Malware Analysis Report

2024-09-22 09:44

Sample ID 240421-vj15ksff36
Target ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118
SHA256 4494a1dd099f4c76c2ad6b5b13c0d848831b0fe79e54ed67cc42949e748f954b
Tags
cybercyber cybergate persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4494a1dd099f4c76c2ad6b5b13c0d848831b0fe79e54ed67cc42949e748f954b

Threat Level: Known bad

The file ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybercyber cybergate persistence stealer trojan upx

CyberGate, Rebhip

Cybergate family

Modifies Installed Components in the registry

Adds policy Run key to start application

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-21 17:01

Signatures

Cybergate family

cybergate

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-21 17:01

Reported

2024-04-21 17:04

Platform

win7-20240220-en

Max time kernel

146s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\Svghost.exe" C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\Svghost.exe" C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB} C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB}\StubPath = "C:\\Windows\\system32\\Windir\\Svghost.exe Restart" C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB}\StubPath = "C:\\Windows\\system32\\Windir\\Svghost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windir\Svghost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Windir\\Svghost.exe" C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Windir\\Svghost.exe" C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Windir\Svghost.exe C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Windir\ C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Windir\Svghost.exe C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Windir\Svghost.exe C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe"

C:\Windows\SysWOW64\Windir\Svghost.exe

"C:\Windows\system32\Windir\Svghost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

memory/1192-3-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/788-248-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/788-249-0x0000000000430000-0x0000000000431000-memory.dmp

memory/788-526-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Windows\SysWOW64\Windir\Svghost.exe

MD5 ffc0b1f6527773f16534c51c27d63b36
SHA1 e1e88ddf72246ef04b63fcc22a0135db1414c0d9
SHA256 4494a1dd099f4c76c2ad6b5b13c0d848831b0fe79e54ed67cc42949e748f954b
SHA512 6ac64680c82c40ece00806dd8c988ad16622359c0548d3608273a6826d484430f342ee6b0bd1aca8ea831370d52103b414950b2532382b8b4d6636010030b0dc

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 ea3c0ecca844df73b8e7f93962b06113
SHA1 a85b4dd585f1860c04fa8289309c5fe1189b4c5a
SHA256 e94611397e7bad562aad76f13b03e5e2966edf6cc67fd6e6fd9a1484febbd0b6
SHA512 929e6a4cc172ab4599e403d24d9bc67c7d74750cb36dbcc8a5d0deb0f1ab41845040c5e97121a4538b83aba1cf0c57d0ffff9aafda323dd7fbcff76082d5cddd

memory/1232-821-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e69103bcfcb1c2134231480575a031cd
SHA1 29abe52bb7b37250e47226653fb01c4ae6439ea8
SHA256 904224b9974d5e03862723277f49f5563ef39f04a8cde12e1cbbe47d9b64814b
SHA512 5f4d1846dab133ab256e6cbc6628a942921aa42988455c8b0ddf4b0d8c791a085132a0ba2edcf1a1f28456c18532de78346f9aa0042676dff867ea89d749e327

memory/788-1102-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/1232-1733-0x0000000010560000-0x00000000105C5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-21 17:01

Reported

2024-04-21 17:04

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\Svghost.exe" C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\Svghost.exe" C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB}\StubPath = "C:\\Windows\\system32\\Windir\\Svghost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB} C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB}\StubPath = "C:\\Windows\\system32\\Windir\\Svghost.exe Restart" C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB} C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windir\Svghost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Windir\\Svghost.exe" C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Windir\\Svghost.exe" C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Windir\Svghost.exe C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Windir\Svghost.exe C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Windir\Svghost.exe C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Windir\ C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Windir\Svghost.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe"

C:\Windows\SysWOW64\Windir\Svghost.exe

"C:\Windows\system32\Windir\Svghost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4708 -ip 4708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 580

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 137.191.110.104.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/2900-3-0x0000000010410000-0x0000000010475000-memory.dmp

memory/4776-7-0x0000000000830000-0x0000000000831000-memory.dmp

memory/4776-8-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/2900-63-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/4776-66-0x00000000039A0000-0x00000000039A1000-memory.dmp

memory/4776-67-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/4776-68-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Windows\SysWOW64\Windir\Svghost.exe

MD5 ffc0b1f6527773f16534c51c27d63b36
SHA1 e1e88ddf72246ef04b63fcc22a0135db1414c0d9
SHA256 4494a1dd099f4c76c2ad6b5b13c0d848831b0fe79e54ed67cc42949e748f954b
SHA512 6ac64680c82c40ece00806dd8c988ad16622359c0548d3608273a6826d484430f342ee6b0bd1aca8ea831370d52103b414950b2532382b8b4d6636010030b0dc

