Analysis Overview
SHA256
c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8
Threat Level: Known bad
The file f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cybergate family
CyberGate, Rebhip
Modifies Installed Components in the registry
Adds policy Run key to start application
Loads dropped DLL
Checks computer location settings
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Analysis: static1
Detonation Overview
Reported
2024-04-19 03:05
Signatures
Cybergate family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 03:05
Reported
2024-04-19 03:08
Platform
win7-20231129-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Services = "C:\\Windows\\system32\\Win32\\services.exe" | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Services = "C:\\Windows\\system32\\Win32\\services.exe" | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P}\StubPath = "C:\\Windows\\system32\\Win32\\services.exe Restart" | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P}\StubPath = "C:\\Windows\\system32\\Win32\\services.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P} | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Win32\services.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Win32\services.exe | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Win32\ | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\Win32\services.exe | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Win32\services.exe | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\SysWOW64\Win32\services.exe | "C:\Windows\system32\Win32\services.exe" |
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | www.server.com | udp | 1 |
| US | 52.8.126.80:80 | www.server.com | tcp | 13 |
Count: consecutive identical flows collapsed into one row, order preserved.
Files
memory/2512-0-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1372-4-0x0000000002A10000-0x0000000002A11000-memory.dmp
memory/676-249-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/676-307-0x0000000000100000-0x0000000000101000-memory.dmp
memory/676-543-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Windows\SysWOW64\Win32\services.exe
| MD5 | f95d0beafe5a035fb1cd6073ae4a76ae |
| SHA1 | 5969347c5b1f4156091b54edc834c997054cef82 |
| SHA256 | c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8 |
| SHA512 | 3205e94f491f6032b33aa00ec78a37a07b02e08c308a1172d6b7b5605d6acd9d07d8bb36bd86d60d27147cb9496d9d37aff84e81d79363e5d59385c5ca0579b0 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 57baee9c40963a02b29033e265168212 |
| SHA1 | f47e2dcd9e95b1186b2db2bab3ce79770a21db0b |
| SHA256 | 3be31be6ddb05484e59ead85d9aeda9bbd77ce4aae6a94c57b405a3de5cc382f |
| SHA512 | 77125bd0457624b519079a9e135e534633f6f2b8fae7986995d5d9cf15438c31848bd154b3cd3a92807f983bca78abe2d23954e571fc524a0425fb8b1a8cba04 |
memory/2512-562-0x0000000000460000-0x00000000004B7000-memory.dmp
memory/2784-563-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2784-846-0x00000000240F0000-0x0000000024152000-memory.dmp
memory/2512-847-0x0000000000400000-0x0000000000457000-memory.dmp
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
memory/2784-866-0x00000000053C0000-0x0000000005417000-memory.dmp
memory/2880-870-0x0000000000400000-0x0000000000457000-memory.dmp
memory/676-871-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | cd02f9659124f68eaef4c74513e25474 |
| SHA1 | b3fc803c8817fcca0afc193869cd1a03a0e81e2d |
| SHA256 | 9bad9ee5a0a9f917c4fcc77e1b2353ebd0961674f767fa6f36d7e24fde773527 |
| SHA512 | 6688b878ac6faed646405cc77045110a4574b00230f9376f2aafaa155f724dd9f28c82e2828967a17f6b132839ca5698d3ba1b926920044e2217325bef2f35fe |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 42be5d21734928f287c111cee6b5306e |
| SHA1 | df968c49a2e7bf4020f84edea7b86b00e8ec8faa |
| SHA256 | cb9345575c760218165f8f2ea6a38428627a630cadcd3f8f5bb14a4a0e067098 |
| SHA512 | f01f28eaa0eddba464c23fc4e256ac3655423d4a2b21aeef86fb62027e70680117eb0f02f378bcd182614a2e1cf8c03109b0846c2c27349b45f8dc41c26fdc11 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 074b982b59f5d3cd454af59247ad8169 |
| SHA1 | ff3d2022b53c1adf6acb670737240a875dffb256 |
| SHA256 | 8494d6a3f4a7e580d10226fc1ba5e28e87c9ecd658f8825aece80c7face3dac8 |
| SHA512 | d571af3cb49747e98d88dbbd6a3a24609f093f822cd93a9ead6f572aa6da897cd70a4b243c2a86df768a8f5a4f0877e37116605052908f5e23b84339ca5af8a0 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | dc9ce3db319142d81bbcb64a9450a06a |
| SHA1 | 2d4f8bce2e8949a575599348d33ff872608f9660 |
| SHA256 | 4d298bca593ebdc8457ae3d53562e34ecd11faf0d7b8956b07ed06f6abf2488c |
| SHA512 | 6d6609af159763ffc0fea2be6ef63894cd4b95d1ff9a1ed8475b7b938e4aea01bebd92339016d2b60c658a6de5c21158c95b6f67bda180c458187179c0a5527d |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ca7f5a4004f9e0855445df86b1f51a90 |
| SHA1 | 4080c24e87c55440ec4d3c9b94e54f77702233bb |
| SHA256 | f9af7c03699c04662b628d1851ec7cd981f2a1d35282d522ece4cd9bf4f884c1 |
| SHA512 | ca668d38f3b76924d3c76fa8e7feb520b9523efb8348f60f5774295c73e3b71c3a7f548eaef3e2236f512efe85f0b71acebe9ef282da0deb20c92ac18d033cf6 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | e94da00e3827c889f4479c340612c0f1 |
| SHA1 | 9bfcc3080300a8a0d8da57f72ad7c03880634949 |
| SHA256 | 2da63916206c28bce6c71d73fdc8cc5cf3206b07d76b114c03d6ed4d5b88a604 |
| SHA512 | 65109182a1719505e78d8c1351081b573f6f52f4272970d99c27117ce077991a0a675de21056b64806bf009d8ff50f6ce57396bb6c083dddbd7aafc76b93fb03 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f9927255bf09fb75aee1261d51a74e24 |
| SHA1 | ae60b78b87f5f007ac0aa2579dffb8b7249a8f91 |
| SHA256 | a40cc19da6e80c6402b5f5cc91c372547d39d4a0cf1d3750d6fee73948155b24 |
| SHA512 | 63bf9aa23964ba8050193a4ba8d052e4f829eb0278cd4d365fa09df5c8777f8a251939d5811ac01ab308b4d6259d3b8c36d99c24a204243deb18a6a106f2395a |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 3fe9727de3006525b31b42a305601c43 |
| SHA1 | 6399bcd13d19f68c89f2e2d97bbe4a53af125474 |
| SHA256 | 7f8d2fd30f735a1aad547cdfe98a1cdb42a3bfa654c104bf87c237aace7ee794 |
| SHA512 | a84757891931c488a58a194e6e2527b0650e7f22e7ac740f7218719669551c068d26131850749878fdbae802558e103f3a01a2146a6ed2ef6f5776e75d6c3812 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 57aa49514f026cca6b3c7d60e371e6ca |
| SHA1 | 858a2cd012cbfd7a57b06b2a33d33fc8c4fbf7f4 |
| SHA256 | a64e353f4e592fa6f4069ba40720746cfa18b7d7f4db6b4100a77c856e056cf0 |
| SHA512 | dc21e8c470b15b5e552f09f3cd0dc0108466d90590e33b2b859b8030e6bdb35264fa025e15ea08ea66563d0c19577665578fee814fc9c846e6d7dd52f482d4a1 |
memory/2784-1397-0x00000000240F0000-0x0000000024152000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6f2f6ac6e2f74ef8a5cfb4ea068f4c5a |
| SHA1 | 8c082e8704eb8f0bd8fdb3e0928ec5bed77b2df2 |
| SHA256 | 974fae232046768f7d1d43ea96c057411c800ebaf5ed7fa66879f56f876bd65f |
| SHA512 | 92619a2bd384e1dcf0f57c34304c0794c9fcbf082ce6db94aa7bedfe36bbc476b11eb1e8ee31aa3fb5cd7a1fd6ebd2f2be0df5d9d5fc792a2b19c85d345f1718 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 04c075218a6190a3504974c4af8f46c1 |
| SHA1 | 8c92c808575089d161b7b67f3fe5058ec826a8da |
| SHA256 | 66a086ea485ec1e033dd003e8b7bbdf4e70cd4e0ab792680c4ed7d9be7cf5136 |
| SHA512 | 4423d3330c8ff5cddb894c82ef2fb0302c2d8b6569ed2430b7d36b71ab4f5a024c15347ad08def11a5636646ae1d7becd15728a2f86c574627576b4cf9f2c08b |
memory/2784-1547-0x00000000053C0000-0x0000000005417000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 796f6a1afad8feba1e545bd24e325b82 |
| SHA1 | 37c31b65370888f4b5f2caf0a0d9d1cada7d00cc |
| SHA256 | 39e8e945081db463260e8f12b238b6d6d2801cf6fe6ab1756ff8bf201af31c08 |
| SHA512 | fc2da8598d6e904654828b132867f33a935c1a89f572b771a08b1c30b4689260c9a868c032106e960ed022e3e0bc41669347e0d90b3d5b032f9d9674d91b4858 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | cf531f5aef0e28a380e618468f0ef544 |
| SHA1 | cc4f7ec429e9c231e76d8b79bafd47e49bcfb21a |
| SHA256 | 83aca2784e274e6978c40106b6c6ac8f0d0b8c3344bc578e045b05ba00d1af8a |
| SHA512 | 847dd2d54f3c6cf6a6b7f7367e3986e8ecbfa49f2e313f45cd1934f03635282ca6fec6f25be5c48e2ac0ea2908bc820762a8a2adf1e239fa9d779d61951f4b04 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d23c537b3f6f55753e521048d8868fff |
| SHA1 | bdbb759a2b0c3e3d64a99cede816eb62abc658be |
| SHA256 | c18d000fbeb149eeefaca8658466d47b93c2d01042577b6c480d51ede6322303 |
| SHA512 | ea66033b94d03761fd7b768edb79c3366a78177efffdcb26bddebe52635d86d1af45b9a5dae8c5f4746077241c8a290411b6e14d245c6259181ad59422801980 |
memory/2784-1712-0x0000000005410000-0x0000000005467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 461758c695e6084836ab6bad73de76fe |
| SHA1 | d066aa11e6dbcf381d5ebbed1986f6cb6984f29d |
| SHA256 | d9a54d1bb52c12ad02b58ae0b75d913623dbdecdf52de1d2dbc7d861ecab34e3 |
| SHA512 | 27d54b7e216e13d582ed0d46c6facdf69ea994f51e10653fa336b0dbd8bcffb1fc3ae4ad73e5aaf619189ec8fa11350cf5c10303ec19affcd16e4bd485ab0cb1 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | e1c17d2a61355a70a67876a1857e719f |
| SHA1 | 8ef8d49008bb6f838227dda6e823e935e2f5301a |
| SHA256 | ce58f19cee0edf1b9beed57a3808161e7dc39bbd191908ec7379528dabd16c6b |
| SHA512 | ec0cd42544b84627ad94c93857b1be2c1931e5dc1ed6ca21e344dce4efc5109fa0a88582e14e836f60e8b3483da30ddf63c93046feb0bb7b281f9c6ea2d9ba0f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 03:05
Reported
2024-04-19 03:08
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Services = "C:\\Windows\\system32\\Win32\\services.exe" | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Services = "C:\\Windows\\system32\\Win32\\services.exe" | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P}\StubPath = "C:\\Windows\\system32\\Win32\\services.exe Restart" | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P}\StubPath = "C:\\Windows\\system32\\Win32\\services.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P} | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
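Both runs write the same two autorun locations: a Services value under Policies\Explorer\Run (in HKLM and in the user's HKU hive), which Explorer launches at logon, and an Active Setup Installed Components StubPath, which runs once per user at logon and lands under Wow6432Node because the sample is a 32-bit process. Both point at the dropped copy, C:\Windows\system32\Win32\services.exe. The component name {SP84K854-82M2-7826-QAU6-U0D7RQIRD20P} is GUID-shaped but contains non-hex characters, which genuine Active Setup components never do, and the second StubPath write comes from C:\Windows\SysWOW64\explorer.exe, consistent with the WriteProcessMemory signature. The script below is an added example, not part of this report or of any vendor product; it turns those observations into detection logic over the registry rows of behavioral1 and behavioral2 (the event records are transcribed from the page plus one constructed benign control; the rule names and severities are this script's own assumptions):

```python
"""Flag the autorun registry writes recorded in behavioral1 and behavioral2.

Added example, not part of the sandbox report or of any vendor product. EVENTS
is transcribed from the 'Set value (str)' rows on this page plus one constructed
benign control; rule names and severities are this script's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe"
EXPLORER32 = r"C:\Windows\SysWOW64\explorer.exe"

# (indicator exactly as the report prints it, writing process)
EVENTS = [
    (r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Services = "C:\\Windows\\system32\\Win32\\services.exe"', SAMPLE),
    (r'\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Services = "C:\\Windows\\system32\\Win32\\services.exe"', SAMPLE),
    (r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P}\StubPath = "C:\\Windows\\system32\\Win32\\services.exe Restart"', SAMPLE),
    (r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P}\StubPath = "C:\\Windows\\system32\\Win32\\services.exe"', EXPLORER32),
    # Constructed benign control (not from the report): well-formed GUID, written by a System32 installer.
    (r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-1234-1234-1234-123456789ABC}\StubPath = "C:\\Windows\\system32\\regsvr32.exe /s example.dll"', r"C:\Windows\System32\msiexec.exe"),
]

ROW_RE = re.compile(r'^(?P<key>.+?) = "(?P<data>.*)"$')
HIVE_RE = re.compile(r"^\\registry\\(machine|user\\s-1-5-21-[0-9-]+)\\")
POLICY_RUN = "software\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\"
ACTIVE_SETUP_RE = re.compile(r"^software\\microsoft\\active setup\\installed components\\\{([^}]*)\}\\stubpath$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "alert" or "info"
    rule: str
    key: str
    data: str
    process: str


def normalise_key(key: str) -> str:
    """Lower-case, drop the hive prefix (HKLM or HKU\\<SID>) and the Wow6432Node
    redirection, so one autorun location compares equal whichever view wrote it."""
    k = HIVE_RE.sub("", key.lower())
    return k.replace("\\wow6432node\\", "\\")


def analyse(indicator: str, process: str) -> list[Finding]:
    """Findings for one 'Set value (str)' row; 'Key created' rows yield nothing."""
    m = ROW_RE.match(indicator)
    if not m:
        return []
    key = m.group("key")
    data = m.group("data").replace("\\\\", "\\")  # undo the report's doubled backslashes
    k = normalise_key(key)
    found: list[Finding] = []

    def add(severity: str, rule: str) -> None:
        found.append(Finding(severity, rule, key, data, process))

    autorun = False
    if k.startswith(POLICY_RUN):
        # Explorer launches these values at logon; the HKLM and HKU views are both honoured.
        autorun = True
        add("alert", "policy_explorer_run_autorun")
    am = ACTIVE_SETUP_RE.match(k)
    if am:
        # StubPath runs once per user at logon; legitimate components are keyed by a real GUID.
        autorun = True
        add("info", "active_setup_stubpath")
        if not GUID_RE.match(am.group(1)):
            add("alert", "active_setup_component_not_a_guid")
    if autorun:
        p = process.lower()
        if p.startswith("c:\\users\\"):
            add("alert", "autorun_written_from_user_profile")
        elif p.endswith("\\explorer.exe"):
            # Heuristic: the shell is not an installer; a write from it suggests injected code.
            add("alert", "autorun_written_by_shell_process")
    return found


def analyse_events(events) -> list[Finding]:
    return [f for indicator, process in events for f in analyse(indicator, process)]


if __name__ == "__main__":
    for f in analyse_events(EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.key} -> {f.data} (by {f.process})")
```

The hive and Wow6432Node normalisation is the part worth keeping when porting this to a SIEM rule: the same value is written four times here under three different key prefixes, and a rule that matches only the literal HKLM path would miss the HKU and WOW64 copies.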
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Win32\services.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Win32\services.exe | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Win32\services.exe | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Win32\services.exe | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Win32\ | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Win32\services.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\SysWOW64\Win32\services.exe | "C:\Windows\system32\Win32\services.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1564 -ip 1564 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 572 |
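The process list and the Files section together explain the dropped executable. C:\Windows\SysWOW64\Win32\services.exe has the same SHA256 as the submitted sample, so the "dropped EXE" is a self-copy named after the Service Control Manager binary but placed in a directory where no services.exe belongs. Its command line says C:\Windows\system32\Win32\services.exe while the image path says SysWOW64 because a 32-bit process is subject to WOW64 file-system redirection, so that difference is not a second binary. The WerFault command lines name -p 1564, and the only dump for PID 1564 covers 0x400000-0x457000, the same size as the sample's own image, so the recorded crash is the self-copy crashing. The script below is an added example, not from the report or any vendor tool, that automates those checks over the behavioral2 rows (PROCESSES, DUMPS and the hashes are transcribed from this page; the allow-list of system binary directories and the check names are assumptions):

```python
"""Triage checks over the Processes list, the WerFault command lines and the
dropped-file hashes shown for behavioral2 (behavioral1 is the same list minus
the crash).

Added example, not from the report or any vendor tool. PROCESSES, DUMPS and the
hashes are transcribed from this page; SYSTEM_BINARY_HOMES and the check names
are this script's own assumptions.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe"
SAMPLE_SHA256 = "c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8"

# (image path, command line) pairs as the Processes section lists them.
PROCESSES = [
    (r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (SAMPLE, f'"{SAMPLE}"'),
    (r"C:\Windows\SysWOW64\explorer.exe", "explorer.exe"),
    (r"C:\Windows\SysWOW64\Win32\services.exe", r'"C:\Windows\system32\Win32\services.exe"'),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1564 -ip 1564"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 572"),
]

# Memory dumps named memory/<pid>-<ordinal>-<start>-<end>, a subset of the Files section.
DUMPS = [
    "memory/4092-0-0x0000000000400000-0x0000000000457000-memory.dmp",
    "memory/2484-8-0x0000000000B30000-0x0000000000B31000-memory.dmp",
    "memory/1720-75-0x0000000000400000-0x0000000000457000-memory.dmp",
    "memory/1564-157-0x0000000000400000-0x0000000000457000-memory.dmp",
]

# SHA256 of the dropped files listed on this page.
DROPPED_SHA256 = {
    r"C:\Windows\SysWOW64\Win32\services.exe": "c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8",
    r"C:\Users\Admin\AppData\Roaming\logs.dat": "51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46",
}

# Assumption: the only directories where a binary of this name legitimately lives.
SYSTEM_BINARY_HOMES = {
    "services.exe": {r"c:\windows\system32"},  # the Service Control Manager is 64-bit only
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "werfault.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def first_token(cmdline: str) -> str:
    """Executable named by a command line: the quoted string or the first bare token."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def on_disk_path(path: str) -> str:
    """Lower-case and apply WOW64 file-system redirection: a 32-bit process that
    names C:\\Windows\\system32\\... is really running from C:\\Windows\\SysWOW64\\..."""
    p = path.lower()
    return p.replace("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", 1)


def image_matches_cmdline(image: str, cmdline: str) -> bool:
    """False only when the command line names a different file than the image path."""
    exe = first_token(cmdline)
    if "\\" not in exe:
        return True  # bare name ('explorer.exe') is resolved by search path: nothing to compare
    return on_disk_path(exe) == image.lower()


def is_masquerading(image: str) -> bool:
    """System binary name in a directory where that binary does not live (ATT&CK T1036.005)."""
    p = PureWindowsPath(image.lower())
    homes = SYSTEM_BINARY_HOMES.get(p.name)
    return homes is not None and str(p.parent) not in homes


def werfault_target(cmdline: str) -> int | None:
    """PID of the crashing process from a WerFault command line (-p <pid>), else None."""
    if PureWindowsPath(first_token(cmdline).lower()).name != "werfault.exe":
        return None
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def dumps_for_pid(dumps: list[str], pid: int) -> list[tuple[int, int, int]]:
    """(ordinal, start, end) of every dump taken from the given PID."""
    out = []
    for name in dumps:
        m = DUMP_RE.match(name)
        if m and int(m.group(1)) == pid:
            out.append((int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16)))
    return out


def triage() -> dict:
    crashed = {pid for _, cmd in PROCESSES if (pid := werfault_target(cmd)) is not None}
    return {
        "masquerading": [img for img, _ in PROCESSES if is_masquerading(img)],
        "cmdline_mismatch": [img for img, cmd in PROCESSES if not image_matches_cmdline(img, cmd)],
        "crashed_pids": sorted(crashed),
        "crash_dumps": {pid: dumps_for_pid(DUMPS, pid) for pid in sorted(crashed)},
        "self_copies": [p for p, h in DROPPED_SHA256.items() if h == SAMPLE_SHA256],
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result}")
```

The WOW64 normalisation in on_disk_path is what keeps the command-line check quiet here: without it the services.exe row would be reported twice, once as masquerading and once as a spurious image/command-line mismatch.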
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | www.server.com | udp | 1 |
| US | 52.8.126.80:80 | www.server.com | tcp | 2 |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp | 1 |
| US | 52.8.126.80:80 | www.server.com | tcp | 5 |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp | 1 |
| US | 52.8.126.80:80 | www.server.com | tcp | 5 |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp | 1 |
| US | 52.8.126.80:80 | www.server.com | tcp | 1 |
Count: consecutive identical flows collapsed into one row, order preserved.
Files
memory/4092-0-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4092-4-0x0000000024010000-0x0000000024072000-memory.dmp
memory/2484-8-0x0000000000B30000-0x0000000000B31000-memory.dmp
memory/2484-9-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
memory/4092-64-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/2484-67-0x0000000003D20000-0x0000000003D21000-memory.dmp
memory/2484-68-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/2484-69-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Windows\SysWOW64\Win32\services.exe
| MD5 | f95d0beafe5a035fb1cd6073ae4a76ae |
| SHA1 | 5969347c5b1f4156091b54edc834c997054cef82 |
| SHA256 | c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8 |
| SHA512 | 3205e94f491f6032b33aa00ec78a37a07b02e08c308a1172d6b7b5605d6acd9d07d8bb36bd86d60d27147cb9496d9d37aff84e81d79363e5d59385c5ca0579b0 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 57baee9c40963a02b29033e265168212 |
| SHA1 | f47e2dcd9e95b1186b2db2bab3ce79770a21db0b |
| SHA256 | 3be31be6ddb05484e59ead85d9aeda9bbd77ce4aae6a94c57b405a3de5cc382f |
| SHA512 | 77125bd0457624b519079a9e135e534633f6f2b8fae7986995d5d9cf15438c31848bd154b3cd3a92807f983bca78abe2d23954e571fc524a0425fb8b1a8cba04 |
memory/1720-75-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4092-90-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1720-138-0x00000000240F0000-0x0000000024152000-memory.dmp
memory/4092-137-0x0000000000400000-0x0000000000457000-memory.dmp
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
memory/1564-157-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2484-159-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 3fe9727de3006525b31b42a305601c43 |
| SHA1 | 6399bcd13d19f68c89f2e2d97bbe4a53af125474 |
| SHA256 | 7f8d2fd30f735a1aad547cdfe98a1cdb42a3bfa654c104bf87c237aace7ee794 |
| SHA512 | a84757891931c488a58a194e6e2527b0650e7f22e7ac740f7218719669551c068d26131850749878fdbae802558e103f3a01a2146a6ed2ef6f5776e75d6c3812 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 57aa49514f026cca6b3c7d60e371e6ca |
| SHA1 | 858a2cd012cbfd7a57b06b2a33d33fc8c4fbf7f4 |
| SHA256 | a64e353f4e592fa6f4069ba40720746cfa18b7d7f4db6b4100a77c856e056cf0 |
| SHA512 | dc21e8c470b15b5e552f09f3cd0dc0108466d90590e33b2b859b8030e6bdb35264fa025e15ea08ea66563d0c19577665578fee814fc9c846e6d7dd52f482d4a1 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6f2f6ac6e2f74ef8a5cfb4ea068f4c5a |
| SHA1 | 8c082e8704eb8f0bd8fdb3e0928ec5bed77b2df2 |
| SHA256 | 974fae232046768f7d1d43ea96c057411c800ebaf5ed7fa66879f56f876bd65f |
| SHA512 | 92619a2bd384e1dcf0f57c34304c0794c9fcbf082ce6db94aa7bedfe36bbc476b11eb1e8ee31aa3fb5cd7a1fd6ebd2f2be0df5d9d5fc792a2b19c85d345f1718 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 04c075218a6190a3504974c4af8f46c1 |
| SHA1 | 8c92c808575089d161b7b67f3fe5058ec826a8da |
| SHA256 | 66a086ea485ec1e033dd003e8b7bbdf4e70cd4e0ab792680c4ed7d9be7cf5136 |
| SHA512 | 4423d3330c8ff5cddb894c82ef2fb0302c2d8b6569ed2430b7d36b71ab4f5a024c15347ad08def11a5636646ae1d7becd15728a2f86c574627576b4cf9f2c08b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 796f6a1afad8feba1e545bd24e325b82 |
| SHA1 | 37c31b65370888f4b5f2caf0a0d9d1cada7d00cc |
| SHA256 | 39e8e945081db463260e8f12b238b6d6d2801cf6fe6ab1756ff8bf201af31c08 |
| SHA512 | fc2da8598d6e904654828b132867f33a935c1a89f572b771a08b1c30b4689260c9a868c032106e960ed022e3e0bc41669347e0d90b3d5b032f9d9674d91b4858 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | cf531f5aef0e28a380e618468f0ef544 |
| SHA1 | cc4f7ec429e9c231e76d8b79bafd47e49bcfb21a |
| SHA256 | 83aca2784e274e6978c40106b6c6ac8f0d0b8c3344bc578e045b05ba00d1af8a |
| SHA512 | 847dd2d54f3c6cf6a6b7f7367e3986e8ecbfa49f2e313f45cd1934f03635282ca6fec6f25be5c48e2ac0ea2908bc820762a8a2adf1e239fa9d779d61951f4b04 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d23c537b3f6f55753e521048d8868fff |
| SHA1 | bdbb759a2b0c3e3d64a99cede816eb62abc658be |
| SHA256 | c18d000fbeb149eeefaca8658466d47b93c2d01042577b6c480d51ede6322303 |
| SHA512 | ea66033b94d03761fd7b768edb79c3366a78177efffdcb26bddebe52635d86d1af45b9a5dae8c5f4746077241c8a290411b6e14d245c6259181ad59422801980 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 461758c695e6084836ab6bad73de76fe |
| SHA1 | d066aa11e6dbcf381d5ebbed1986f6cb6984f29d |
| SHA256 | d9a54d1bb52c12ad02b58ae0b75d913623dbdecdf52de1d2dbc7d861ecab34e3 |
| SHA512 | 27d54b7e216e13d582ed0d46c6facdf69ea994f51e10653fa336b0dbd8bcffb1fc3ae4ad73e5aaf619189ec8fa11350cf5c10303ec19affcd16e4bd485ab0cb1 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | e1c17d2a61355a70a67876a1857e719f |
| SHA1 | 8ef8d49008bb6f838227dda6e823e935e2f5301a |
| SHA256 | ce58f19cee0edf1b9beed57a3808161e7dc39bbd191908ec7379528dabd16c6b |
| SHA512 | ec0cd42544b84627ad94c93857b1be2c1931e5dc1ed6ca21e344dce4efc5109fa0a88582e14e836f60e8b3483da30ddf63c93046feb0bb7b281f9c6ea2d9ba0f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 0b224c63e2a4e19c665215b671307127 |
| SHA1 | 858585ff709ff3848e6362cefe6c5d457d9f8b4e |
| SHA256 | b86454d1c4a90dc00be4a8aeb913de67cf4b95df3868790de7a78e1e062ed63a |
| SHA512 | 65f222686b76109ad6316bbd46bea73e4dd1017d4a3201a1151be7f36896b513851c4e32a130d600a5c2af803911088c981af5bc9acd52e24bc879138285c39b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d8fc2eb70b3c68f846cc3bf479a74487 |
| SHA1 | 94659d10dbdc167b08f251aa475ed68a10be91d3 |
| SHA256 | bc1833986cc84cefdb73b29e52bcbff22e16fe76c076578ac2dde95f7eed40e3 |
| SHA512 | 4335a95c97c5fc5ed17683576fb5f2352c80cc2103fc86d81bfb51aed2a4f2422b87b51d141b7d58a281ce8a6f95995f5e39ff3471fff2554606163ca510ec88 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 7a0c116b6ffaed03f924a8163ff018c3 |
| SHA1 | 6e4fd807fdff68a4c59353cc2fa431eb12069d3e |
| SHA256 | 35215a98bde83dc21a049901f92bff80be9bfbfb1386f996e347482010d4f03b |
| SHA512 | f09f38668c2c5dcf8e0be147e30aa97a3a9078961e785f43e0a4b390a6effd2b9255c964068365e6fa3208d902cd6577d40c012c6b14fb135f97445872a88797 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4fb0a0c917c6461fc88fbd283700c597 |
| SHA1 | efd7784a0a695a8412252407bcde98ee65a4998f |
| SHA256 | 35b981b47e65250aa3f67b7efd8e6ff12d8dcac679b78b59c06c028dcc362811 |
| SHA512 | 405a8f89b4ac7d39671b3c9c4ae0551f2a9b24a87e764e084a7a479a07655ef80fab9da508319a7540c7e4ee4716bda624f3996d381762a8182569f07f515ed8 |
memory/1720-1281-0x00000000240F0000-0x0000000024152000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4411608a726a822805ceaa5057f233c1 |
| SHA1 | d44d35f2089e2f5019037669844233040cccf932 |
| SHA256 | 3e7b71b95f023fdfcae37fd4ad6bbccc9f8c9120afca1dff3126fe8b50157bf6 |
| SHA512 | 24b17445dd730d7a15b503f2bd1c735d3c36fe3779fece9d232a1fd692eac47d1688680b3b95f23088f62ca06efaca36c047409e2cdacb1fa4b1321e71955baa |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c07a95373d8e57ece4ed7c3b76081a45 |
| SHA1 | 143e61fbea59f248e0a00bdf06ba4fcc571e5fa1 |
| SHA256 | fa08e0b0c9c3441f2731573f784a05e2c994fd6d3ae2e03668611b7a06fac245 |
| SHA512 | cf6e486656de9700573c6b8f22569ca5eabe249cf86149b979cbe0adf294d23ea3a3beb9fa5d7d5b56e4d3ccfe2455374008458c31441afde6541c439802f226 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2fdd68081cf7f5d15e2b8b365dc746c4 |
| SHA1 | 1bff0b8e37f4ed1743f362ba3908fca7c051f8fd |
| SHA256 | 60523904008f301e580b786aec7998e310e43f40ea64b03215a4cfa99b0012d2 |
| SHA512 | 7fc89869434a4aeb6b746f3d6edf13d171f3b41b0fc4bfecddafcf31064c60b5985ed6555583aef1fb2d42bc93fff675b9eac572fd8d20053bceac77abef6858 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 08db976670b354a30835611d4bfa4ac4 |
| SHA1 | b5ceba1db6e4de229548f9e7c21a8a5e2317a216 |
| SHA256 | 1dadb25266433569412f0ac2624911e61fd959c4c04dab10751159d73753e78e |
| SHA512 | 3a63cb6f675c3e734a39638f9a6ee5b787dfd80dd8e49f6e0687df6c90e4ccca703cbf99d61cb5ccb57e87cb3fbd89c02f8bc1adb64180ade20a457be96743c7 |