Analysis Overview
SHA256
7bef4696e728107bdefabea3bddad00c04e776fd783a74575b9e68b0b5bd351c
Threat Level: Known bad
The file ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Modifies Installed Components in the registry
Uses the VBS compiler for execution
Checks computer location settings
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops startup file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
| Reported | 2024-04-21 13:53 |
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-04-21 13:53 |
| Reported | 2024-04-21 13:55 |
| Platform | win7-20240221-en |
| Max time kernel | 150s |
| Max time network | 151s |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windir\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windir\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5O7CG6B5-713X-G21I-5G82-5SE320U4741T} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5O7CG6B5-713X-G21I-5G82-5SE320U4741T}\StubPath = "C:\\Windows\\system32\\windir\\svchost.exe Restart" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5O7CG6B5-713X-G21I-5G82-5SE320U4741T} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5O7CG6B5-713X-G21I-5G82-5SE320U4741T}\StubPath = "C:\\Windows\\system32\\windir\\svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes1181.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes1181.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes1181.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\windir\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
UPX packed file
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windir\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\windir\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\windir\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windir\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File created | C:\Windows\SysWOW64\windir\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2140 set thread context of 668 | N/A | C:\Users\Admin\AppData\Local\Temp\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hudigbn5.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD328.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD327.tmp" |
| C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes1181.exe | "C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes1181.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" |
| C:\Windows\SysWOW64\windir\svchost.exe | "C:\Windows\system32\windir\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\hudigbn5.cmdline
C:\Users\Admin\AppData\Local\Temp\hudigbn5.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcD327.tmp
C:\Users\Admin\AppData\Local\Temp\RESD328.tmp
C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes1181.exe
C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe
C:\Windows\SysWOW64\windir\svchost.exe
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
C:\Users\Admin\AppData\Roaming\Adminlog.dat
C:\Users\Admin\AppData\Local\Temp\Admin7
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-04-21 13:53 |
| Reported | 2024-04-21 13:55 |
| Platform | win10v2004-20240412-en |
| Max time kernel | 148s |
| Max time network | 151s |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windir\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windir\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5O7CG6B5-713X-G21I-5G82-5SE320U4741T} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5O7CG6B5-713X-G21I-5G82-5SE320U4741T}\StubPath = "C:\\Windows\\system32\\windir\\svchost.exe Restart" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5O7CG6B5-713X-G21I-5G82-5SE320U4741T} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5O7CG6B5-713X-G21I-5G82-5SE320U4741T}\StubPath = "C:\\Windows\\system32\\windir\\svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes1181.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes1181.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes1181.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\windir\svchost.exe | N/A |
