Analysis Overview
SHA256
5623a900a9d242177a0b737deb794982eb2c37d09dc1c4c9f0af76b20a0657b9
Threat Level: Known bad
The file f6502fe2f8d492436051cff7a249b961_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Modifies Installed Components in the registry
Adds policy Run key to start application
UPX packed file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-17 17:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 17:35
Reported
2024-04-17 17:37
Platform
win7-20240221-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV} | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV} | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Testing.exe
"C:\Users\Admin\AppData\Local\Temp\Testing.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\Testing.exe
"C:\Users\Admin\AppData\Local\Temp\Testing.exe"
C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 17:35
Reported
2024-04-17 17:37
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV} | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\install\server.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Testing.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Testing.exe
"C:\Users\Admin\AppData\Local\Temp\Testing.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\Testing.exe
"C:\Users\Admin\AppData\Local\Temp\Testing.exe"
C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 220 -ip 220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 592
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.166.213.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files