Malware Analysis Report

2024-09-22 09:42

Sample ID 240421-j283csfb5y
Target fed62f18b8f0aca58596014b4faf3270_JaffaCakes118
SHA256 20604f1b548043558e282ea1b410e8ee4ef4e1d3de204d0c6854217e0122c79f
Tags: cybergate rat persistence stealer trojan upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 20604f1b548043558e282ea1b410e8ee4ef4e1d3de204d0c6854217e0122c79f

Threat Level: Known bad

The file fed62f18b8f0aca58596014b4faf3270_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate rat persistence stealer trojan upx

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

UPX packed file

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-21 08:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-21 08:11

Reported

2024-04-21 08:13

Platform

win7-20240215-en

Max time kernel

109s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Roaming\lshss.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFY8J8CU-882J-26LS-MBE5-UC0UVIA8D1A7} C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFY8J8CU-882J-26LS-MBE5-UC0UVIA8D1A7}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Roaming\lshss.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cbevn.exe C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Roaming\lshss.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Roaming\lshss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1540 set thread context of 2708 N/A C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\lshss.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2480 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1540 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\lshss.exe
PID 2708 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\lshss.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\go1gab0f.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DAF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1DAE.tmp"

C:\Users\Admin\AppData\Roaming\lshss.exe

C:\Users\Admin\AppData\Roaming\lshss.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\lshss.exe

"C:\Users\Admin\AppData\Roaming\lshss.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\system32\WinDir\Svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-21 08:11

Reported

2024-04-21 08:13

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Roaming\lshss.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFY8J8CU-882J-26LS-MBE5-UC0UVIA8D1A7} C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFY8J8CU-882J-26LS-MBE5-UC0UVIA8D1A7}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Roaming\lshss.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\lshss.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cbevn.exe C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe N/A
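
Read together, the three persistence tables above (Policies\Explorer\Run under both HKLM and the user hive, the Active Setup StubPath, and the per-user Run key) point at only two images: a copy of the dropper in Roaming, and a file named Svchost.exe in a WinDir subfolder of system32, which is not where the real svchost.exe lives. Two details matter when hunting for this on a live host. The StubPath value carries the argument Restart, so the string to match is the whole command, not just a path. And the writer is a 32-bit process on 64-bit Windows 10, so its view of system32 is redirected to SysWOW64 (the file it actually creates is C:\Windows\SysWOW64\WinDir\Svchost.exe) and the Active Setup key it wrote is the WOW6432Node one; a 64-bit collection tool has to check both views. The Python below is an added example and is not part of this report or of the sandbox: it parses rows in the report's own "Set value (str)" format, classifies each value by autostart location and hive, and flags an image that lives in a user-writable directory, borrows a system binary's name outside that binary's real directory, or sits in a non-standard subdirectory of System32. The four sample rows are the ones from the tables above; the set of system directories and the short list of borrowed binary names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# The four "Set value (str)" rows from the persistence tables of this report.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Roaming\lshss.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Roaming\lshss.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFY8J8CU-882J-26LS-MBE5-UC0UVIA8D1A7}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Roaming\lshss.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe N/A',
]

# One sandbox row: value path, quoted data (backslashes doubled), writing process, target.
ROW = re.compile(r'^Set value \(str\) (?P<value>.+?) = "(?P<data>.*)" (?P<writer>\S+) N/A$')

# Assumptions for the example: where the genuine copies of system binaries live,
# and a short list of names that malware likes to borrow.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}


@dataclass
class Finding:
    location: str      # autostart mechanism the value belongs to
    hive: str          # HKLM (every user) or HKU (one user)
    value_path: str
    image: str         # executable the value will launch
    writer: str        # process that wrote the value
    reasons: list = field(default_factory=list)


def classify_location(value_path):
    """Map a registry value path onto a known autostart location, or None."""
    p = value_path.lower()
    if "\\policies\\explorer\\run\\" in p:
        return "Policies\\Explorer\\Run"
    if "\\active setup\\installed components\\" in p and p.endswith("\\stubpath"):
        return "Active Setup StubPath"
    if "\\currentversion\\run\\" in p:
        return "Run"
    return None


def image_from_data(data):
    """Undo the sandbox's doubled backslashes and drop any trailing arguments."""
    command = data.replace("\\\\", "\\")
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command


def suspicious_reasons(image):
    """Why an autostart image looks wrong; empty list means nothing stood out."""
    p = image.lower()
    directory, _, name = p.rpartition("\\")
    reasons = []
    if p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p:
        reasons.append("image lives in a user-writable location")
    if name in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS:
        reasons.append(f"{name} is a system binary name used outside its real directory")
    if any(directory.startswith(d + "\\") for d in SYSTEM_DIRS):
        reasons.append("image sits in a non-standard subdirectory of System32")
    return reasons


def analyze_autostart_rows(rows):
    """Return a Finding for every row that writes a known autostart location."""
    findings = []
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        location = classify_location(m["value"])
        if location is None:
            continue
        hive = "HKLM" if m["value"].lower().startswith("\\registry\\machine") else "HKU"
        image = image_from_data(m["data"])
        findings.append(Finding(location, hive, m["value"], image, m["writer"], suspicious_reasons(image)))
    return findings


if __name__ == "__main__":
    for f in analyze_autostart_rows(SAMPLE_ROWS):
        print(f"{f.hive} {f.location}: {f.image} (written by {f.writer})")
        for reason in f.reasons:
            print("   !", reason)
```

Run against the four rows, every finding carries at least one reason: the Svchost.exe lookalike trips both the borrowed-name and the System32-subdirectory checks, and the Roaming copy of the dropper trips the user-writable check. The same row format is what the rest of this report uses, so the parser can be pointed at the other registry tables unchanged.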

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Roaming\lshss.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Roaming\lshss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4396 set thread context of 3888 N/A C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\lshss.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
64 events N/A C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lshss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4396 wrote to memory of 752 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 752 wrote to memory of 3832 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4396 wrote to memory of 3888 (13 events) N/A C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\lshss.exe
PID 3888 wrote to memory of 3152 (45 events) N/A C:\Users\Admin\AppData\Roaming\lshss.exe C:\Program Files\Internet Explorer\iexplore.exe
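
The write rows above describe four parent/child pairs, and the pattern only shows once they are counted. Three writes from the dropper into csc.exe and three from csc.exe into cvtres.exe are what the sandbox records for ordinary process creation (the parent writes the new child's startup parameters). Together with rkbbbwqx.cmdline, rkbbbwqx.0.cs and rkbbbwqx.dll in Temp, that pair is the footprint of .NET CodeDOM compiling C# source at run time, so part of this sample is built on the victim rather than shipped in the file. Thirteen writes into lshss.exe, taken with the SetThreadContext row further up (the payload is written over the child and its thread is pointed into it), are the sequence process hollowing produces, and forty-five writes from lshss.exe into iexplore.exe are an injection into the browser. The Python below is an added example, not part of this report or of the sandbox: it reads rows in the report's "wrote to memory of" and "set thread context of" format, counts writes per parent/child pair, and labels a pair as a hollowing candidate when a SetThreadContext accompanies the writes, or as an injection candidate when the count exceeds a threshold. The rows are the ones from this report expanded back to one row per event (a row carrying an "(N events)" count is also accepted); the threshold of eight writes, and the assumption that a handful of writes per child is plain process creation, are the example's own.

```python
import re
from collections import Counter

# Sandbox rows, optionally carrying a "(N events)" count after the child PID.
WRITE_ROW = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) events\))? N/A (.+?\.exe) (.+\.exe)$", re.IGNORECASE)
CTX_ROW = re.compile(
    r"^PID (\d+) set thread context of (\d+)(?: \((\d+) events\))? N/A (.+?\.exe) (.+\.exe)$", re.IGNORECASE)

# Process images from this report, used to rebuild its rows one per event.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
LSHSS = r"C:\Users\Admin\AppData\Roaming\lshss.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"

SAMPLE_ROWS = (
    [f"PID 4396 set thread context of 3888 N/A {DROPPER} {LSHSS}"]
    + [f"PID 4396 wrote to memory of 752 N/A {DROPPER} {CSC}"] * 3
    + [f"PID 752 wrote to memory of 3832 N/A {CSC} {CVTRES}"] * 3
    + [f"PID 4396 wrote to memory of 3888 N/A {DROPPER} {LSHSS}"] * 13
    + [f"PID 3888 wrote to memory of 3152 N/A {LSHSS} {IEXPLORE}"] * 45
)

# Assumption: a few writes per child are just the parent setting up the new process.
NORMAL_WRITE_LIMIT = 8


def correlate(rows, write_limit=NORMAL_WRITE_LIMIT):
    """Return one verdict per (parent PID, child PID) pair seen in the rows."""
    writes = Counter()      # (parent, child) -> number of WriteProcessMemory events
    contexts = set()        # (parent, child) pairs that also saw SetThreadContext
    names = {}              # pid -> image path
    for row in rows:
        if m := WRITE_ROW.match(row):
            src, dst, count, src_name, dst_name = m.groups()
            writes[(int(src), int(dst))] += int(count) if count else 1
        elif m := CTX_ROW.match(row):
            src, dst, count, src_name, dst_name = m.groups()
            contexts.add((int(src), int(dst)))
        else:
            continue
        names[int(src)] = src_name
        names[int(dst)] = dst_name

    verdicts = []
    for src, dst in sorted(set(writes) | contexts):
        n = writes[(src, dst)]
        if (src, dst) in contexts:
            verdict = "process hollowing candidate: cross-process writes plus SetThreadContext"
        elif n > write_limit:
            verdict = "code injection candidate: many cross-process writes"
        else:
            verdict = "consistent with ordinary process creation"
        verdicts.append({
            "parent": src, "child": dst,
            "parent_image": names[src], "child_image": names[dst],
            "writes": n, "verdict": verdict,
        })
    return verdicts


if __name__ == "__main__":
    for v in correlate(SAMPLE_ROWS):
        print(f"{v['parent']} -> {v['child']} ({v['writes']} writes): {v['verdict']}")
        print(f"    {v['parent_image']} -> {v['child_image']}")
```

The csc.exe and cvtres.exe pairs come out as ordinary creation, the dropper's writes into lshss.exe come out as hollowing, and the browser injection comes out on write volume alone. Note that the second lshss.exe launch and the Svchost.exe process in the Processes list have no write rows at all, so a rule keyed only on WriteProcessMemory would not see them; the Active Setup and Policies\Run values are what bring them back.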

Processes

C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rkbbbwqx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C70.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2C6F.tmp"

C:\Users\Admin\AppData\Roaming\lshss.exe

C:\Users\Admin\AppData\Roaming\lshss.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\lshss.exe

"C:\Users\Admin\AppData\Roaming\lshss.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\system32\WinDir\Svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.114:443 www.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 114.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 udp
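
Most of the Network table is background: the in-addr.arpa rows are reverse lookups sent to the resolver, and the bing.com and bing.net rows are the Windows 10 image talking to Microsoft. What remains is one row repeated thirteen times, TCP to 52.8.126.80 on port 80 after resolving www.server.com, the only host outside that noise the detonation contacts. The table carries no timestamps, so the connection count is the only beaconing signal available here; the interval would have to come from a packet capture. The Python below is an added example, not part of this report or of the sandbox: it parses rows in the table's "Country Destination Domain Proto" format (including the last row, which has no domain), separates resolver traffic from real connections, and ranks the remaining destinations by connection count so the beacon stands out. The embedded rows are the 43 rows of the table above; the list of domain suffixes treated as operating-system noise is an assumption made for the example.

```python
import re
from collections import Counter

# The Network table of this report, verbatim; the last row has no domain.
NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.114:443 www.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 114.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 udp
"""

# Country, ip:port, optional domain, protocol.
ROW = re.compile(r"^(?P<country>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

# Assumption for the example: background traffic of the Windows 10 sandbox image.
NOISE_SUFFIXES = (".bing.com", ".bing.net")


def parse_rows(text):
    """Parse the table into dicts; lines that do not fit the format are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW.match(line.strip()))]


def is_resolver_traffic(row):
    return row["proto"] == "udp" and row["port"] == "53"


def is_noise(row):
    return (row["domain"] or "").lower().endswith(NOISE_SUFFIXES)


def rank_destinations(rows, include_noise=False):
    """Count real connections per (ip:port, name, proto), busiest first."""
    counts = Counter()
    for r in rows:
        if is_resolver_traffic(r) or (not include_noise and is_noise(r)):
            continue
        counts[(f"{r['ip']}:{r['port']}", r["domain"] or "?", r["proto"])] += 1
    return counts.most_common()


def resolved_names(rows):
    """Forward lookups the detonation made, with the reverse lookups stripped out."""
    return sorted({r["domain"] for r in rows
                   if is_resolver_traffic(r) and r["domain"] and not r["domain"].endswith(".in-addr.arpa")})


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    print("names resolved:", ", ".join(resolved_names(rows)))
    for (dest, name, proto), n in rank_destinations(rows):
        print(f"{n:3d} x {proto} {dest} ({name})")
```

With the noise filter on, the ranking contains a single entry, www.server.com at 52.8.126.80:80 with thirteen connections; with include_noise=True the four tse1.mm.bing.net connections and the two other bing rows appear beneath it, which is a useful sanity check that the filter is not hiding anything else.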

Files

memory/4396-0-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/4396-1-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/4396-2-0x0000000001060000-0x0000000001070000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\rkbbbwqx.cmdline

MD5 a904b9562e6726165637c0ecd81678c2
SHA1 db7268e986eb96cd1b2faa0b5b8b511ffeec0e3d
SHA256 fdb1ba96ea3992723c44ef6abc7bfa1e651ef168732d3f373ece433d2252259d
SHA512 f6cad7f03c7f2ca84a85d5e5a25d0948bde14d2c75a3b769f7d01097396257655313604a97f93d994e38611ea4bf18a9bcb107ca1a7665e3ff6053dab7ca929f

memory/752-9-0x0000000000C10000-0x0000000000C20000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\rkbbbwqx.0.cs

MD5 b63430207638c1a36b9b27002e0da3da
SHA1 54356082f32c71498c4ac5f85f4588e0d1c57ad0
SHA256 fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193
SHA512 29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

\??\c:\Users\Admin\AppData\Local\Temp\CSC2C6F.tmp

MD5 9f693177fdc2c91278cc9406941dd8b7
SHA1 dba95a124de41443b8f9955e6e916fc9c03ef51b
SHA256 5d07da7f1f0155a43a0491670d65fa3f09542ddc10191da282ba7ecbd69c40f0
SHA512 302436258581302325211409364c585f896fe3257c066f29b6bb97a30f862e795a4a7f1358c9afc2babf06958fe4a5f97edf80d1c459161c24982951a2dd1688

C:\Users\Admin\AppData\Local\Temp\RES2C70.tmp

MD5 21241fc43cb2c2551410d8bd94e5176b
SHA1 d5f5dd1a1fa63cf0a6dcdac8025a74f517d761aa
SHA256 e8c645b7da663fe4077eaad3814d64d967f710e404b4975c58593c446de09685
SHA512 f7e1844ca1299c94b2aac894e81958d9ca76f43ef39101b7a551f11912faf728709577998e53442f50aae975a7907e9c32432c4f1a82e5809a1825e6bc742a36

C:\Users\Admin\AppData\Local\Temp\rkbbbwqx.dll

MD5 d94b41ada13685b737f017a2b9b2d825
SHA1 26d861aa2b421668bc8aa9c440325acc5ab59477
SHA256 f02f72474f134f55b67ed76dd7b5256403a3cce61c748fdd7c467b35a145f3d6
SHA512 e7dcaf6be31da64e2099ab31c5e2b1218f4a91b26a7a6e9b1d90319f22ea9d862e96260bbf9a0f9cec049b5de4a8b7837ef8bd552bfce77a47588715c58bf441

memory/3888-19-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3888-22-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Roaming\lshss.exe

MD5 369f12dc43e4e422b1004082082b5dba
SHA1 1267e5fa9aac4c38b54356d8ff5dfef056fbddc6
SHA256 4a144bb8cc185c893fc0dcb71e595b01b4006f99171a88ec267e50f174e1cb77
SHA512 51ee58e6b96401f4465cbf142ac71696b1f0a2fbd32ce13fa72b98d2861960413496bd4de4b5c26517fe3ada25a5fe070a527b88687e7643f53501606553aba9

memory/3888-24-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3888-26-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3888-30-0x0000000010410000-0x0000000010475000-memory.dmp

memory/1176-34-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1176-35-0x0000000000570000-0x0000000000571000-memory.dmp

memory/3888-91-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/1176-97-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/3888-99-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 19a38f2cfb32f4609eecb8c4a4f776bb
SHA1 56d3ee61ee3c7d16abf0a68188dd901205885b3f
SHA256 dcedcfcb0f064d1fff4f7fb1b823ab524e8f3ef3be59624d643dddd5bb4544a8
SHA512 adbd013d5c72e18bd8d80a6791bdac5fa8e7eaf8b2fb0dd9760978ca1bb5b587fd13da5868ac481d6df457c7b471c871418595e563e58dd04cb11add9dc773e9

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/4396-124-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/4396-125-0x0000000074E20000-0x00000000753D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c238c9e70c2fc4a7b26cb1599acbd3b7
SHA1 0e1fc5bb1e58c0c1e612338f30236e8ed13fd58e
SHA256 8b0fa314ecc5d52c684adc8a2f9e04a5066ba7b5dd96692c7e2f9533a2ce1691
SHA512 20220aabb1d53913b7aeefa20eb82cb28ad7bf12b20034e459773c0f5e4fead3b104af508f3544804a142577401a9a97a2635050a223aed69a1011e489d6878a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d66204f8a3080eedf44e47e0e3f024c0
SHA1 4d577063a39c131827b039267d1d08966012af9c
SHA256 85a9d634a85f585d20a8d8dd6aa449bb40ecd472ce5a035dc586c018607f5e1a
SHA512 b602be61a409ab061285ca070ac539f5d9eee92be98e319c012245ef007f0e2ef59573d8587092e0e14547a6593455ecb552c21c97f51dd6ca4501703d595e71

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b848b047a5b4d3c59e37ad281f6787b6
SHA1 0e6744a3d52e669bbe06b39f4f251e84970e69ee
SHA256 631cfa4c246ee78c6b868b65e2a6065a773e852444cd09ac944dfa1054f79712
SHA512 dcf6fa4f11f1917a516f6e91bbb9c1d7c33868f6d8e593a98105e86acb6e351ed1b0f5117b63c2ffa7fadb29af6e8c386810114e9f84587e2e0ba8300c58a2ff

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f25a5f41d6113bfea1f4c8a3b4da9617
SHA1 222826ab803472b8438e5871278048ff8163df35
SHA256 10d1edfcb107cc83238b1a4ca9bb54b4d8d816cd83820b6b4c4bec9a14545aa2
SHA512 366b1a05b15e284d74576945bca7bbd2db21a3be4d66ee817bdcfe787b6afae95f866c24a2b145ef236d62c8680acf0bc0c46b5e0bef004d59a24a0648aa564b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7f0080a6792944212f02595b66984f94
SHA1 e1dee6dcf58e5ce23a141f4fc21707f195b9a8fd
SHA256 a38a7252335949dc249182135f0e95cb28d0318761110775c3d1487712d31edb
SHA512 a573a093c639d414ea19a290c0c8b3b46f78a40dfd11bd8f119487700a3a238a9510bfc5de82d37c624e71354821f174869255038b18061488dfe2bd43e8b845

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5847254264eb178dc2d44863699adcb2
SHA1 54a69f6e33bb29ce1779cff52bd10884dc52a209
SHA256 3483042388c9a0e6d35ffaa66d25d2875ff454c22b578aa6d7384496e860a34f
SHA512 47a95b5f899113d2d9a33ac58db70a5d9fdaf42930bc192eb446c297e38f2857694b41502d6e2ecfeffb91975c64a27541ec7b44856f8edd7693f0d355e69c2a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f636e7ac3f324064e788dd87639a816a
SHA1 7de9334c34c32d9a39d4537dd2eb547ccaf0b8b8
SHA256 ee3117f225e92923a045853394b38067d6b1b32f5488a519e291ec3500932f93
SHA512 0d551ad8e4a6fe1ac27ed6326acbf8b2bc5f6fd70246ba7f564b8f5b3223a4d0e310f72eb2c34c823d59c0cac30007f271997d3dfe18b3d9eac9cbe9d3324e90

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 84e1d59e3b5163f35ac356b10fedced0
SHA1 d5503f243c497e8f0a00df87472366689ad15dc3
SHA256 ee5b08abde8cf7437c5a98d556b8536b834fb125a0347af1620cfbfe7a77119c
SHA512 351da843d7e88cc385c5e47fe70990ec281dccdaefd77277340c2ea3498b4ef92dc3c84b2a496ff153b6a47216b2572546b487abdc2fcea349e6149088ecb472

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fb4c14b3b8e9b2ffcbdcb2dd89322b72
SHA1 d0b10fa4dda15b7541e78444b7c66394f2ac9f33
SHA256 f88ecd4589f2e59e2b5920fb85c551697f26350116aeb433ef25035afb1a9d5c
SHA512 087b9280e751c6293b3ef4574a19d6f67960741f31ac6a9744c35806f6d737e47f393a8a62941016a810658ccec8eca7d4f896914c55be9c6e3493f25c549e11

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c5e38779c50335d5b9e184246e64bcd1
SHA1 1b215f2fe2dd6ef6ac708da09dd6159e4e0bcb65
SHA256 0895435b80dc097c83db6fdffd167b20927839e48270ca7ed16f244465d8248e
SHA512 0b883a5800ad4dcbb5e15a2f2c1ad7fbf68443a755886640a67e96e434ca62b3ecc2e8af026fab3b5cb6d056eedafc7a50c5c65a7f1600c080f06cc1f7617e28

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a5b82372f0471ddc0c495ddcc61293ee
SHA1 4a982fc36d5b0a50f634931c1c7a7e9e3d80ce68
SHA256 33ce428344e24d48742e2e00da5934c269c4e3cab7e2045835801151f14531fc
SHA512 3d2498409af8e19ac66937e992ed9b16ec5cc9ec18d57ec123c6cb5bb3938bd9b0dbc96ae50898e827e948f62270a94352efa9f908ba54c3ba16a2aa5c688888

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 557eb5fa265b31fbfd23a9863d117dfb
SHA1 463d240d53d79ce1c241f493408ed0ac19389100
SHA256 eec5da5d6e3f866cc507faaf8636ab5f52db4f45305a15ff314ccad642f21323
SHA512 945c24bdfa0439733327d48da2627ddb865f7c667a8cd8c77e78cc3e82a6157b228ffaa587746954b9d538d61823f3cb5b24f59af25daf2c71669698fd1e8986

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5fbe9076737c1bac5f76362cc960f99e
SHA1 f4a23459eabe2d1a0b515670b779c9c7f3fad32d
SHA256 be97aa6d7734771067ccdb756627fdbefbbd6d4f2ca8738e4c858f0191e54542
SHA512 b3a10609776a34a4194d8e8a992364853d4316433fce11419f0dd42a05c718f44973585153b149ca1a54ca81a98b9fd34fac7e6c7a19bf00d3274eeff9597ff0

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1be6508ff9d37173374d6d93c87b56aa
SHA1 b1127cd8de3fb4eaa4d9b453bddcf60f0ca121be
SHA256 226d956b11a1c337b60a712cf0a0658b5580a04df23f2be0e874957ccea8126b
SHA512 d12810f1a11678d10038c4216cdc4f250b2708b388c886aee4f03d84f202ccef8434d61066497ecb6123304f51725c20bf24a6fb9d3a1870d8add0a3ffa26753

memory/1176-1386-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 21904d1d53170b6e801d2941b54f1b0e
SHA1 401737632ad93739bbcc0d9734192fb89a712498
SHA256 19c99fc2b1d034947c50a64e52dd1623796d05b6382c4ba72e175ae78db4fb19
SHA512 c32dfacc55d7fdcdf18cc2f0736574ef9529b7389b5ef76bac19e3045f596dc6dd1bbb0ab682f3b48c8b65502c9fdd0e60a2478b5a05849e137861f008ff6969

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7b0f8980804b99af82ed7176ca258ecf
SHA1 fbf76dfa23828993b7ce05468934f9dee7cbe251
SHA256 ad457c080ac554cb2c8268b89910f047be8e6d3125754645d3c29510570f1f38
SHA512 a70f4639dd1fb5a8379548428c037745348f1d076121fe82e5f59f5ade830f878415ccc35bcf49ac9598bb3216774f4e2b171130dae387d61887f033bfc888da

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9c0d23239fefecfcf6490e79cc50c763
SHA1 ee341ace3f98f2f2fe12234d15cccdf32c7b0716
SHA256 d622c8d9e19e2bf618d5a0fbc5eb95f5da05f5d0c5b078108a107012f1b0de5d
SHA512 ee965ae5d47a28b561a8b6bd38af2976933b8b68b4b661bd950137125d8938abe9d1664e69358388396f197cda2318bf273ceb2b21dbb3b25f7c2cf1cfa8b184

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8609cdfb2d18278e831155aefe7f0ec1
SHA1 f0a9cc3b78094fe521e6003c04a08750ce64f2eb
SHA256 35a41f08a409d3bb4fe46269084354675501a6fdb89844d3ccd8032c26593ec2
SHA512 6699381d7820746e4bcb0e7dfac4672aefb87042334039f7680c3ee02d93ee6d8cc6ba778bf2379e8173f783be0b56a8336c00b66ae5a4c594b509351a49a27a