UPX packed file
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\windir\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windir\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\windir\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windir\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windir\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2424 set thread context of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zhiqmmlq.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc59561C0868D949758186E608DEB524A.TMP" |
| C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes1181.exe | "C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes1181.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" |
| C:\Windows\SysWOW64\windir\svchost.exe | "C:\Windows\system32\windir\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\zhiqmmlq.cmdline
| MD5 | f365a4eb36575923a6daff5ddd8b09bd |
| SHA1 | f170a39ca508f1dad5e137c7acd8ae89454164a0 |
| SHA256 | a0f4ffc98057757b2e25404b5d7c270efc33b83013b1eaabed3a2019c19478e9 |
| SHA512 | d9f8fe65c40a9186ead3dcef239c9d8cac3ed8d5ed65c387721a5bc86f67fc2ac3eea51efe9154d97fe7aaa5deef095fb8bb5759e8810136ed34a50c958aaf41 |
memory/4140-15-0x0000000000AE0000-0x0000000000AF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zhiqmmlq.0.vb
| MD5 | fa7f51d39dba0e32645fb562f7b040e7 |
| SHA1 | bde63673a86169584defd4ec03ea9aeb39b83cfa |
| SHA256 | 3e306be355eaf9bc1c7fff8971257cd54f65f6f12e7b27d856f93caf443f1f76 |
| SHA512 | 934b8cb8bfadd28253c575c447cd48b41d3f02ead14f561845bcf79de85175999b50abad70c392cc57300f9257d14191abb5ffd0eb2c31d1edcf1270b391d99a |
C:\Users\Admin\AppData\Local\Temp\vbc59561C0868D949758186E608DEB524A.TMP
| MD5 | ee2a36bd7ded2e3c2f9beb0f27f87cf4 |
| SHA1 | c95a02ed83a40db2c78fb77daea4a85ab7d8865e |
| SHA256 | f4aca1ca06c82be0a3a439440953e7cfeb2a152a934d3de6b8b6bdc35dee0986 |
| SHA512 | 2754d7bc26b8401c0fad4e3136463e6b1d040e94cef537d258aef34b452df4f7bf30f92e0127751a63bc4ad26cbe985ead55b7806793256e8b1f874e0b7ee02c |
C:\Users\Admin\AppData\Local\Temp\RESD3CB.tmp
| MD5 | 9b0bf34a7b3712b7835e6ea06c771815 |
| SHA1 | 3c85aa45a3b6a59f956ff8fffa6a52e843824122 |
| SHA256 | 0c54d6bdc278384fefff0262116f1cd1a53625c67b8e5e804b69275c901b9f4b |
| SHA512 | 8335c71f0d126a562d78b4d44a5ace983e146cc435a784b9b70063db5f2d472481a6e975698b22dc759e8be438ae9b98968e2efeef2c636c8bc2b1ba2f8e08c0 |
C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes1181.exe
| MD5 | 936f225bd08967b30d57eb1474fb4652 |
| SHA1 | a55c2e1286a7f4676bfe571076554b19f0481ea9 |
| SHA256 | cbae8bd7702023163b60587f4bcd64bd1fe80cdc98cdd572db7ad37d0597d0a8 |
| SHA512 | e00db107fc64802c0de2441b081364bd95c6c166bc23532f17078934b44e49de42c43fd0a19e8f4a1a3e17d5b4d3205208a95b444bc6116892ca570a20839f88 |
memory/2424-28-0x0000000074920000-0x0000000074ED1000-memory.dmp
memory/2220-29-0x0000000074920000-0x0000000074ED1000-memory.dmp
C:\Users\Admin\AppData\Roaming\ff6d047dd419eccbb0f0db2d1f82fbf4_JaffaCakes118.exe
| MD5 | ff6d047dd419eccbb0f0db2d1f82fbf4 |
| SHA1 | 30a621e24f99473891c4c622a80d777ba0ecfb4c |
| SHA256 | 7bef4696e728107bdefabea3bddad00c04e776fd783a74575b9e68b0b5bd351c |
| SHA512 | 7781e4c067883117a61c90eebe9d1fa2f34042313e60267b9b56a0f07582b4b7240f61f8a7d4c2d9303d9374effae9dda47514ebf53363ce0894dbc3b31c193a |
memory/2220-32-0x0000000074920000-0x0000000074ED1000-memory.dmp
memory/2220-34-0x0000000074920000-0x0000000074ED1000-memory.dmp
memory/3564-38-0x0000000010410000-0x0000000010475000-memory.dmp
memory/1916-43-0x0000000000F00000-0x0000000000F01000-memory.dmp
memory/1916-42-0x0000000000E40000-0x0000000000E41000-memory.dmp
