512 478f7d11f7ef3650363ca0ac4429d4a8327409b26535b9e1d3aef2cd6ab7555e74df6fc23503234f10b44141a677a2de391d9d11d6c2918f824468f20b52a83c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 398fdc6f9f6a4772e086a141517fc033
SHA1 3dcf17d0a78ae669ec58310692e5755b3ca3bc6c
SHA256 cee7eea49cf98365b7f638a39ca9df78bbad5f9b9f156e8f92a66868cd655a92
SHA512 3f18189d3bbee9d56521f264f81f1f7746cc717e2acb1f4df14ace7c646dbdc233a234061bb2619d0304a0b3fe43c9966f2381ad4f3e582215beecc578fb0367

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 179ba186b21fa44ceab50b7d92b0828e
SHA1 c57f049e00ced758f68a1fcdca867299eaeb65b0
SHA256 c7c2d62a8e6cb54daff3b80eb5574a000c4e46e871b201a9742c9e1606b240c3
SHA512 4d8baf79b8f71018b865595a25847723818033e8ca9ca351356cbee81df808a9ccf7d334d804b834469717bc56a02dcb0b7f4e93246ae356bd672984f8afb2be

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 45e7defba5c0203ae1168f0ce056dfd5
SHA1 f09eeb6e1ef276b145bb915d4b6aea1584a613e3
SHA256 c11d8468976a0c39e209bc3006fb85205e821ca025662f852e4fab442971e876
SHA512 8ecb08170b253259598c844cab270b5842666b1324f67b727d9550d19cc9e174559f1e053afa682298f7e0a042b1aec0d6148866b32f6f1e6ea1bfca58c7d933

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a932e66a9e3b430908bea627fa69d8a3
SHA1 415fb98f398d7f8d2fd2283a91aee6054c3aed30
SHA256 4e21765d18aab245aef29236c7b6e3a9e31a5d6aaa4864b033e97926669b610e
SHA512 1be493d84bcc733fc91b20924ae62a75bebf6b12c572e1b45bceed0692514239d7527a802072947c57967d22274b779da481cbe922f4582abbf10fe2218805c4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 60e6b3d9586d7295b89e7e61c57d0497
SHA1 3b6bbf6db8a56fc9c51596a1a51cab95cb086782
SHA256 4632860f639e9d4dc91c0555b5a0d0106e911a35ad10e36c3bc21ac9e5c1130a
SHA512 8320ed70c399478cdab465677ec02566460e868219da0c1e2c27f7c4d344be6711770fa32481afef32682a63a3af69fc8eb519fc8e767a8e73b77515288b15c3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 40eaf928d0369e0f29092423510c29a9
SHA1 6d9e259b8f1c7b92a24ec24b1ee884fb53493019
SHA256 b1af80668cd7aebc9bed8dbe590232fc7c89f733b0b73e8c62b4810de9e63663
SHA512 d90f64dea676f994498ad9054539d3e3ce6ba49951f139cc4e245a44f403202af66b43cb8fcb9e5fc6120eb4376b41a6d13aa63f46c2c90da382b21271e3115f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ee0cc6eb4643a60c2367e4ed157a1a2d
SHA1 1a08792d51482751ed5c4c422059dcce70fc7c65
SHA256 aaecad526247b5444f5baf7421fa611b47413d5c4ae28523e6cd2cdbbd42c62e
SHA512 e599d305aafd7833ee67d5fdb4214d1d5706825a1f942e829b7ad540a64aa5c46a160ee7bb7f750b791675752b990f34a1d0b84be3f93c86a5d09a0db1ee216a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d7ea396d39fa7d9941f542dfa72b738e
SHA1 6adea0e35b6831b9bf16cc67ef90e6b57061c8fa
SHA256 6d7a127e5b9789ebefce5470188b83cb977f2914306637efe077311625708a82
SHA512 def6b1473b8883f7ffebdf60f669a6cc6737c5099b1fcbabe219221616af3cdd3d45181f0f42e7ef87cc2fac6227828225edbfa9302ba89b8cd77c016a86112e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 471ad42abf8c756e1acb3fee0fbcd915
SHA1 bd3da7ec30399779d9f8bd3ac899d9000e4ab313
SHA256 52d83c569a6dd0dc03b08de57d5adb48bd9411296b815ac792ee761e543d3a53
SHA512 60cb9f3037a1c95edb30025d8a50af657dc3b283cceed6ac5e0fc0981e418e4840c075126dd1594f06905646615a37c9a873d6079b86a14c81ae6f76cb4687e9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e63eb29dd2e3d73ef79256d3c4937cac
SHA1 bfe62e9ada9ec19d6a2ff2c2d528e93ca0c6595a
SHA256 9fd33fd0c2dc0476e8fdb94b7853433fcde0e27b8998e84eedb73bb549424f83
SHA512 9d513ae48bea3e419ef3f14569f01a49369af4ec75198b295d933452387a73045a9e7ef38d2e07ecb303be331246a508d3eaadad88007e534ce286870a38b91a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1cf8aa6624b5234bb3916b0f8b4f0971
SHA1 9f4aeea3fed663a3ff678b6811d6f898eebffd87
SHA256 b026255540770d8ec70fb7f85c736b49dd3efdede9aa6790bd104b74c20c80d5
SHA512 541600641ccc139de8c1b24bb5aa75758aad82ad20354532b3997baf457f162ed6732f9e194c36281d28ffd13998ac1999ecb1b796ce2f94ae30c596191a2144

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5a9b5e1b6afd48e45a9daa96cf816580
SHA1 d7bc516473b6d777dee841e8671f0d2a116b386c
SHA256 4c908b07a2a36acb500de253d80dd70fa9d483266d698bd84e458c316d200dbf
SHA512 9822da645112fc79cb4c03ca12fbbe58e55f11f56275496bb977cedbe02e38efd8631c881834f3b1dc4a0a0bf4f886a08211c4a06ef08150df6252b9dc708e68

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4be75c847a0488208738ddb1e17b6381
SHA1 f79f3df86a6581b93891c9ed29b4360548a1199a
SHA256 1dd6b93a12db99bdf685470e97f6b4f3d3e1638f7b71f35f2793315a55d499ba
SHA512 094b4b37eb44fec1eaeb1e043beb9e5dd0db1fbf7e9fb98a5f0662a8d83bc92abba948ca0e71a3461d15ccc3dd02199d094eb3cb8bd54419515a6d0b0db93b3c

memory/3956-1440-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5f7b9675433fa983fd1baf5db5219ca2
SHA1 d9f4e9b376a78c179b639ca595ec7d4314fa01b0
SHA256 84093636a666012d803756375105e6e8f0b13fde779f4e12d5acc3a4f83adb56
SHA512 7eca92416d2949dc47d06340e3a484fe0c68ec87db5d38180c6b99684bb6a6dc7897bdae25bdb799a38f076ffcc8f369cb99c09554ef38421385360a63ce93a4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8b06bc695616e6daa2f917a15f283151
SHA1 02372e1208fd332a94ed445d9cbffcde2da08f86
SHA256 d1d598eafee3b9170270fae0bd9ceaaeef943b1f1c8a6e7fd62ba6806f45cbaa
SHA512 bd35bfb9860e41192280a02c74734d8756f3a2f51a22795eb32f22e19e2f69c8abe919426c4fbff1049f5f22b3b62fb02499179db10d4bb75cd9329fb6e406a5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 be3b8886f20ea6a3175bd69b9577c6f6
SHA1 3f3ac37053eb310e4e79c0f7446d517a6b13f26d
SHA256 0b615216435a5130666646ada3189640df623419ddbf10f5b1acddf3a139ff24
SHA512 c0a451d993adf4d8b7e715531c947286fcc8463b74c8fa635d94fb80a3e00578ebe067729000ce7457985d6359a1123a77a6b4d9eea8979560f2788669d620ee

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b0838df9e181885aea7c6ed6d249f4cc
SHA1 cfee3e54cc68f47928db5ad37b391ec8cf853b84
SHA256 0c9b1d790b20cbb66298ba5c5252cf14759529f96f239195570c498b57bdd5d3
SHA512 970c32f55b786d3e62941475290400d08b5fd2f00c4a7fa553252ada7ac987ae7d6da07985006d4794e7cc9f78762069d35e89e26d9ca89ceaed5f145fef6300
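The Files section mixes memory-dump regions with dropped files, and the same path (Admin7) appears many times with different hashes, meaning the file was rewritten repeatedly during the run. The following is an added example, not code from the sandbox or the report: it parses entries in the section's format, validates digest lengths, counts how many distinct contents each path had, and groups dump regions by size across PIDs, since a region of identical size (0x65000 here) showing up in several processes is the first thing to diff when injection is suspected. The sample input is a constructed subset of the entries above with some hash lines omitted.

```python
import re
from collections import defaultdict

# Line formats in the Files section: a memory-dump entry, or a dropped-file path followed by
# its MD5 / SHA1 / SHA256 / SHA512 lines. Entries are separated by blank lines.
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: a subset of the section above (real entries, some hash lines omitted).
SAMPLE_FILES = r"""
memory/448-14-0x0000000010410000-0x0000000010475000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Testing.exe

MD5 ee9b34767367aaa660049adb43c094de
SHA1 9884c5d7ef3eb03591515e6caac0ed70a62d7689
SHA256 06d70401728ba068a54e4a1facf2a533f7b05530a433c4066175163094a29e8b

memory/2432-78-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c44c942ee96a70a9e9561bcb83c80dec
SHA256 32e8499b5ee7fbb149b10b5b2141cabcf32d4697aa66130f94248657939db4e3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 398fdc6f9f6a4772e086a141517fc033
SHA256 cee7eea49cf98365b7f638a39ca9df78bbad5f9b9f156e8f92a66868cd655a92

memory/3956-151-0x0000000010560000-0x00000000105C5000-memory.dmp
"""


def parse_files(text):
    """Return (dropped, dumps): dropped is a list of {"path": ..., "MD5": ..., ...} records,
    dumps is a list of (pid, start, end) address ranges."""
    dropped, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            dumps.append((int(m["pid"]), int(m["start"], 16), int(m["end"], 16)))
            current = None
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LEN:
            if current is None:
                raise ValueError(f"{algo} line without a preceding path: {line!r}")
            if len(digest) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                raise ValueError(f"malformed {algo} for {current['path']}: {digest!r}")
            current[algo] = digest
            continue
        current = {"path": line}  # any other line starts a new dropped-file entry
        dropped.append(current)
    return dropped, dumps


def versions_per_path(dropped):
    """Distinct contents seen per path; more than one means the file was rewritten during the run."""
    by_path = defaultdict(set)
    for rec in dropped:
        by_path[rec["path"]].add(rec.get("SHA256") or rec.get("MD5"))
    return {path: len(hashes) for path, hashes in by_path.items()}


def shared_region_sizes(dumps):
    """Dump regions of identical size present in more than one PID, keyed by size in bytes."""
    by_size = defaultdict(set)
    for pid, start, end in dumps:
        by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    dropped, dumps = parse_files(SAMPLE_FILES)
    for path, n in versions_per_path(dropped).items():
        print(f"{path}: {n} distinct version(s)")
    for size, pids in shared_region_sizes(dumps).items():
        print(f"region size 0x{size:x} dumped from PIDs {pids}")
```

The SHA256 values collected this way are the blocklist material; the per-path version count separates a one-shot drop (Testing.exe, one hash) from a continuously updated artifact (Admin7, a new hash on every capture), which is a different kind of indicator and should not be treated as sixteen unrelated files.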