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 ea3c0ecca844df73b8e7f93962b06113
SHA1 a85b4dd585f1860c04fa8289309c5fe1189b4c5a
SHA256 e94611397e7bad562aad76f13b03e5e2966edf6cc67fd6e6fd9a1484febbd0b6
SHA512 929e6a4cc172ab4599e403d24d9bc67c7d74750cb36dbcc8a5d0deb0f1ab41845040c5e97121a4538b83aba1cf0c57d0ffff9aafda323dd7fbcff76082d5cddd

memory/884-138-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 18411690b496fcd280cc0a9b2b1e4b30
SHA1 b21e926bf0494687fab3b3f1741d89b5473e624e
SHA256 648696d1c7fb3e562d6c56566a4414a9debbf28742861013afa2ad97c6649e12
SHA512 ab230fc850afaf500f3c5759de90fc790423a0fb2df63370485eb55bfcf8e47808eaa053773ff8c97d16dfb0dbd93769caab37bd3eeb4cde36160cc59ba21543

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 91a2daef9188edbd9ea3129f40a6b67e
SHA1 665ebacc051cafe2f87f396a77358bc9473f8135
SHA256 18e2b6584ae2caafe20ef2e2dccc519d3ce20bd63340e235e72e6f7d35c26c35
SHA512 e0159bf3fa76298014de4bd973ae1ac74841c8fdfbf49825719489b41931217baa5e3fe2e974ecf133f9858ebaf0cb4bd2f201a50a880f6052dd9211a3dd0f04

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c328fdf693b38cc4b62c696623e85179
SHA1 d6ed51b4fe8170b17ef3eeede7aea0ac9057fb0a
SHA256 29acc0615d896d844b6b9d28a3bf15624cf5813e8cff35514fd8eaf9783d8102
SHA512 900f752d4d220d1156abecb6e4cf9a520530e00c5940ce042f2b41c1638063cdac83d79f9f9c9dafcbaebafc73325a7a5d895c91b48e0c6093c100fd384ba42e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 09d98a104855f2ece9ec6c50c728aebd
SHA1 09f18e2e1e73f68519d73c974b6b21f84518a81b
SHA256 c164e4384a77b7819614225ab02c4da92b24a56fb743749d4a79777a5d436989
SHA512 41c098de694a4279205ddcdb5286b40043249ca82a3365382ac3ae1779b3ba09e00f51b424ffc9080d3b6a795aea5c16baa414c3f6a1a557556953a86f4caed1

memory/4776-519-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e7d698b9f3cfb60d8a7f5f99e1c57363
SHA1 a9b8deee7587ab23bfe88b2e27112620933c799f
SHA256 c25d226b031db770daf199f462aa2cca46f288b91b6eeb71a14f59f262de8816
SHA512 c38f6e785355f91b1fef869381a2bdf1db0ebf92e12934683270e5fd1ab9acd37e76c441c99c0ca44c04cf2bddf1632d36c938276dfc2266ddc1380a748b6208

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b6a8dcb2cb560226e4b7bb2b326df3df
SHA1 3cc2c953079de84845f60544e2d2034db40a6317
SHA256 f36b1757183b63ac688a6515d85b32c0c7c3e40389eb6f57640c38d46952fd14
SHA512 dd6937644010102dda08351131209baa45db6c9bf34d23a14a4acecabbe9773a6ae2321e8b1e25fb36b7f87b68457f8e2efae250b6849770560dfd6222f9d8c5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d103250bc88367d9e350520986421795
SHA1 8aed69e57698784f3684e2688612638b59525872
SHA256 da745f63ff7f5d4367254e2ddada59923b6754391c9d5928f18549b4d30d58c3
SHA512 fd880f2ac39f2c097929eb6739dcf3e43890d524d625d794449890e7bff501855cf0dc53a30a06f4d4e476ab08d48dca453768c5710afb22f0d06f977863f6ae

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4d077924cd1758f89af1e56b2e483427
SHA1 08063cec642c1c2a1927074234c2fef00db5a405
SHA256 aabdc878d016136d5c24f7b0e06f5b9377cd738a887aa65f32292e716429eb54
SHA512 df8df3e6ab86cc5c9ceb5d710f7da0ed73a3eefdd3512c8f101a71302e2fbc5b8b7209476ed65b457b584f8e031450b4cf3f50ff36c68283a782e322a05a5d74