memory/3564-98-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/1916-103-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | af504c7074b4c2e6d40c210594cae5ce |
| SHA1 | 261fde6630498da13e0271ffc90f7b7f0cadd89b |
| SHA256 | 914abe023ce834b557e1ed58718c512e5be71e8c56a1bf9b0fff5d95a5a1e183 |
| SHA512 | db9fc72612297cb145b7858157c009b3533bafd89f99990da84137a76099b5b993710a2b25521874b29e1f1bfe2244827b8ed2dd3e9247bcac5952e4fad3a7cd |
C:\Windows\SysWOW64\windir\svchost.exe
| MD5 | d881de17aa8f2e2c08cbb7b265f928f9 |
| SHA1 | 08936aebc87decf0af6e8eada191062b5e65ac2a |
| SHA256 | b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0 |
| SHA512 | 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34 |
memory/3564-114-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3564-134-0x0000000000020000-0x0000000000022000-memory.dmp
memory/3564-177-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3112-176-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 52887b4102327c925084492560b496c5 |
| SHA1 | c26e583ead0de68e128b6b249c7360e062a2ca1c |
| SHA256 | 6d3597f57beec05b0894c7bcfb1fea519c9fec297a566ef364b47c500473af21 |
| SHA512 | 5c24660264440bb590e58adb06bc2217cf2230554cbd6bddd0c60a9df22f652d3f8a1403118d4aaaa9d960ec38ace17b54d09aefd15a2bc6ddebdd0a134a1673 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cbbdf6b06ce3a8021b65a3f4d7db5cd5 |
| SHA1 | 0f45f1dc6a0ea7b366186c502659fe94a5c18ec5 |
| SHA256 | fb75e2d6852ce45e8a86e4358ce03b81755b927a34effa7ce46e09310223148b |
| SHA512 | be341f880ae163b577d8566ec0793f41abaff49532fa474470ca04bcab2beab658b99ee0eeb74709fd302bc65fcb15f3431673909152ac33ae028f924ca3570d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e135b07b67124303a429284b4763ad93 |
| SHA1 | 6e5b1270755cab5ff9e04e7cfb5a57f87dce2ef3 |
| SHA256 | a68e3b0f09f87671c8b26cd32ccc03fc5ff05c5c97e6d5bff0490802014fd95a |
| SHA512 | a343325627a55076397e6c1ea862e74061e92943eaa8907b9a7b67a1d4004f48d092062b6c69e9f0472864714b879e625b2659669b6efedec9ed519b9c7a3bf8 |
memory/1916-346-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 3f07813798c1f689ee5f83e060386e9f |
| SHA1 | fca7edd6305ba7f9c794cb288c8916eba59eeae5 |
| SHA256 | 1aef82034450108410644ffd3f28f89b4d4a20d68e882d303023d0e06a7ec9ff |
| SHA512 | 94a2572df510ac489d1276a70bed756897bccbfae13c43fee8852119079f8025e4a98eb782553d1d41618af229f448fe2e0e3890b6cd1c3ad32167b3260ad7ea |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 787ad5781d7690b5ce7a300c66b8c61b |
| SHA1 | 42d880dcc4655b3f810a03e0aa87a64edd8391d4 |
| SHA256 | 49611fafdc89036a8ab32635224699821066a35195855a64ba9838c6e085a515 |
| SHA512 | f6528880f326cced33d5ea91559ebaa16206709815af30a09f37feadef88bc0d61438ad520447a2f02cd6c762402a66d00e3e655d818c48b00886d20d369bb79 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 75cc2603f58eb1301bc1078e9803c2f0 |
| SHA1 | 73fef6a032a239352185ae941275b684851670d5 |
| SHA256 | e4dd4e026b5134f8ed99695b19d4a6238adfb621abdc68c8011e537aac1262c3 |
| SHA512 | 3126d4bf8efae16f68d659996bf2c58ffe8f0ff91efcd577a1931adebf0f44bfb4c0b66d89fd2ee9f75f6fd361da8447692cc94e2e50ee4cae8515002094949e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5bb086a74fc6d10b4d6c065eb5978a82 |
| SHA1 | f89256c96c0d14778a30cd385e5213da4403f102 |
| SHA256 | 829481eb15efe059277af69e18aa036a6b8298ddbc6dfa088631098690351824 |
| SHA512 | 25b76a9855ef64788a9469e18a5c908afeace67d2fe0e0c3b712e53796b8add03339161852a96097a6e9e452b37042ff3530b5277cfacfea91689aa26521cb7f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e6581f6c0e297663d110cbe8b2405fed |
| SHA1 | bdbe3944f378d5cc18fd18c9b924480fa569bd89 |
| SHA256 | 6381b8efbbad71aa88663f953000a25b0c4dae5be9c37989faf26d858190e832 |
| SHA512 | 3e9051941da4e333038730ce42f5ad215427472bed043ee0af7a99dd68bc66f3848aacd26dbeb29efc21825077772d36c3f74a6a3bd0fc8b445e1f6c6980f52a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c038ea4c0c8533f93fbff7848a0c1a11 |
| SHA1 | 2e2df1f7043a465a1ffc072962f6ab6f2646fc67 |
