Malware Analysis Report

2024-09-22 10:10

Sample ID 240419-dlhmksga3v
Target f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118
SHA256 c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8
Tags
upx powers cybergate persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8

Threat Level: Known bad

The file f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx powers cybergate persistence stealer trojan

Cybergate family

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

Loads dropped DLL

Checks computer location settings

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-19 03:05

Signatures

Cybergate family

cybergate

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 03:05

Reported

2024-04-19 03:08

Platform

win7-20231129-en

Max time kernel

150s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Services = "C:\\Windows\\system32\\Win32\\services.exe" C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Services = "C:\\Windows\\system32\\Win32\\services.exe" C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P}\StubPath = "C:\\Windows\\system32\\Win32\\services.exe Restart" C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P}\StubPath = "C:\\Windows\\system32\\Win32\\services.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P} C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Win32\services.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Win32\services.exe C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Win32\ C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Win32\services.exe C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Win32\services.exe C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2512 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\Win32\services.exe

"C:\Windows\system32\Win32\services.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/2512-0-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1372-4-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/676-249-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/676-307-0x0000000000100000-0x0000000000101000-memory.dmp

memory/676-543-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Windows\SysWOW64\Win32\services.exe

MD5 f95d0beafe5a035fb1cd6073ae4a76ae
SHA1 5969347c5b1f4156091b54edc834c997054cef82
SHA256 c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8
SHA512 3205e94f491f6032b33aa00ec78a37a07b02e08c308a1172d6b7b5605d6acd9d07d8bb36bd86d60d27147cb9496d9d37aff84e81d79363e5d59385c5ca0579b0

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 57baee9c40963a02b29033e265168212
SHA1 f47e2dcd9e95b1186b2db2bab3ce79770a21db0b
SHA256 3be31be6ddb05484e59ead85d9aeda9bbd77ce4aae6a94c57b405a3de5cc382f
SHA512 77125bd0457624b519079a9e135e534633f6f2b8fae7986995d5d9cf15438c31848bd154b3cd3a92807f983bca78abe2d23954e571fc524a0425fb8b1a8cba04

memory/2512-562-0x0000000000460000-0x00000000004B7000-memory.dmp

memory/2784-563-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2784-846-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/2512-847-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

memory/2784-866-0x00000000053C0000-0x0000000005417000-memory.dmp

memory/2880-870-0x0000000000400000-0x0000000000457000-memory.dmp

memory/676-871-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cd02f9659124f68eaef4c74513e25474
SHA1 b3fc803c8817fcca0afc193869cd1a03a0e81e2d
SHA256 9bad9ee5a0a9f917c4fcc77e1b2353ebd0961674f767fa6f36d7e24fde773527
SHA512 6688b878ac6faed646405cc77045110a4574b00230f9376f2aafaa155f724dd9f28c82e2828967a17f6b132839ca5698d3ba1b926920044e2217325bef2f35fe

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 42be5d21734928f287c111cee6b5306e
SHA1 df968c49a2e7bf4020f84edea7b86b00e8ec8faa
SHA256 cb9345575c760218165f8f2ea6a38428627a630cadcd3f8f5bb14a4a0e067098
SHA512 f01f28eaa0eddba464c23fc4e256ac3655423d4a2b21aeef86fb62027e70680117eb0f02f378bcd182614a2e1cf8c03109b0846c2c27349b45f8dc41c26fdc11

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 074b982b59f5d3cd454af59247ad8169
SHA1 ff3d2022b53c1adf6acb670737240a875dffb256
SHA256 8494d6a3f4a7e580d10226fc1ba5e28e87c9ecd658f8825aece80c7face3dac8
SHA512 d571af3cb49747e98d88dbbd6a3a24609f093f822cd93a9ead6f572aa6da897cd70a4b243c2a86df768a8f5a4f0877e37116605052908f5e23b84339ca5af8a0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 dc9ce3db319142d81bbcb64a9450a06a
SHA1 2d4f8bce2e8949a575599348d33ff872608f9660
SHA256 4d298bca593ebdc8457ae3d53562e34ecd11faf0d7b8956b07ed06f6abf2488c
SHA512 6d6609af159763ffc0fea2be6ef63894cd4b95d1ff9a1ed8475b7b938e4aea01bebd92339016d2b60c658a6de5c21158c95b6f67bda180c458187179c0a5527d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ca7f5a4004f9e0855445df86b1f51a90
SHA1 4080c24e87c55440ec4d3c9b94e54f77702233bb
SHA256 f9af7c03699c04662b628d1851ec7cd981f2a1d35282d522ece4cd9bf4f884c1
SHA512 ca668d38f3b76924d3c76fa8e7feb520b9523efb8348f60f5774295c73e3b71c3a7f548eaef3e2236f512efe85f0b71acebe9ef282da0deb20c92ac18d033cf6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e94da00e3827c889f4479c340612c0f1
SHA1 9bfcc3080300a8a0d8da57f72ad7c03880634949
SHA256 2da63916206c28bce6c71d73fdc8cc5cf3206b07d76b114c03d6ed4d5b88a604
SHA512 65109182a1719505e78d8c1351081b573f6f52f4272970d99c27117ce077991a0a675de21056b64806bf009d8ff50f6ce57396bb6c083dddbd7aafc76b93fb03

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f9927255bf09fb75aee1261d51a74e24
SHA1 ae60b78b87f5f007ac0aa2579dffb8b7249a8f91
SHA256 a40cc19da6e80c6402b5f5cc91c372547d39d4a0cf1d3750d6fee73948155b24
SHA512 63bf9aa23964ba8050193a4ba8d052e4f829eb0278cd4d365fa09df5c8777f8a251939d5811ac01ab308b4d6259d3b8c36d99c24a204243deb18a6a106f2395a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3fe9727de3006525b31b42a305601c43
SHA1 6399bcd13d19f68c89f2e2d97bbe4a53af125474
SHA256 7f8d2fd30f735a1aad547cdfe98a1cdb42a3bfa654c104bf87c237aace7ee794
SHA512 a84757891931c488a58a194e6e2527b0650e7f22e7ac740f7218719669551c068d26131850749878fdbae802558e103f3a01a2146a6ed2ef6f5776e75d6c3812

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 57aa49514f026cca6b3c7d60e371e6ca
SHA1 858a2cd012cbfd7a57b06b2a33d33fc8c4fbf7f4
SHA256 a64e353f4e592fa6f4069ba40720746cfa18b7d7f4db6b4100a77c856e056cf0
SHA512 dc21e8c470b15b5e552f09f3cd0dc0108466d90590e33b2b859b8030e6bdb35264fa025e15ea08ea66563d0c19577665578fee814fc9c846e6d7dd52f482d4a1

memory/2784-1397-0x00000000240F0000-0x0000000024152000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6f2f6ac6e2f74ef8a5cfb4ea068f4c5a
SHA1 8c082e8704eb8f0bd8fdb3e0928ec5bed77b2df2
SHA256 974fae232046768f7d1d43ea96c057411c800ebaf5ed7fa66879f56f876bd65f
SHA512 92619a2bd384e1dcf0f57c34304c0794c9fcbf082ce6db94aa7bedfe36bbc476b11eb1e8ee31aa3fb5cd7a1fd6ebd2f2be0df5d9d5fc792a2b19c85d345f1718

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 04c075218a6190a3504974c4af8f46c1
SHA1 8c92c808575089d161b7b67f3fe5058ec826a8da
SHA256 66a086ea485ec1e033dd003e8b7bbdf4e70cd4e0ab792680c4ed7d9be7cf5136
SHA512 4423d3330c8ff5cddb894c82ef2fb0302c2d8b6569ed2430b7d36b71ab4f5a024c15347ad08def11a5636646ae1d7becd15728a2f86c574627576b4cf9f2c08b

memory/2784-1547-0x00000000053C0000-0x0000000005417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 796f6a1afad8feba1e545bd24e325b82
SHA1 37c31b65370888f4b5f2caf0a0d9d1cada7d00cc
SHA256 39e8e945081db463260e8f12b238b6d6d2801cf6fe6ab1756ff8bf201af31c08
SHA512 fc2da8598d6e904654828b132867f33a935c1a89f572b771a08b1c30b4689260c9a868c032106e960ed022e3e0bc41669347e0d90b3d5b032f9d9674d91b4858

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cf531f5aef0e28a380e618468f0ef544
SHA1 cc4f7ec429e9c231e76d8b79bafd47e49bcfb21a
SHA256 83aca2784e274e6978c40106b6c6ac8f0d0b8c3344bc578e045b05ba00d1af8a
SHA512 847dd2d54f3c6cf6a6b7f7367e3986e8ecbfa49f2e313f45cd1934f03635282ca6fec6f25be5c48e2ac0ea2908bc820762a8a2adf1e239fa9d779d61951f4b04

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d23c537b3f6f55753e521048d8868fff
SHA1 bdbb759a2b0c3e3d64a99cede816eb62abc658be
SHA256 c18d000fbeb149eeefaca8658466d47b93c2d01042577b6c480d51ede6322303
SHA512 ea66033b94d03761fd7b768edb79c3366a78177efffdcb26bddebe52635d86d1af45b9a5dae8c5f4746077241c8a290411b6e14d245c6259181ad59422801980

memory/2784-1712-0x0000000005410000-0x0000000005467000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 461758c695e6084836ab6bad73de76fe
SHA1 d066aa11e6dbcf381d5ebbed1986f6cb6984f29d
SHA256 d9a54d1bb52c12ad02b58ae0b75d913623dbdecdf52de1d2dbc7d861ecab34e3
SHA512 27d54b7e216e13d582ed0d46c6facdf69ea994f51e10653fa336b0dbd8bcffb1fc3ae4ad73e5aaf619189ec8fa11350cf5c10303ec19affcd16e4bd485ab0cb1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e1c17d2a61355a70a67876a1857e719f
SHA1 8ef8d49008bb6f838227dda6e823e935e2f5301a
SHA256 ce58f19cee0edf1b9beed57a3808161e7dc39bbd191908ec7379528dabd16c6b
SHA512 ec0cd42544b84627ad94c93857b1be2c1931e5dc1ed6ca21e344dce4efc5109fa0a88582e14e836f60e8b3483da30ddf63c93046feb0bb7b281f9c6ea2d9ba0f

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 03:05

Reported

2024-04-19 03:08

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Services = "C:\\Windows\\system32\\Win32\\services.exe" C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Services = "C:\\Windows\\system32\\Win32\\services.exe" C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P}\StubPath = "C:\\Windows\\system32\\Win32\\services.exe Restart" C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P}\StubPath = "C:\\Windows\\system32\\Win32\\services.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P} C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Win32\services.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Win32\services.exe C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Win32\services.exe C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Win32\services.exe C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Win32\ C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Win32\services.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4092 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe C:\Windows\Explorer.EXE
(the row above is recorded 52 times in this run: the sample, PID 4092, repeatedly writes into the memory of Explorer.EXE, PID 3444)

Processes

Process Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe"
C:\Windows\SysWOW64\Win32\services.exe "C:\Windows\system32\Win32\services.exe"
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1564 -ip 1564
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 572

Note the services.exe row: the command line names C:\Windows\system32\Win32\services.exe, but the image actually runs from C:\Windows\SysWOW64\Win32\services.exe. The sample is a 32-bit process (its child explorer.exe and the WerFault.exe instances also run from SysWOW64), so on 64-bit Windows its write under system32 is redirected to SysWOW64 by WoW64 file system redirection. A hunt for this persistence binary should check both directories. The two WerFault.exe rows are the crash reporter handling PID 1564 (-p 1564), the same process whose image is captured in memory/1564-157 under Files.

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp

Files

memory/4092-0-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4092-4-0x0000000024010000-0x0000000024072000-memory.dmp

memory/2484-8-0x0000000000B30000-0x0000000000B31000-memory.dmp

memory/2484-9-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/4092-64-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/2484-67-0x0000000003D20000-0x0000000003D21000-memory.dmp

memory/2484-68-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/2484-69-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Windows\SysWOW64\Win32\services.exe
(a copy of the sample itself: its MD5 is the hash the submitted file is named after, f95d0beafe5a035fb1cd6073ae4a76ae)

MD5 f95d0beafe5a035fb1cd6073ae4a76ae
SHA1 5969347c5b1f4156091b54edc834c997054cef82
SHA256 c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8
SHA512 3205e94f491f6032b33aa00ec78a37a07b02e08c308a1172d6b7b5605d6acd9d07d8bb36bd86d60d27147cb9496d9d37aff84e81d79363e5d59385c5ca0579b0

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 57baee9c40963a02b29033e265168212
SHA1 f47e2dcd9e95b1186b2db2bab3ce79770a21db0b
SHA256 3be31be6ddb05484e59ead85d9aeda9bbd77ce4aae6a94c57b405a3de5cc382f
SHA512 77125bd0457624b519079a9e135e534633f6f2b8fae7986995d5d9cf15438c31848bd154b3cd3a92807f983bca78abe2d23954e571fc524a0425fb8b1a8cba04

memory/1720-75-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4092-90-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1720-138-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/4092-137-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

memory/1564-157-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2484-159-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
(this path is captured 17 times below, each time with different content; every entry is a separate version of the file written during the run)

MD5 3fe9727de3006525b31b42a305601c43
SHA1 6399bcd13d19f68c89f2e2d97bbe4a53af125474
SHA256 7f8d2fd30f735a1aad547cdfe98a1cdb42a3bfa654c104bf87c237aace7ee794
SHA512 a84757891931c488a58a194e6e2527b0650e7f22e7ac740f7218719669551c068d26131850749878fdbae802558e103f3a01a2146a6ed2ef6f5776e75d6c3812

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 57aa49514f026cca6b3c7d60e371e6ca
SHA1 858a2cd012cbfd7a57b06b2a33d33fc8c4fbf7f4
SHA256 a64e353f4e592fa6f4069ba40720746cfa18b7d7f4db6b4100a77c856e056cf0
SHA512 dc21e8c470b15b5e552f09f3cd0dc0108466d90590e33b2b859b8030e6bdb35264fa025e15ea08ea66563d0c19577665578fee814fc9c846e6d7dd52f482d4a1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6f2f6ac6e2f74ef8a5cfb4ea068f4c5a
SHA1 8c082e8704eb8f0bd8fdb3e0928ec5bed77b2df2
SHA256 974fae232046768f7d1d43ea96c057411c800ebaf5ed7fa66879f56f876bd65f
SHA512 92619a2bd384e1dcf0f57c34304c0794c9fcbf082ce6db94aa7bedfe36bbc476b11eb1e8ee31aa3fb5cd7a1fd6ebd2f2be0df5d9d5fc792a2b19c85d345f1718

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 04c075218a6190a3504974c4af8f46c1
SHA1 8c92c808575089d161b7b67f3fe5058ec826a8da
SHA256 66a086ea485ec1e033dd003e8b7bbdf4e70cd4e0ab792680c4ed7d9be7cf5136
SHA512 4423d3330c8ff5cddb894c82ef2fb0302c2d8b6569ed2430b7d36b71ab4f5a024c15347ad08def11a5636646ae1d7becd15728a2f86c574627576b4cf9f2c08b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 796f6a1afad8feba1e545bd24e325b82
SHA1 37c31b65370888f4b5f2caf0a0d9d1cada7d00cc
SHA256 39e8e945081db463260e8f12b238b6d6d2801cf6fe6ab1756ff8bf201af31c08
SHA512 fc2da8598d6e904654828b132867f33a935c1a89f572b771a08b1c30b4689260c9a868c032106e960ed022e3e0bc41669347e0d90b3d5b032f9d9674d91b4858

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cf531f5aef0e28a380e618468f0ef544
SHA1 cc4f7ec429e9c231e76d8b79bafd47e49bcfb21a
SHA256 83aca2784e274e6978c40106b6c6ac8f0d0b8c3344bc578e045b05ba00d1af8a
SHA512 847dd2d54f3c6cf6a6b7f7367e3986e8ecbfa49f2e313f45cd1934f03635282ca6fec6f25be5c48e2ac0ea2908bc820762a8a2adf1e239fa9d779d61951f4b04

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d23c537b3f6f55753e521048d8868fff
SHA1 bdbb759a2b0c3e3d64a99cede816eb62abc658be
SHA256 c18d000fbeb149eeefaca8658466d47b93c2d01042577b6c480d51ede6322303
SHA512 ea66033b94d03761fd7b768edb79c3366a78177efffdcb26bddebe52635d86d1af45b9a5dae8c5f4746077241c8a290411b6e14d245c6259181ad59422801980

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 461758c695e6084836ab6bad73de76fe
SHA1 d066aa11e6dbcf381d5ebbed1986f6cb6984f29d
SHA256 d9a54d1bb52c12ad02b58ae0b75d913623dbdecdf52de1d2dbc7d861ecab34e3
SHA512 27d54b7e216e13d582ed0d46c6facdf69ea994f51e10653fa336b0dbd8bcffb1fc3ae4ad73e5aaf619189ec8fa11350cf5c10303ec19affcd16e4bd485ab0cb1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e1c17d2a61355a70a67876a1857e719f
SHA1 8ef8d49008bb6f838227dda6e823e935e2f5301a
SHA256 ce58f19cee0edf1b9beed57a3808161e7dc39bbd191908ec7379528dabd16c6b
SHA512 ec0cd42544b84627ad94c93857b1be2c1931e5dc1ed6ca21e344dce4efc5109fa0a88582e14e836f60e8b3483da30ddf63c93046feb0bb7b281f9c6ea2d9ba0f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0b224c63e2a4e19c665215b671307127
SHA1 858585ff709ff3848e6362cefe6c5d457d9f8b4e
SHA256 b86454d1c4a90dc00be4a8aeb913de67cf4b95df3868790de7a78e1e062ed63a
SHA512 65f222686b76109ad6316bbd46bea73e4dd1017d4a3201a1151be7f36896b513851c4e32a130d600a5c2af803911088c981af5bc9acd52e24bc879138285c39b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d8fc2eb70b3c68f846cc3bf479a74487
SHA1 94659d10dbdc167b08f251aa475ed68a10be91d3
SHA256 bc1833986cc84cefdb73b29e52bcbff22e16fe76c076578ac2dde95f7eed40e3
SHA512 4335a95c97c5fc5ed17683576fb5f2352c80cc2103fc86d81bfb51aed2a4f2422b87b51d141b7d58a281ce8a6f95995f5e39ff3471fff2554606163ca510ec88

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7a0c116b6ffaed03f924a8163ff018c3
SHA1 6e4fd807fdff68a4c59353cc2fa431eb12069d3e
SHA256 35215a98bde83dc21a049901f92bff80be9bfbfb1386f996e347482010d4f03b
SHA512 f09f38668c2c5dcf8e0be147e30aa97a3a9078961e785f43e0a4b390a6effd2b9255c964068365e6fa3208d902cd6577d40c012c6b14fb135f97445872a88797

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4fb0a0c917c6461fc88fbd283700c597
SHA1 efd7784a0a695a8412252407bcde98ee65a4998f
SHA256 35b981b47e65250aa3f67b7efd8e6ff12d8dcac679b78b59c06c028dcc362811
SHA512 405a8f89b4ac7d39671b3c9c4ae0551f2a9b24a87e764e084a7a479a07655ef80fab9da508319a7540c7e4ee4716bda624f3996d381762a8182569f07f515ed8

memory/1720-1281-0x00000000240F0000-0x0000000024152000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4411608a726a822805ceaa5057f233c1
SHA1 d44d35f2089e2f5019037669844233040cccf932
SHA256 3e7b71b95f023fdfcae37fd4ad6bbccc9f8c9120afca1dff3126fe8b50157bf6
SHA512 24b17445dd730d7a15b503f2bd1c735d3c36fe3779fece9d232a1fd692eac47d1688680b3b95f23088f62ca06efaca36c047409e2cdacb1fa4b1321e71955baa

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c07a95373d8e57ece4ed7c3b76081a45
SHA1 143e61fbea59f248e0a00bdf06ba4fcc571e5fa1
SHA256 fa08e0b0c9c3441f2731573f784a05e2c994fd6d3ae2e03668611b7a06fac245
SHA512 cf6e486656de9700573c6b8f22569ca5eabe249cf86149b979cbe0adf294d23ea3a3beb9fa5d7d5b56e4d3ccfe2455374008458c31441afde6541c439802f226

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2fdd68081cf7f5d15e2b8b365dc746c4
SHA1 1bff0b8e37f4ed1743f362ba3908fca7c051f8fd
SHA256 60523904008f301e580b786aec7998e310e43f40ea64b03215a4cfa99b0012d2
SHA512 7fc89869434a4aeb6b746f3d6edf13d171f3b41b0fc4bfecddafcf31064c60b5985ed6555583aef1fb2d42bc93fff675b9eac572fd8d20053bceac77abef6858

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 08db976670b354a30835611d4bfa4ac4
SHA1 b5ceba1db6e4de229548f9e7c21a8a5e2317a216
SHA256 1dadb25266433569412f0ac2624911e61fd959c4c04dab10751159d73753e78e
SHA512 3a63cb6f675c3e734a39638f9a6ee5b787dfd80dd8e49f6e0687df6c90e4ccca703cbf99d61cb5ccb57e87cb3fbd89c02f8bc1adb64180ade20a457be96743c7
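The Files and Network sections above are what an analyst turns into indicators. The following is an added example, not part of the sandbox report or of any tool it was produced by: it parses the plain-text layout of both sections (a short excerpt of the rows above is embedded as constructed input), flags the dropped file whose hashes match the sample, counts how often the same path was rewritten with different content, splits reverse-DNS lookups from the real connections, and expands the WoW64-redirected services.exe path so a host hunt checks both C:\Windows\SysWOW64 and C:\Windows\System32. SAMPLE_SHA256 is the value listed for services.exe above; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# SHA256 listed above for the dropped services.exe, i.e. the sample itself.
SAMPLE_SHA256 = "c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8"

# Constructed excerpt of the report's Files section (SHA1/SHA512 lines omitted
# for brevity; the parser accepts them when present).
FILES_SECTION = r"""
memory/4092-0-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Windows\SysWOW64\Win32\services.exe

MD5 f95d0beafe5a035fb1cd6073ae4a76ae
SHA256 c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3fe9727de3006525b31b42a305601c43
SHA256 7f8d2fd30f735a1aad547cdfe98a1cdb42a3bfa654c104bf87c237aace7ee794

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 57aa49514f026cca6b3c7d60e371e6ca
SHA256 a64e353f4e592fa6f4069ba40720746cfa18b7d7f4db6b4100a77c856e056cf0
"""

# Constructed excerpt of the report's Network section.
NETWORK_SECTION = """\
Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
NET_LINE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(tcp|udp)$")


def parse_files(text):
    """Return [{'path': ..., 'hashes': {'MD5': ..., ...}}]; any line that is not
    'ALGO hexdigest' starts a new entry (memory dumps carry no hashes)."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and records:
            records[-1]["hashes"][m.group(1)] = m.group(2).lower()
        else:
            records.append({"path": line, "hashes": {}})
    return records


def triage_files(records, sample_sha256):
    """Separate memory dumps from on-disk drops, flag drops that are the sample
    itself, and report paths rewritten with different content during the run."""
    by_path, self_copies, dumps = defaultdict(set), [], 0
    for r in records:
        if r["path"].startswith("memory/"):
            dumps += 1
            continue
        sha = r["hashes"].get("SHA256")
        if sha is None:
            continue
        by_path[r["path"]].add(sha)
        if sha == sample_sha256.lower() and r["path"] not in self_copies:
            self_copies.append(r["path"])
    rewritten = {p: len(s) for p, s in by_path.items() if len(s) > 1}
    return {"memory_dumps": dumps, "dropped": sorted(by_path),
            "self_copies": self_copies, "rewritten": rewritten}


def hunt_paths(path):
    r"""Both places a 32-bit dropper's write can land: WoW64 file system
    redirection turns a 32-bit process's write under C:\Windows\System32 into one
    under C:\Windows\SysWOW64, so a hunt must look in both."""
    low, variants = path.lower(), {path}
    for here, there in (("\\syswow64\\", "\\System32\\"), ("\\system32\\", "\\SysWOW64\\")):
        i = low.find(here)
        if i != -1:
            variants.add(path[:i] + there + path[i + len(here):])
    return variants


def ptr_to_ip(name):
    """'22.160.190.20.in-addr.arpa' -> '20.190.160.22'; None for forward names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def parse_network(text):
    """Split reverse-DNS lookups (usually OS background traffic) from forward
    lookups and from actual connections, counted per destination tuple."""
    ptr, forward, conns = set(), set(), Counter()
    for line in text.splitlines():
        m = NET_LINE.match(line.strip())
        if not m:  # header or blank line
            continue
        _country, dest, port, domain, proto = m.groups()
        ip = ptr_to_ip(domain)
        if ip:
            ptr.add(ip)
        elif port == "53" and proto == "udp":
            forward.add(domain)
        else:
            conns[(dest, int(port), domain, proto)] += 1
    return {"ptr_lookups": ptr, "forward_lookups": forward, "connections": dict(conns)}


if __name__ == "__main__":
    files = triage_files(parse_files(FILES_SECTION), SAMPLE_SHA256)
    print("self-copies:", files["self_copies"], "rewritten:", files["rewritten"])
    for p in files["self_copies"]:
        print("hunt in:", sorted(hunt_paths(p)))
    print("connections:", parse_network(NETWORK_SECTION)["connections"])
```

Running the script on the excerpt reports services.exe as the self-copy, XxX.xXx as rewritten twice, both system directories as hunt locations, and the only real connection as 52.8.126.80:80 (www.server.com, TCP); the in-addr.arpa rows resolve to the looked-up addresses rather than to contacted hosts, so they should not be promoted to network IOCs without further evidence.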