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f678dab973c07206a78710ccae2b8cca
SHA1 868b2dbac1ef79f6f2a96301289905e92b4ed85e
SHA256 0fbc2d32d5f01a50712a51b36b0cf0734ae83d9f54a6c9dee5208c1761694a53
SHA512 9043e593c88a221d502d912f6bf5bea36bcf403b6fcf8bd3305aea0ce38fbb8e55d11b6e1d4daf743b684589fb52675b84a8cae78ecb4323b9f204723f6a72cb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c2b69c0a3fdb915e6c1087820cb8ef30
SHA1 3411a4249f399a8fdd93fe5fd355930c3f93d78c
SHA256 3e7334eaeca0c204102c62264672cefc54dbee3671e5ba539a7a92de565788c1
SHA512 d114ab22bad8ce4e911771d162f86d3d64e1a7c1ea0d65fd7ee587bf4c4381f13dbfe03d990a97dfdd3c9cd2f5a57aefd47561ba5229e718530a89b2497e3112

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 aab84ac991492ecbd8c99c0a4b169ccf
SHA1 24220750ac21047034fe694e95cfbabd23af126c
SHA256 48284ab5a0d0a6baafb5496e808da4fabd3bd41a4c744817f2bf1819c80d85a2
SHA512 cd67cf197e203cf7045c179d6c1c2b07b48813e7df9c3fc463e452aec047ff3a52cef0d27d7cc34d0d6282ec845d1b4946a7120d5b24b026798aad2f8d98ea8f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ecd49c3b661b039b86c01810f860510a
SHA1 c119218011189a6c8d7dd171687397321e3a2e56
SHA256 54321bb46cf042348dae19a1939c4400bcbb40c61493cc617deb9a86bd28ec99
SHA512 daeabb62c5515fb908cf1b211e864c2129086d4bdab03b84938d536f88636adb6aaf9d880aa7032bc4c250bd73b0ebf6dca3ee7a9aaf13a3c97fd1d2b91a7f33

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 19d7081670fdcfec2c94318671a859ff
SHA1 b97a4096438b91076bfd62dd9f18c3a9edf3188e
SHA256 27b229bac9e7fda36a577d09f9b602ed3d5118a9a4104f89bfd80791a05d61e5
SHA512 1dbb8be823d813b2684b2c91bf42bb7fd32b36d858d0e782b8eb013ce224c12f60c8cf00fc50b8fc783edb4bf6d1ab8f66ab6b821b120f88ec18ec74be64f15c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9b2accd7a7985f0e4b0b24f8f3ff8b49
SHA1 33c4351f6b7667ceb5a28f6d1be4d5e347e39bc7
SHA256 6c3f3ed8ce9b319c70666dc72d1ab177f54aca902a8ff868e844454fa4d2ba6c
SHA512 9053ab63186eeebc1a39671995cf069134d147d3b3d1b2b877a2f3781f1d32215041e14dd0505ed8bbda8fb8ed7aaccdc0526779b3e8bc181610d3bf71a01ac1

memory/884-1424-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2dc7e5d3429c0348b34f8ccfe2875c75
SHA1 0b538ba16d4adb8e415528e4f40209a731cdeadf
SHA256 9a20da6b7edb136f3ff85e24de946b252e8b1f4084eadb875d82668990280e9e
SHA512 611d8e9393140ad798a051f75aae6407fb9aa0870a9c3b26aa5c426f73fa1a213eb1936a4898a59edaece7475b32e0a55d37408ac78676c23b0295620e08bf46

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2e3649412777bafcf87b33f16f81b88d
SHA1 e916a3a8019b43d051e0c0a43303544c5d7314d9
SHA256 9bcf6416e2e8c270498af6903b3bdee7225a7487eeff04c91de8dba8b2149264
SHA512 9c18413fd5f620dc94337eb47d1190f3fb7e42a48210610b302af263207a7a410875f80bf294c36fe7867fcea70cad8f4fd9a7db854b252525f73a0fc3643a86

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3543241091790467e7f20ef9bdfc1460
SHA1 59dfcda01255bea3def67e510d46d3dcef8f6f66
SHA256 997783f1357beb0d9d396d8a41f451825244633d251e82008e9bcb2daee2fd55
SHA512 2586988f321605e6b1f4ca0beccf055b4e0caaf24d154012da44b5889207428d08dbb35aa062584046246fc7f6ee616ac16ff538126315091ef257427db272af

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4b24c4e30e9d100b515defcbd55c6e83
SHA1 f741b9aef183d291c6a75028b121751191086411
SHA256 290481ce835f8246179929fb0a55bfa4398b4911edeea4a312441e34093af5e5
SHA512 a626659860240fe3850a3dd4d397d36e3a2ede728775584963083be4e42e06694bb8feff9e92df0653d383715c3caea9d68a2eef793b8b5947a08c2ce0957140