| SHA256 | de56a7b9dcaf55d93ebe2f46ac2c650087f0023508fd1be6cd611a2fe507ad65 |
| SHA512 | a6e06b5ee9f01d1bd324741fd2ab7bd25bc97aefa54d307d1ba298f568ec2c6bd5408ac7d4c0954a187a5042ead0bf5761cf9df3023ba9b65ece654cc0954251 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 91e175c86f6f67972c2ee73fa52d7345 |
| SHA1 | 1fc9e81eaf2ba0438c3edf00b7c76aaf6f5b1efe |
| SHA256 | eeec4e739df1047a797ba1a7cec40c0ae3fbca1b255865ea17ade550886461ac |
| SHA512 | b21f6f1be84c138fcea877d6da44d028a1abb147161c72dcf4436f439a7548e6fdc00b264d217bf0941b863fba55a8f77799f438fdccdbd2df1972df0f3aeac7 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 690a0c9299abbe7b4da137c3c18519d1 |
| SHA1 | 0e6f234f93b7c945169908539e432a6b17ee31fb |
| SHA256 | b6a1441bb53cba9f1223f5444dbf03b679b842ffaaf792cfd533d353fdaf02ef |
| SHA512 | 43e46930c09119df09b054a179dd23166ae1ef41b576b0e6486d9e24a45843e30bb434910da786ae3951c1840abc48e90c3b691e63df363456c662833c3bead9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | b8e235c8a1ac953fca6a07eba784bed0 |
| SHA1 | e4d8ac9212f51e96083046487344cd14eee8e2be |
| SHA256 | 8e06f21c392cc0eefe3e9bc1f7421b7a135f7e5f1134722ed0e5a65faf3c67ec |
| SHA512 | f8a16b0ee19925dec24c30449ec2454e276a96ee34498a1c444d51364a6e71988311579a264a680fdfa1091b01a021749a92a16c587a4558b0c6229d7da4a136 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 8f4977f9884f5d82d004717f33840835 |
| SHA1 | 8ea9017a10ae4c2ff7ef647db76a87904d882a5a |
| SHA256 | ad798ac8b990f8366b601476632629693a75a73a84540f47e58723e662a23df6 |
| SHA512 | 22b0462061665403b323d1c7a2326c9be1cd8f84e3756aa110d8970ee6d80197df5a2bd8a9ce995946ae54da1ad0f2981114bcb68f74bb7dedc5d93ab7185efa |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 354a4c1d94ca9e35b8a1fa34cc0f7176 |
| SHA1 | 8f15ecebb33647fb8bb0c0cf929875f0f9002c85 |
| SHA256 | 84137a8ae6d82f64e2c5606987d51c23daba386bcd9e055e9c5b6c6415ff7554 |
| SHA512 | 14822419a15d79e5e9a2fc448ddd70dceada4a8d318ec064868dfe07fb2b32891f089e2a7aa76414439b3dd6d149760a7e2834f46b1e1495fd1e09a94ab33508 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 850384efbdd48025cf4a7046b45a66bb |
| SHA1 | ee3702f8b6304d4c4d3a0db8a1f808365981bc06 |
| SHA256 | 269fee7f4c8cedc565041be366d79dfb07b7af869bdfcf201b4825cb653fb78d |
| SHA512 | 8a8c561f78231db9eef0d85738d21b9c1920fbf270b66dbe6b2ee57a39f676905c7b06bb7d8805b1bcc4d155a19e7450e2611717fb3c331412ea166451c4c615 |
memory/3112-1475-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c1a46a4787d7b7520a675cc3b276d11f |
| SHA1 | 2a559d0bebc5f6011385338154de688577b3e989 |
| SHA256 | 330fb69ffd96617259b7e0eb022bacb8177c4c689f0521f6eca3020e816afcba |
| SHA512 | 55fe8dc060b93c0443c9a947df6eb14d937f6655869dc11e482fad1c5ba34bcc66dff0b8cca56baa654c795b06d2b6acd95da22f0b4d4ffcdda8c398939e9a89 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | bcf06a0d06ecc42afccf73f35bb42d6b |
| SHA1 | cd27aaff389505e11f3964b09e271ef5798a7e5c |
| SHA256 | 81900aeadc4dc0762853cd6a876643c325f7436bd463f6a91c1187913d1be00f |
| SHA512 | bc10a8ac7de9aabe478cf8626f38ad8e6976315eeb71810d46d3a9f4b8925a3d68a0b86eec9a50171bf8d41dc66d4718f05f545ac59586024ac008458c5058e1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | df6afbcd47df3592af880cf4dae29276 |
| SHA1 | bb485f9c4f3685595b0e58fb8584057460b15010 |
| SHA256 | 2c4c032f502dd3e8abf6ae0304243cdc1ebfe6a28272ec539054bea944a7adf3 |
| SHA512 | a0b101217fa9e348ba3bd0313d872eac7fc3cddae15d331daa243adea3895fad30fd57f8caf68d2f8a32c865eb304f0e852935824885b20014fe1bbd06b5f43a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 894df7ca356466f3f40ba6b9efd3fe91 |
| SHA1 | 41321568739fc40cc7e0f8eef4543e641b4f34be |
| SHA256 | 251bcf1389558c028b55ec6a10ffed5efe0f7e4357678dec806af8a2a180b8aa |
| SHA512 | 5161077aab55391ff9b68f7818c59f9b924c67d0406f3628d6a2fec567882fecabbf2778f958c58a75f2d0db219f8fc095df1a66c7be8121606a003e55f77cea |