Analysis Overview
SHA256
4494a1dd099f4c76c2ad6b5b13c0d848831b0fe79e54ed67cc42949e748f954b
Threat Level: Known bad
The file ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Cybergate family
Modifies Installed Components in the registry
Adds policy Run key to start application
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2024-04-21 17:01
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-21 17:01
Reported
2024-04-21 17:04
Platform
win7-20240220-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\Svghost.exe" | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\Svghost.exe" | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB} | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB}\StubPath = "C:\\Windows\\system32\\Windir\\Svghost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB}\StubPath = "C:\\Windows\\system32\\Windir\\Svghost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Windir\Svghost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Windir\\Svghost.exe" | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Windir\\Svghost.exe" | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Windir\Svghost.exe | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windir\ | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\Windir\Svghost.exe | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windir\Svghost.exe | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\Windir\Svghost.exe | "C:\Windows\system32\Windir\Svghost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/1192-3-0x00000000024F0000-0x00000000024F1000-memory.dmp
memory/788-248-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/788-249-0x0000000000430000-0x0000000000431000-memory.dmp
memory/788-526-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Windows\SysWOW64\Windir\Svghost.exe
| MD5 | ffc0b1f6527773f16534c51c27d63b36 |
| SHA1 | e1e88ddf72246ef04b63fcc22a0135db1414c0d9 |
| SHA256 | 4494a1dd099f4c76c2ad6b5b13c0d848831b0fe79e54ed67cc42949e748f954b |
| SHA512 | 6ac64680c82c40ece00806dd8c988ad16622359c0548d3608273a6826d484430f342ee6b0bd1aca8ea831370d52103b414950b2532382b8b4d6636010030b0dc |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | ea3c0ecca844df73b8e7f93962b06113 |
| SHA1 | a85b4dd585f1860c04fa8289309c5fe1189b4c5a |
| SHA256 | e94611397e7bad562aad76f13b03e5e2966edf6cc67fd6e6fd9a1484febbd0b6 |
| SHA512 | 929e6a4cc172ab4599e403d24d9bc67c7d74750cb36dbcc8a5d0deb0f1ab41845040c5e97121a4538b83aba1cf0c57d0ffff9aafda323dd7fbcff76082d5cddd |
memory/1232-821-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e69103bcfcb1c2134231480575a031cd |
| SHA1 | 29abe52bb7b37250e47226653fb01c4ae6439ea8 |
| SHA256 | 904224b9974d5e03862723277f49f5563ef39f04a8cde12e1cbbe47d9b64814b |
| SHA512 | 5f4d1846dab133ab256e6cbc6628a942921aa42988455c8b0ddf4b0d8c791a085132a0ba2edcf1a1f28456c18532de78346f9aa0042676dff867ea89d749e327 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 18411690b496fcd280cc0a9b2b1e4b30 |
| SHA1 | b21e926bf0494687fab3b3f1741d89b5473e624e |
| SHA256 | 648696d1c7fb3e562d6c56566a4414a9debbf28742861013afa2ad97c6649e12 |
| SHA512 | ab230fc850afaf500f3c5759de90fc790423a0fb2df63370485eb55bfcf8e47808eaa053773ff8c97d16dfb0dbd93769caab37bd3eeb4cde36160cc59ba21543 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 91a2daef9188edbd9ea3129f40a6b67e |
| SHA1 | 665ebacc051cafe2f87f396a77358bc9473f8135 |
| SHA256 | 18e2b6584ae2caafe20ef2e2dccc519d3ce20bd63340e235e72e6f7d35c26c35 |
| SHA512 | e0159bf3fa76298014de4bd973ae1ac74841c8fdfbf49825719489b41931217baa5e3fe2e974ecf133f9858ebaf0cb4bd2f201a50a880f6052dd9211a3dd0f04 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c328fdf693b38cc4b62c696623e85179 |
| SHA1 | d6ed51b4fe8170b17ef3eeede7aea0ac9057fb0a |
| SHA256 | 29acc0615d896d844b6b9d28a3bf15624cf5813e8cff35514fd8eaf9783d8102 |
| SHA512 | 900f752d4d220d1156abecb6e4cf9a520530e00c5940ce042f2b41c1638063cdac83d79f9f9c9dafcbaebafc73325a7a5d895c91b48e0c6093c100fd384ba42e |
memory/788-1102-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 09d98a104855f2ece9ec6c50c728aebd |
| SHA1 | 09f18e2e1e73f68519d73c974b6b21f84518a81b |
| SHA256 | c164e4384a77b7819614225ab02c4da92b24a56fb743749d4a79777a5d436989 |
| SHA512 | 41c098de694a4279205ddcdb5286b40043249ca82a3365382ac3ae1779b3ba09e00f51b424ffc9080d3b6a795aea5c16baa414c3f6a1a557556953a86f4caed1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e7d698b9f3cfb60d8a7f5f99e1c57363 |
| SHA1 | a9b8deee7587ab23bfe88b2e27112620933c799f |
| SHA256 | c25d226b031db770daf199f462aa2cca46f288b91b6eeb71a14f59f262de8816 |
| SHA512 | c38f6e785355f91b1fef869381a2bdf1db0ebf92e12934683270e5fd1ab9acd37e76c441c99c0ca44c04cf2bddf1632d36c938276dfc2266ddc1380a748b6208 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | b6a8dcb2cb560226e4b7bb2b326df3df |
| SHA1 | 3cc2c953079de84845f60544e2d2034db40a6317 |
| SHA256 | f36b1757183b63ac688a6515d85b32c0c7c3e40389eb6f57640c38d46952fd14 |
| SHA512 | dd6937644010102dda08351131209baa45db6c9bf34d23a14a4acecabbe9773a6ae2321e8b1e25fb36b7f87b68457f8e2efae250b6849770560dfd6222f9d8c5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d103250bc88367d9e350520986421795 |
| SHA1 | 8aed69e57698784f3684e2688612638b59525872 |
| SHA256 | da745f63ff7f5d4367254e2ddada59923b6754391c9d5928f18549b4d30d58c3 |
| SHA512 | fd880f2ac39f2c097929eb6739dcf3e43890d524d625d794449890e7bff501855cf0dc53a30a06f4d4e476ab08d48dca453768c5710afb22f0d06f977863f6ae |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4d077924cd1758f89af1e56b2e483427 |
| SHA1 | 08063cec642c1c2a1927074234c2fef00db5a405 |
| SHA256 | aabdc878d016136d5c24f7b0e06f5b9377cd738a887aa65f32292e716429eb54 |
| SHA512 | df8df3e6ab86cc5c9ceb5d710f7da0ed73a3eefdd3512c8f101a71302e2fbc5b8b7209476ed65b457b584f8e031450b4cf3f50ff36c68283a782e322a05a5d74 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f678dab973c07206a78710ccae2b8cca |
| SHA1 | 868b2dbac1ef79f6f2a96301289905e92b4ed85e |
| SHA256 | 0fbc2d32d5f01a50712a51b36b0cf0734ae83d9f54a6c9dee5208c1761694a53 |
| SHA512 | 9043e593c88a221d502d912f6bf5bea36bcf403b6fcf8bd3305aea0ce38fbb8e55d11b6e1d4daf743b684589fb52675b84a8cae78ecb4323b9f204723f6a72cb |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c2b69c0a3fdb915e6c1087820cb8ef30 |
| SHA1 | 3411a4249f399a8fdd93fe5fd355930c3f93d78c |
| SHA256 | 3e7334eaeca0c204102c62264672cefc54dbee3671e5ba539a7a92de565788c1 |
| SHA512 | d114ab22bad8ce4e911771d162f86d3d64e1a7c1ea0d65fd7ee587bf4c4381f13dbfe03d990a97dfdd3c9cd2f5a57aefd47561ba5229e718530a89b2497e3112 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | aab84ac991492ecbd8c99c0a4b169ccf |
| SHA1 | 24220750ac21047034fe694e95cfbabd23af126c |
| SHA256 | 48284ab5a0d0a6baafb5496e808da4fabd3bd41a4c744817f2bf1819c80d85a2 |
| SHA512 | cd67cf197e203cf7045c179d6c1c2b07b48813e7df9c3fc463e452aec047ff3a52cef0d27d7cc34d0d6282ec845d1b4946a7120d5b24b026798aad2f8d98ea8f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ecd49c3b661b039b86c01810f860510a |
| SHA1 | c119218011189a6c8d7dd171687397321e3a2e56 |
| SHA256 | 54321bb46cf042348dae19a1939c4400bcbb40c61493cc617deb9a86bd28ec99 |
| SHA512 | daeabb62c5515fb908cf1b211e864c2129086d4bdab03b84938d536f88636adb6aaf9d880aa7032bc4c250bd73b0ebf6dca3ee7a9aaf13a3c97fd1d2b91a7f33 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 19d7081670fdcfec2c94318671a859ff |
| SHA1 | b97a4096438b91076bfd62dd9f18c3a9edf3188e |
| SHA256 | 27b229bac9e7fda36a577d09f9b602ed3d5118a9a4104f89bfd80791a05d61e5 |
| SHA512 | 1dbb8be823d813b2684b2c91bf42bb7fd32b36d858d0e782b8eb013ce224c12f60c8cf00fc50b8fc783edb4bf6d1ab8f66ab6b821b120f88ec18ec74be64f15c |
memory/1232-1733-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9b2accd7a7985f0e4b0b24f8f3ff8b49 |
| SHA1 | 33c4351f6b7667ceb5a28f6d1be4d5e347e39bc7 |
| SHA256 | 6c3f3ed8ce9b319c70666dc72d1ab177f54aca902a8ff868e844454fa4d2ba6c |
| SHA512 | 9053ab63186eeebc1a39671995cf069134d147d3b3d1b2b877a2f3781f1d32215041e14dd0505ed8bbda8fb8ed7aaccdc0526779b3e8bc181610d3bf71a01ac1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2dc7e5d3429c0348b34f8ccfe2875c75 |
| SHA1 | 0b538ba16d4adb8e415528e4f40209a731cdeadf |
| SHA256 | 9a20da6b7edb136f3ff85e24de946b252e8b1f4084eadb875d82668990280e9e |
| SHA512 | 611d8e9393140ad798a051f75aae6407fb9aa0870a9c3b26aa5c426f73fa1a213eb1936a4898a59edaece7475b32e0a55d37408ac78676c23b0295620e08bf46 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2e3649412777bafcf87b33f16f81b88d |
| SHA1 | e916a3a8019b43d051e0c0a43303544c5d7314d9 |
| SHA256 | 9bcf6416e2e8c270498af6903b3bdee7225a7487eeff04c91de8dba8b2149264 |
| SHA512 | 9c18413fd5f620dc94337eb47d1190f3fb7e42a48210610b302af263207a7a410875f80bf294c36fe7867fcea70cad8f4fd9a7db854b252525f73a0fc3643a86 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 3543241091790467e7f20ef9bdfc1460 |
| SHA1 | 59dfcda01255bea3def67e510d46d3dcef8f6f66 |
| SHA256 | 997783f1357beb0d9d396d8a41f451825244633d251e82008e9bcb2daee2fd55 |
| SHA512 | 2586988f321605e6b1f4ca0beccf055b4e0caaf24d154012da44b5889207428d08dbb35aa062584046246fc7f6ee616ac16ff538126315091ef257427db272af |
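Hunting the artifacts above on a live host, as an added example that is not part of this Triage report or of the sample: the PowerShell script below checks the Run and Policies\Explorer\Run keys (HKLM, including the Wow6432Node view, and every loaded S-1-5-21 user hive), the Active Setup Installed Components StubPath entries, the dropped copy of the sample and the C2 host and address recorded in the Network table. Three details from the report shape it. First, the dropped C:\Windows\SysWOW64\Windir\Svghost.exe carries the same MD5, SHA1 and SHA256 as the submitted file, so the hash of the original sample also identifies the dropped copy. Second, every registry value points at C:\Windows\system32\Windir\Svghost.exe while the file lands in SysWOW64: the 32-bit sample is subject to WOW64 file system redirection, so the script checks both directories and should itself run from 64-bit PowerShell. Third, the Active Setup key name {1LV67644-C447-JAN6-07M4-UV2UT06GP4LB} is not a hexadecimal GUID, so any Installed Components entry with a malformed name and a StubPath is treated as a hit in its own right. The function names, the cross-user hive walk and the assumption that Admin2.txt, Admin7 and Adminlog.dat are built from the sandbox user name (applied here to the local user name) are this example's own.

```powershell
# Added hunt script for the artifacts in this report; not part of the Triage
# output or of the CyberGate sample. Indicator values are copied from the
# report; function names and the user-file pattern are this example's own.

$IocSha256   = '4494a1dd099f4c76c2ad6b5b13c0d848831b0fe79e54ed67cc42949e748f954b'
$IocFileName = 'Svghost.exe'
$IocSetupKey = '{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB}'   # not valid hex, never a real COM GUID
$IocHosts    = @('www.server.com')
$IocAddrs    = @('52.8.126.80')

$MachineRunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$UserRunSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$ActiveSetupKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)

function New-Hit($Type, $Location, $Data) {
    [pscustomobject]@{ Type = $Type; Location = $Location; Data = $Data }
}

function Find-RunKeyHits {
    # Assumption: walk every loaded user hive, because the sample also writes
    # under the logged-on user's SID (S-1-5-21-...), not only under HKLM.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
    }
    $userKeys = Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { $sid = $_.PSChildName; $UserRunSubKeys | ForEach-Object { "HKU:\$sid\$_" } }

    foreach ($key in ($MachineRunKeys + $userKeys)) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a registry value
            if ("$($p.Value)" -match [regex]::Escape($IocFileName)) {
                New-Hit 'RunKey' "$key\$($p.Name)" $p.Value
            }
        }
    }
}

function Find-ActiveSetupHits {
    # Legitimate entries are named by a GUID, a few with a leading '>' (e.g. Windows Media Player).
    $guid = '^>?\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    foreach ($base in $ActiveSetupKeys) {
        if (-not (Test-Path -Path $base)) { continue }
        foreach ($sub in Get-ChildItem -Path $base) {
            $stub = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).StubPath
            if (-not $stub) { continue }
            $byName = $sub.PSChildName -eq $IocSetupKey
            $byStub = $stub -match [regex]::Escape($IocFileName)
            $byGuid = $sub.PSChildName -notmatch $guid      # malformed name plus StubPath is suspect on its own
            if ($byName -or $byStub -or $byGuid) { New-Hit 'ActiveSetup' $sub.Name $stub }
        }
    }
}

function Find-FileHits {
    # The registry data says system32, but WOW64 redirected the 32-bit sample
    # to SysWOW64, so both are checked. Run from 64-bit PowerShell, otherwise
    # this check is redirected as well.
    $paths = @("$env:SystemRoot\System32\Windir\$IocFileName",
               "$env:SystemRoot\SysWOW64\Windir\$IocFileName")
    # Assumption: Admin2.txt / Admin7 / Adminlog.dat are <user>2.txt, <user>7, <user>log.dat.
    $u = $env:USERNAME
    $paths += "$env:LOCALAPPDATA\Temp\${u}2.txt", "$env:LOCALAPPDATA\Temp\${u}7", "$env:APPDATA\${u}log.dat"
    foreach ($path in $paths) {
        if (-not (Test-Path -Path $path -PathType Leaf)) { continue }
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower()
        $tag  = if ($hash -eq $IocSha256) { 'SHA256 matches report' } else { $hash }
        New-Hit 'File' $path $tag
    }
}

function Find-NetworkHits {
    # Both cmdlets exist on Windows 8 / Server 2012 and later.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $IocHosts -contains $_.Entry -or $IocAddrs -contains $_.Data } |
        ForEach-Object { New-Hit 'DnsCache' $_.Entry $_.Data }
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $IocAddrs -contains $_.RemoteAddress } |
        ForEach-Object { New-Hit 'TcpConnection' "$($_.RemoteAddress):$($_.RemotePort)" "PID $($_.OwningProcess)" }
}

$hits = @(Find-RunKeyHits) + @(Find-ActiveSetupHits) + @(Find-FileHits) + @(Find-NetworkHits)
if ($hits.Count -eq 0) { 'No CyberGate/Svghost artifacts found on this host.' }
else { $hits | Format-Table -AutoSize }
```

Run it elevated from 64-bit PowerShell so HKU and the SysWOW64 path are readable without redirection. A DnsCache hit only shows that the host resolved www.server.com at some point, not that the RAT is still running; the TcpConnection hit, with its owning PID, is the one to act on. The user-profile files are checked for the current user only; other profiles need their own Temp and Roaming paths, and a hit on 52.8.126.80 alone should be corroborated with the registry or file artifacts, since the address is a shared hosting range.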
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-21 17:01
Reported
2024-04-21 17:04
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\Svghost.exe" | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\Svghost.exe" | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB}\StubPath = "C:\\Windows\\system32\\Windir\\Svghost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB} | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB}\StubPath = "C:\\Windows\\system32\\Windir\\Svghost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1LV67644-C447-JAN6-07M4-UV2UT06GP4LB} | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Windir\Svghost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Windir\\Svghost.exe" | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Windir\\Svghost.exe" | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Windir\Svghost.exe | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windir\Svghost.exe | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windir\Svghost.exe | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windir\ | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Windir\Svghost.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ffc0b1f6527773f16534c51c27d63b36_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\Windir\Svghost.exe | "C:\Windows\system32\Windir\Svghost.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4708 -ip 4708 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 580 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 137.191.110.104.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/2900-3-0x0000000010410000-0x0000000010475000-memory.dmp
memory/4776-7-0x0000000000830000-0x0000000000831000-memory.dmp
memory/4776-8-0x00000000008F0000-0x00000000008F1000-memory.dmp
memory/2900-63-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/4776-66-0x00000000039A0000-0x00000000039A1000-memory.dmp
memory/4776-67-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/4776-68-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Windows\SysWOW64\Windir\Svghost.exe
| MD5 | ffc0b1f6527773f16534c51c27d63b36 |
| SHA1 | e1e88ddf72246ef04b63fcc22a0135db1414c0d9 |
| SHA256 | 4494a1dd099f4c76c2ad6b5b13c0d848831b0fe79e54ed67cc42949e748f954b |
| SHA512 | 6ac64680c82c40ece00806dd8c988ad16622359c0548d3608273a6826d484430f342ee6b0bd1aca8ea831370d52103b414950b2532382b8b4d6636010030b0dc |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | ea3c0ecca844df73b8e7f93962b06113 |
| SHA1 | a85b4dd585f1860c04fa8289309c5fe1189b4c5a |
| SHA256 | e94611397e7bad562aad76f13b03e5e2966edf6cc67fd6e6fd9a1484febbd0b6 |
| SHA512 | 929e6a4cc172ab4599e403d24d9bc67c7d74750cb36dbcc8a5d0deb0f1ab41845040c5e97121a4538b83aba1cf0c57d0ffff9aafda323dd7fbcff76082d5cddd |
memory/884-138-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 18411690b496fcd280cc0a9b2b1e4b30 |
| SHA1 | b21e926bf0494687fab3b3f1741d89b5473e624e |
| SHA256 | 648696d1c7fb3e562d6c56566a4414a9debbf28742861013afa2ad97c6649e12 |
| SHA512 | ab230fc850afaf500f3c5759de90fc790423a0fb2df63370485eb55bfcf8e47808eaa053773ff8c97d16dfb0dbd93769caab37bd3eeb4cde36160cc59ba21543 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 91a2daef9188edbd9ea3129f40a6b67e |
| SHA1 | 665ebacc051cafe2f87f396a77358bc9473f8135 |
| SHA256 | 18e2b6584ae2caafe20ef2e2dccc519d3ce20bd63340e235e72e6f7d35c26c35 |
| SHA512 | e0159bf3fa76298014de4bd973ae1ac74841c8fdfbf49825719489b41931217baa5e3fe2e974ecf133f9858ebaf0cb4bd2f201a50a880f6052dd9211a3dd0f04 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c328fdf693b38cc4b62c696623e85179 |
| SHA1 | d6ed51b4fe8170b17ef3eeede7aea0ac9057fb0a |
| SHA256 | 29acc0615d896d844b6b9d28a3bf15624cf5813e8cff35514fd8eaf9783d8102 |
| SHA512 | 900f752d4d220d1156abecb6e4cf9a520530e00c5940ce042f2b41c1638063cdac83d79f9f9c9dafcbaebafc73325a7a5d895c91b48e0c6093c100fd384ba42e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 09d98a104855f2ece9ec6c50c728aebd |
| SHA1 | 09f18e2e1e73f68519d73c974b6b21f84518a81b |
| SHA256 | c164e4384a77b7819614225ab02c4da92b24a56fb743749d4a79777a5d436989 |
| SHA512 | 41c098de694a4279205ddcdb5286b40043249ca82a3365382ac3ae1779b3ba09e00f51b424ffc9080d3b6a795aea5c16baa414c3f6a1a557556953a86f4caed1 |
memory/4776-519-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e7d698b9f3cfb60d8a7f5f99e1c57363 |
| SHA1 | a9b8deee7587ab23bfe88b2e27112620933c799f |
| SHA256 | c25d226b031db770daf199f462aa2cca46f288b91b6eeb71a14f59f262de8816 |
| SHA512 | c38f6e785355f91b1fef869381a2bdf1db0ebf92e12934683270e5fd1ab9acd37e76c441c99c0ca44c04cf2bddf1632d36c938276dfc2266ddc1380a748b6208 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | b6a8dcb2cb560226e4b7bb2b326df3df |
| SHA1 | 3cc2c953079de84845f60544e2d2034db40a6317 |
| SHA256 | f36b1757183b63ac688a6515d85b32c0c7c3e40389eb6f57640c38d46952fd14 |
| SHA512 | dd6937644010102dda08351131209baa45db6c9bf34d23a14a4acecabbe9773a6ae2321e8b1e25fb36b7f87b68457f8e2efae250b6849770560dfd6222f9d8c5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d103250bc88367d9e350520986421795 |
| SHA1 | 8aed69e57698784f3684e2688612638b59525872 |
| SHA256 | da745f63ff7f5d4367254e2ddada59923b6754391c9d5928f18549b4d30d58c3 |
| SHA512 | fd880f2ac39f2c097929eb6739dcf3e43890d524d625d794449890e7bff501855cf0dc53a30a06f4d4e476ab08d48dca453768c5710afb22f0d06f977863f6ae |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4d077924cd1758f89af1e56b2e483427 |
| SHA1 | 08063cec642c1c2a1927074234c2fef00db5a405 |
| SHA256 | aabdc878d016136d5c24f7b0e06f5b9377cd738a887aa65f32292e716429eb54 |
| SHA512 | df8df3e6ab86cc5c9ceb5d710f7da0ed73a3eefdd3512c8f101a71302e2fbc5b8b7209476ed65b457b584f8e031450b4cf3f50ff36c68283a782e322a05a5d74 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f678dab973c07206a78710ccae2b8cca |
| SHA1 | 868b2dbac1ef79f6f2a96301289905e92b4ed85e |
| SHA256 | 0fbc2d32d5f01a50712a51b36b0cf0734ae83d9f54a6c9dee5208c1761694a53 |
| SHA512 | 9043e593c88a221d502d912f6bf5bea36bcf403b6fcf8bd3305aea0ce38fbb8e55d11b6e1d4daf743b684589fb52675b84a8cae78ecb4323b9f204723f6a72cb |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c2b69c0a3fdb915e6c1087820cb8ef30 |
| SHA1 | 3411a4249f399a8fdd93fe5fd355930c3f93d78c |
| SHA256 | 3e7334eaeca0c204102c62264672cefc54dbee3671e5ba539a7a92de565788c1 |
| SHA512 | d114ab22bad8ce4e911771d162f86d3d64e1a7c1ea0d65fd7ee587bf4c4381f13dbfe03d990a97dfdd3c9cd2f5a57aefd47561ba5229e718530a89b2497e3112 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | aab84ac991492ecbd8c99c0a4b169ccf |
| SHA1 | 24220750ac21047034fe694e95cfbabd23af126c |
| SHA256 | 48284ab5a0d0a6baafb5496e808da4fabd3bd41a4c744817f2bf1819c80d85a2 |
| SHA512 | cd67cf197e203cf7045c179d6c1c2b07b48813e7df9c3fc463e452aec047ff3a52cef0d27d7cc34d0d6282ec845d1b4946a7120d5b24b026798aad2f8d98ea8f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ecd49c3b661b039b86c01810f860510a |
| SHA1 | c119218011189a6c8d7dd171687397321e3a2e56 |
| SHA256 | 54321bb46cf042348dae19a1939c4400bcbb40c61493cc617deb9a86bd28ec99 |
| SHA512 | daeabb62c5515fb908cf1b211e864c2129086d4bdab03b84938d536f88636adb6aaf9d880aa7032bc4c250bd73b0ebf6dca3ee7a9aaf13a3c97fd1d2b91a7f33 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 19d7081670fdcfec2c94318671a859ff |
| SHA1 | b97a4096438b91076bfd62dd9f18c3a9edf3188e |
| SHA256 | 27b229bac9e7fda36a577d09f9b602ed3d5118a9a4104f89bfd80791a05d61e5 |
| SHA512 | 1dbb8be823d813b2684b2c91bf42bb7fd32b36d858d0e782b8eb013ce224c12f60c8cf00fc50b8fc783edb4bf6d1ab8f66ab6b821b120f88ec18ec74be64f15c |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9b2accd7a7985f0e4b0b24f8f3ff8b49 |
| SHA1 | 33c4351f6b7667ceb5a28f6d1be4d5e347e39bc7 |
| SHA256 | 6c3f3ed8ce9b319c70666dc72d1ab177f54aca902a8ff868e844454fa4d2ba6c |
| SHA512 | 9053ab63186eeebc1a39671995cf069134d147d3b3d1b2b877a2f3781f1d32215041e14dd0505ed8bbda8fb8ed7aaccdc0526779b3e8bc181610d3bf71a01ac1 |
memory/884-1424-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2dc7e5d3429c0348b34f8ccfe2875c75 |
| SHA1 | 0b538ba16d4adb8e415528e4f40209a731cdeadf |
| SHA256 | 9a20da6b7edb136f3ff85e24de946b252e8b1f4084eadb875d82668990280e9e |
| SHA512 | 611d8e9393140ad798a051f75aae6407fb9aa0870a9c3b26aa5c426f73fa1a213eb1936a4898a59edaece7475b32e0a55d37408ac78676c23b0295620e08bf46 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2e3649412777bafcf87b33f16f81b88d |
| SHA1 | e916a3a8019b43d051e0c0a43303544c5d7314d9 |
| SHA256 | 9bcf6416e2e8c270498af6903b3bdee7225a7487eeff04c91de8dba8b2149264 |
| SHA512 | 9c18413fd5f620dc94337eb47d1190f3fb7e42a48210610b302af263207a7a410875f80bf294c36fe7867fcea70cad8f4fd9a7db854b252525f73a0fc3643a86 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 3543241091790467e7f20ef9bdfc1460 |
| SHA1 | 59dfcda01255bea3def67e510d46d3dcef8f6f66 |
| SHA256 | 997783f1357beb0d9d396d8a41f451825244633d251e82008e9bcb2daee2fd55 |
| SHA512 | 2586988f321605e6b1f4ca0beccf055b4e0caaf24d154012da44b5889207428d08dbb35aa062584046246fc7f6ee616ac16ff538126315091ef257427db272af |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4b24c4e30e9d100b515defcbd55c6e83 |
| SHA1 | f741b9aef183d291c6a75028b121751191086411 |
| SHA256 | 290481ce835f8246179929fb0a55bfa4398b4911edeea4a312441e34093af5e5 |
| SHA512 | a626659860240fe3850a3dd4d397d36e3a2ede728775584963083be4e42e06694bb8feff9e92df0653d383715c3caea9d68a2eef793b8b5947a08c2ce0957140 |