Analysis Overview
SHA256
2efb68d79a839caeae04f7c47559c02722984e3d71c45bd6b2adf87ace60c8f4
Threat Level: Known bad
The file 11b86dec70fab86b23b6577cee016bf0_JaffaCakes118 was found to be Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
UPX packed file
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-26 10:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 10:40
Reported
2024-06-26 10:43
Platform
win7-20240220-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DYR136F1-8WXK-O1P0-LNW1-5XTXY0SJG5HN} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DYR136F1-8WXK-O1P0-LNW1-5XTXY0SJG5HN}\StubPath = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\googleupdate = "C:\\Users\\Admin\\AppData\\Roaming\\googleupdate.exe" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3056 set thread context of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\11b86dec70fab86b23b6577cee016bf0_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\11b86dec70fab86b23b6577cee016bf0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11b86dec70fab86b23b6577cee016bf0_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tmp371256.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ren C:\Users\Admin\AppData\Roaming\googleupdate googleupdate.exe && exit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/3056-0-0x0000000074D11000-0x0000000074D12000-memory.dmp
memory/3056-1-0x0000000074D10000-0x00000000752BB000-memory.dmp
memory/3056-2-0x0000000074D10000-0x00000000752BB000-memory.dmp
C:\Users\Admin\AppData\Roaming\tmp371256.vbs
| MD5 | 065cbb1f2a3501f855d428b4d8e9131a |
| SHA1 | 630459d0a7419be7beb9df9dd770921e0c02255a |
| SHA256 | f79da66b70559a96da138c2da20a56f17bd1dfd5226b7cfd59d37d46ab27ca6e |
| SHA512 | 56dc6061c0b0927307fcbca3c92c4314b9cb2f759d7eb50e9b765363e2cacef5e9b5d5b3c9127917d77f336df0d3e87488d71fb5500c8e371456e0383784ab3a |
C:\Users\Admin\AppData\Roaming\googleupdate
| MD5 | 11b86dec70fab86b23b6577cee016bf0 |
| SHA1 | 0855cf8448176585df2b72bddf22f5f4256dcf90 |
| SHA256 | 2efb68d79a839caeae04f7c47559c02722984e3d71c45bd6b2adf87ace60c8f4 |
| SHA512 | a0465d84bf221bcedf100424f76d421ee4e4e13fa94a36a2ad9835be2465e78df9e69024739c9495e8d5adeed1a768dab9c76bde7d167bc6d2fdb0dc850f5e71 |
memory/2616-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2616-13-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2616-19-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2616-17-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2616-21-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2616-15-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2616-24-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2616-25-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2616-11-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2616-9-0x0000000000400000-0x0000000000451000-memory.dmp
memory/3056-26-0x0000000074D10000-0x00000000752BB000-memory.dmp
memory/2616-28-0x0000000010410000-0x0000000010475000-memory.dmp
memory/1064-29-0x0000000002DF0000-0x0000000002DF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 03978954d224a98fe706b8ca30ef9f8f |
| SHA1 | 2481f9ec85eebf62444b8f286021a150cc9e853e |
| SHA256 | f0466b8305bc2d5267755ab12607a5b8f52904b1b41389513a0abbb428e154b3 |
| SHA512 | be6e35e594b63f6f2edd8630990a7f101b2f4f2b9727501c669cceb426c07a434483cdc8c1d9e66c6ba160d3aaa2b63e200e607da726ffa77e6c389fe837c1c8 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a0393d01a6d37a5165d723f94a7f35a5 |
| SHA1 | 1ef6f75a8bd818f7288a7cd4388135ef9d8b00b9 |
| SHA256 | 50568d4a9323acecab96e692a9bf01e4a6507adaa03f4fb9766dbbad6c6031a2 |
| SHA512 | 6217d99692e5bb2a58fbc27e7ebc8e182cd8d0dfa46a879259856a25c36673c7e23248193cc6d6c696ae1dfbaa42611ee914c85721296d9fe6889b0ea58564e2 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9a6212e54a4597871c1700d1ec7ee9ef |
| SHA1 | f7af5f6d93bff9f29a51924dcd98c7b42839a30d |
| SHA256 | c9e0ef635282359d3953405c9f7ff1affa1868d72abe77c7308712a86321e247 |
| SHA512 | 1333a153bb2071d51848238a7b06bfee72ca40f00ad49d0db4a3483e88cc3637998c17b1c8a959f0b8638e3b700c95468ad597205fda6de88a059472e323ec02 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7619702aeefec1a2135f7e72b44cc87b |
| SHA1 | 0fc8aface0ba62ffb5b232fb97ce6423bd4de85d |
| SHA256 | 4706a9ea57c9774554e65a63f77b8c831cb87f10b57adf5ef1c88fe84d25d6d7 |
| SHA512 | 02137d4bd484855c0029f2d51eb4cb1c970a32b4383f273d8a72b05e3905741faad684071d085e6f9dd92cd8a280a5fce54ae2a5d313608f05dbd6cfb36df006 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 95b382184fd7bdb4e8059bcca7f1db60 |
| SHA1 | 550e921244cb9659f783d9a9cd3dd3e5c35c74cd |
| SHA256 | 91b144208c8f063b44f88fb057466660a8a6337dd28c66c1c61bbc257c985205 |
| SHA512 | 0d06fa81a15ff2319aebc969351f4fe6aa6c5b1847c2ae0d024cdd1b2c4122a6e61c116bebfe78aac104be10ce576747e0d09dc882ba4074b8711c4ffaa89eac |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 66431af0c7928e9ef5e6166fd8b1b1f8 |
| SHA1 | 802455eff9ce809d0f44c56110869c0b63500caf |
| SHA256 | 5ab3a9790b330638dc2a6999c8691662374a547fc656b953d676493508d69b1b |
| SHA512 | 142253813e6b06d75d113f993e2773f1e4729c62ec519f7a4a302336586ac1533737e0fb17e933f44da6d42cee1b0e76cd52d0212970a1bead0e283cb49a43de |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 99f99464cd72ab411285f6a50479b6d7 |
| SHA1 | ee623fcca68e5f33278241f919cdcbb704ec820e |
| SHA256 | da4e334e2f9d5b5f4a1ad7b1d70cf23307c828dd497f55d0a19d2f2a7274ea03 |
| SHA512 | 18588ff94d36941c6a738bda0ea6c4474d54d63d5f8236384cbdba67b5c623c5a6e7f81f1e7fbc94a52b83b0fdc5b7318ea56929b5d1197d2baea296790c943d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2b15b8c8357f9d9ca8c3e81302a79d6f |
| SHA1 | 51cbcb5ae3d971bea1af297373848588e52e38d5 |
| SHA256 | d03f674dc142b94189b885ffe2eb01e4d92479e0906b96cb254d5877f8532b0a |
| SHA512 | 6297115aa81230badddd1cda656d9b0a39fcd2ad74de517911e1c927d85206a072f8bff9ea4fc92b2013a036c4799adaa6bc594a380577cb3e126c6124b00fa3 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 90572832f7073e7fe3b0d67a8762de5f |
| SHA1 | de8050641870e3707ae61082548494d31d69644a |
| SHA256 | 89e22e8611b5d6335e709a3f293cb6500fac022c5eb4b267c70c0fc36926b2e6 |
| SHA512 | 2cd4d190e37517a5b00985afff52e6ee55277a1b785ab8311942085b88b72eeeec9b0bff492160479e6b3d9f3e3535e90cd7ef89f9169b30f62d1b23f704d2b5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 8f41cc054e4c51f4e367a8977b2cddcb |
| SHA1 | b21857302bec6c72971040db4935d7b680661cc2 |
| SHA256 | a4251837ff09d55db79fe4313fdc1e5551b2ee0df71bb9c1bb7819c56bb7f2ea |
| SHA512 | 39738849100cdbd9e775effd2c61c281ac916e56f84b2fe3405a4c9e0cfa76320b30be119ebf34f3322e9f9a052f399550ee9057ca61b6ba0ca06a339c0c90a9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7e71be3cc04220c593234dc75cda801a |
| SHA1 | c5286b76dcbce88b1c2c6ca6de170985b130c904 |
| SHA256 | 8c558e08d6c92f384d07efb19e7bfcccabd99d18fa8ad08d0b9ba2c868cd40b0 |
| SHA512 | a22ab457b5cc359c4b827954beaa5ffdfd6ed20b782457b708fde3649b583d006115ba4bde4df45d2c123bad52b85b20b4803c14f49e22471f38f32aa3ebc407 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 71a0d094c0824b315fb59b0560e9480f |
| SHA1 | 6f69331f68db0c9c27b10a2e65ac851e298ed3e6 |
| SHA256 | 5e7a9fc960c1373770c81e084723ab7052a74fb3a0deae465a8db12d9e8cd327 |
| SHA512 | 31499487db15de5f6dfd4f0491d3ac6eb2ecb5da05b0a066d559b0434aabaaee246be5782f82d75f4fcc8ac1d092f356a7f5c71e6c04c758586ea3be58e6b696 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | bf511a13f8b44cb357694252ad67edd1 |
| SHA1 | b8efad961bf83f53f896d3d0a66de843938795f5 |
| SHA256 | 29b9304226001b61c74e2dab2763968a385bd0dc40b2b343ebac2d84d7cb76e1 |
| SHA512 | 94d5ad22a17f7983dfb842c2e8a80f6c9fbf73ace6db3e4e797a5e66ba199a4277a48e6190b5e60a9bf3cde2d1a11509384dee5d5e57167622b9fe01d7c08e38 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ea69ebdea43286286939de2791aa37a4 |
| SHA1 | efd442b1b52a76944bfc954dea8af33f5990ae85 |
| SHA256 | c2b5d8b72802e8b685656b729b88666dde2180192e3039175318ae7fdbdbdb61 |
| SHA512 | 06a862804e69e6d1d80f3a94fa5e5e2620f61eb8e39eca34548ab69723ba40d70ee4c4232d5e5c17de67428a9c41db83e46eb35db34dac4d92ade6bb4f97a713 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | bc6d534fbfa49d415d6b3e09f95e5dfe |
| SHA1 | 6af5990d9c25278b6e0b6b49b4bb4945c19fe092 |
| SHA256 | d71aa00909d3fa6f5c5791a47b992145cffd8cc0e873ba593209fa5d2ba570dc |
| SHA512 | b980875af4359e4d43ea14a9d667a7e80052ff573057b463cf41cb92086598133230f04245247dfb56f06a4a2737ec587c28c1dcca13a0031c4b1e76e6651ecf |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0d2e27edfb84972c72d34db91e195b4d |
| SHA1 | 968a9016747a75e251e9c6cb8ab30e6c6c3f3756 |
| SHA256 | 577ed3c73f42b5309f52bfc62bbd088e9edcdc0f40040da4efce63060f56ef8c |
| SHA512 | 5f8649bd65f44783b3c25361224107f0bfa53de4b9f34ff2681cd2ec44abde3b99afef3b15d1ba025b74693b0f4ae080ebdcd14c112d32fc488746e4a2851045 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 67bc29934eee0ddbd5d71c903e82b562 |
| SHA1 | b94808ef2bcca3e7d874bca0fe7eac9677c4aa26 |
| SHA256 | cab4a591e9b386e0cc01b26289439bccbe135cdcb218cd52823f416b81ec0461 |
| SHA512 | b5977c5734ac1a649794857b771d532c58ea4099d2e9927190b1ce5af8e460e63e5cc548bc388f87e6623ce4e26e011c6eb447238fffe58e35eb92374c4622fe |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 94703a157c1fd194c313195ed7434e35 |
| SHA1 | 097d69ddac2014921dc7e35af4c54785bda9890c |
| SHA256 | ae1886c7e2e13024c8689c6366b8400d07a5fee72886f2f2df4e7143f530bb65 |
| SHA512 | b9a48f8296bcad4d4202f8f9515fa9e0a75bfbb84af1f327b8a5f077a4a925ecb0f50c1711894dbb9d2fd97d62f703d87511723d24df88a8bfb0dc614fe1d1cf |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6f9d0c901356d9e8e9c73e1d09ce01b5 |
| SHA1 | 6ed9a052397d509f3ebad4e4b668081d97f41cc9 |
| SHA256 | 20e71d565648d4076238da039bbf2243d79932cc1695ffdf7c2d38403741a599 |
| SHA512 | 5876103367a0827c426163fefd958ce43856babe36e21fe616c6315cdb4ac3d079349d9531319b62b90dca5507ecc2c9f9ecca0788dc48bb75ae76b92c75e1e4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 10:40
Reported
2024-06-26 10:43
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYR136F1-8WXK-O1P0-LNW1-5XTXY0SJG5HN}\StubPath = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYR136F1-8WXK-O1P0-LNW1-5XTXY0SJG5HN} | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\11b86dec70fab86b23b6577cee016bf0_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\googleupdate = "C:\\Users\\Admin\\AppData\\Roaming\\googleupdate.exe" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1920 set thread context of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\11b86dec70fab86b23b6577cee016bf0_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\11b86dec70fab86b23b6577cee016bf0_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of WriteProcessMemory
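The persistence rows of behavioral1 and behavioral2 are the same six writes (only the user SID differs) and share traits worth turning into checks: every value is written by an explorer.exe running from SysWOW64, not the 64-bit shell at C:\Windows\Explorer.EXE; the Active Setup component id {DYR136F1-8WXK-O1P0-LNW1-5XTXY0SJG5HN} contains letters outside 0-9/A-F, so it is not a GUID; the StubPath, Policies\Explorer\Run and HKLM/HKCU Run targets all point at cvtres.exe, a .NET Framework 2.0 resource converter that has no reason to run at logon; and the googleupdate Run value points at a copy of the sample in AppData\Roaming (the dropped googleupdate file carries the sample's own hashes). The Python below is an added example, not part of the sandbox report or of the sample: it encodes those traits as rules, runs them over events constructed from the behavioral1 rows, and on a Windows host can push the live Run, Policies\Explorer\Run and Active Setup values through the same rules. The benign "Vendor" control event, the build-tool list and the user-writable path list are my assumptions.

```python
"""Persistence triage for the autostart registry writes in this report (added
example, not sandbox output). REPORT_EVENTS is built from the behavioral1
signature rows; the rules are my assumptions about what is abnormal."""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class RegSet:
    process: str  # writing image ("" when read from a live hive)
    key: str      # key path as the sandbox prints it
    name: str     # value name ("" for a bare key creation)
    data: str     # value data, normally an image path or command line


AUTOSTART = (r"\currentversion\run", r"\currentversion\policies\explorer\run",
             r"\active setup\installed components")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
COMPONENT_RE = re.compile(r"installed components\\(\{[^\\]*\})")
BUILD_TOOLS = ("cvtres.exe", "csc.exe", "vbc.exe", "ilasm.exe")  # .NET SDK tools, never autostart
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp", r"\users\public")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe")


def reasons(ev: RegSet) -> list[str]:
    """Why one autostart write looks like malware persistence; [] means nothing stood out."""
    key, data, proc = ev.key.lower(), ev.data.lower(), ev.process.lower()
    if not any(a in key for a in AUTOSTART):
        return []
    out = []
    if r"\policies\explorer\run" in key:
        out.append("policy Run key, normally written only by Group Policy")
    # Active Setup component ids are GUIDs; anything else was typed by a human or a RAT builder
    if (m := COMPONENT_RE.search(key)) and not GUID_RE.match(m.group(1)):
        out.append(f"Active Setup component id {m.group(1)} is not a GUID")
    if any(t in data for t in BUILD_TOOLS):
        out.append("autostart target is a .NET SDK build tool")
    if any(p in data for p in USER_WRITABLE):
        out.append("autostart target lives in a user-writable directory")
    if proc.endswith(r"\syswow64\explorer.exe"):
        out.append("written by a 32-bit explorer.exe; the real shell is C:\\Windows\\explorer.exe")
    if proc.endswith(SCRIPT_HOSTS):
        out.append("written by a script host or command interpreter")
    return out


def triage(events: list[RegSet]) -> dict[RegSet, list[str]]:
    """Map each suspicious event to its reasons; benign writes are dropped."""
    return {ev: r for ev in events if (r := reasons(ev))}


def collect_live() -> list[RegSet]:
    """Feed the same rules from a live Windows hive (the writing process is unknown there)."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    found = []
    for hname, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        for sub in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
                    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"):
            try:
                with winreg.OpenKey(hive, sub) as k:
                    for i in range(winreg.QueryInfoKey(k)[1]):
                        name, data, _ = winreg.EnumValue(k, i)
                        found.append(RegSet("", f"{hname}\\{sub}", name, str(data)))
            except OSError:
                pass
        for sub in (r"SOFTWARE\Microsoft\Active Setup\Installed Components",
                    r"SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"):
            try:
                with winreg.OpenKey(hive, sub) as k:
                    for i in range(winreg.QueryInfoKey(k)[0]):
                        comp = winreg.EnumKey(k, i)
                        try:
                            with winreg.OpenKey(k, comp) as c:
                                stub = winreg.QueryValueEx(c, "StubPath")[0]
                        except OSError:
                            continue  # no StubPath: nothing runs at logon
                        found.append(RegSet("", f"{hname}\\{sub}\\{comp}", "StubPath", str(stub)))
            except OSError:
                pass
    return found


EXPL32 = r"C:\Windows\SysWOW64\explorer.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
HKLM = r"\REGISTRY\MACHINE\SOFTWARE"
HKCU = r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software"
REPORT_EVENTS = [  # constructed from the behavioral1 signature rows
    RegSet(EXPL32, HKLM + r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "Policies", CVTRES),
    RegSet(EXPL32, HKCU + r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "Policies", CVTRES),
    RegSet(EXPL32, HKLM + r"\Wow6432Node\Microsoft\Active Setup\Installed Components"
           r"\{DYR136F1-8WXK-O1P0-LNW1-5XTXY0SJG5HN}", "StubPath", CVTRES),
    RegSet(r"C:\Windows\SysWOW64\WScript.exe", HKCU + r"\Microsoft\Windows\CurrentVersion\Run",
           "googleupdate", r"C:\Users\Admin\AppData\Roaming\googleupdate.exe"),
    RegSet(EXPL32, HKLM + r"\Wow6432Node\Microsoft\Windows\CurrentVersion\Run", "HKLM", CVTRES),
    RegSet(EXPL32, HKCU + r"\Microsoft\Windows\CurrentVersion\Run", "HKCU", CVTRES),
    # hypothetical benign control: a vendor updater registered by its own installer
    RegSet(r"C:\Program Files\Vendor\setup.exe", HKLM + r"\Microsoft\Windows\CurrentVersion\Run",
           "VendorUpdate", r"C:\Program Files\Vendor\update.exe"),
]

if __name__ == "__main__":
    for ev, why in triage(REPORT_EVENTS + collect_live()).items():
        print(f"{ev.key}\\{ev.name} = {ev.data}\n    [{ev.process or 'live hive'}] " + "; ".join(why))
```

All six report events come back with at least one reason and the vendor control with none. The reasons are review prompts rather than verdicts: a non-GUID Active Setup id or a Run value in AppData\Roaming is unusual but not impossible for legitimate software, whereas an autostart entry whose target is cvtres.exe has no benign explanation. On a live host the collector sees only the final values, so the "written by" rules need Sysmon registry events (or the sandbox rows) to fire.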
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\11b86dec70fab86b23b6577cee016bf0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11b86dec70fab86b23b6577cee016bf0_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tmp371256.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ren C:\Users\Admin\AppData\Roaming\googleupdate googleupdate.exe && exit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8
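The process lists of behavioral1 and behavioral2 show the same chain (behavioral2 additionally lists an msedge.exe utility process): the sample runs from the user's Temp directory, WScript.exe executes a dropped .vbs from AppData\Roaming, cmd.exe renames the extensionless drop googleupdate to googleupdate.exe, three cvtres.exe instances start with no arguments, and an explorer.exe runs from SysWOW64 with the bare command line "explorer.exe" rather than from C:\Windows\Explorer.EXE. Together with the "PID 3056 set thread context of 2616" row (source: the sample in Temp, target: cvtres.exe) and the repeated dumps of the 0x400000-0x451000 image region of PID 2616, this is consistent with process hollowing of cvtres.exe. The Python below is an added example, not part of the sandbox report or of the sample: it parses the two-line process entries exactly as printed above, flags each of those traits, and checks SetThreadContext pairs for the hollowing pattern. The path and tool lists are my assumptions, and the heuristics are deliberately simple.

```python
"""Process-list triage for the 'Processes' and 'Suspicious use of SetThreadContext'
sections of behavioral1 and behavioral2 (added example, not sandbox output).
REPORT_PROCESSES is copied from the report; the heuristics are my assumptions."""
import re
from dataclasses import dataclass, field

USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp", r"\users\public", r"\programdata")
BUILD_TOOLS = ("cvtres.exe", "csc.exe", "vbc.exe", "ilasm.exe")  # need input files to do anything
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
REN_RE = re.compile(r"\bren(?:ame)?\s+(\S+)\s+(\S+)", re.I)


@dataclass
class Proc:
    image: str
    cmdline: str
    flags: list[str] = field(default_factory=list)


def parse_processes(text: str) -> list[Proc]:
    """The report lists each process as two lines: image path, then command line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [Proc(lines[i], lines[i + 1]) for i in range(0, len(lines) - 1, 2)]


def in_user_writable(path: str) -> bool:
    return any(p in path.lower() for p in USER_WRITABLE)


def triage(procs: list[Proc]) -> list[Proc]:
    """Attach a flag for every suspicious trait; a process with no flags looked normal."""
    for p in procs:
        img, cmd = p.image.lower(), p.cmdline.lower()
        if in_user_writable(img):
            p.flags.append("executable running from a user-writable directory")
        if img.endswith(SCRIPT_HOSTS) and in_user_writable(cmd):
            p.flags.append("script host running a script from a user-writable directory")
        if img.endswith("\\cmd.exe") and (m := REN_RE.search(cmd)):
            src, dst = m.groups()
            # dropped without an extension, so not an obvious PE; renamed to .exe only just before use
            if "." not in src.rsplit("\\", 1)[-1] and dst.endswith(".exe"):
                p.flags.append("renames an extensionless drop to .exe")
        if img.endswith("\\syswow64\\explorer.exe"):
            p.flags.append("32-bit explorer.exe; the real shell is C:\\Windows\\Explorer.EXE")
        if img.endswith(BUILD_TOOLS) and cmd.strip('"') == img:
            p.flags.append("build tool started with no arguments; a resource converter has nothing to do")
    return procs


def hollowing_indicators(ctx: list[tuple[str, str]]) -> list[str]:
    """ctx holds (source, target) pairs from 'PID X set thread context of Y'. A user-writable
    image rewriting the context of a Microsoft binary is the process-hollowing pattern:
    start the target suspended, replace its image, point its thread at the new entry."""
    return [f"{src} rewrote the thread context of {dst}" for src, dst in ctx
            if in_user_writable(src) and dst.lower().startswith("c:\\windows\\")]


REPORT_PROCESSES = r"""
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\11b86dec70fab86b23b6577cee016bf0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11b86dec70fab86b23b6577cee016bf0_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tmp371256.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ren C:\Users\Admin\AppData\Roaming\googleupdate googleupdate.exe && exit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
"""
REPORT_CTX = [(r"C:\Users\Admin\AppData\Local\Temp\11b86dec70fab86b23b6577cee016bf0_JaffaCakes118.exe",
               r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe")]  # PID 3056 -> PID 2616

if __name__ == "__main__":
    for p in triage(parse_processes(REPORT_PROCESSES)):
        print(p.image, "->", "; ".join(p.flags) or "no flags")
    for line in hollowing_indicators(REPORT_CTX):
        print("hollowing:", line)
```

Only the 64-bit C:\Windows\Explorer.EXE comes back clean; every other entry carries at least one flag. The "no arguments" rule is the one to watch for false positives on developer machines, where build tools are launched by a compiler with a full command line, which the rule ignores by design: it fires only when the command line is nothing but the image path, as in the three cvtres.exe entries here.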
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/1920-0-0x0000000074CC2000-0x0000000074CC3000-memory.dmp
memory/1920-1-0x0000000074CC0000-0x0000000075271000-memory.dmp
memory/1920-2-0x0000000074CC0000-0x0000000075271000-memory.dmp
C:\Users\Admin\AppData\Roaming\tmp371256.vbs
| MD5 | 065cbb1f2a3501f855d428b4d8e9131a |
| SHA1 | 630459d0a7419be7beb9df9dd770921e0c02255a |
| SHA256 | f79da66b70559a96da138c2da20a56f17bd1dfd5226b7cfd59d37d46ab27ca6e |
| SHA512 | 56dc6061c0b0927307fcbca3c92c4314b9cb2f759d7eb50e9b765363e2cacef5e9b5d5b3c9127917d77f336df0d3e87488d71fb5500c8e371456e0383784ab3a |
C:\Users\Admin\AppData\Roaming\googleupdate
| MD5 | 11b86dec70fab86b23b6577cee016bf0 |
| SHA1 | 0855cf8448176585df2b72bddf22f5f4256dcf90 |
| SHA256 | 2efb68d79a839caeae04f7c47559c02722984e3d71c45bd6b2adf87ace60c8f4 |
| SHA512 | a0465d84bf221bcedf100424f76d421ee4e4e13fa94a36a2ad9835be2465e78df9e69024739c9495e8d5adeed1a768dab9c76bde7d167bc6d2fdb0dc850f5e71 |
memory/3600-9-0x0000000000400000-0x0000000000451000-memory.dmp
memory/3600-11-0x0000000000400000-0x0000000000451000-memory.dmp
memory/3600-12-0x0000000000400000-0x0000000000451000-memory.dmp
memory/1920-13-0x0000000074CC0000-0x0000000075271000-memory.dmp
memory/3600-14-0x0000000000400000-0x0000000000451000-memory.dmp
memory/3600-16-0x0000000010410000-0x0000000010475000-memory.dmp
memory/1672-21-0x00000000010F0000-0x00000000010F1000-memory.dmp
memory/1672-22-0x00000000011B0000-0x00000000011B1000-memory.dmp
memory/3600-77-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/1672-82-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 03978954d224a98fe706b8ca30ef9f8f |
| SHA1 | 2481f9ec85eebf62444b8f286021a150cc9e853e |
| SHA256 | f0466b8305bc2d5267755ab12607a5b8f52904b1b41389513a0abbb428e154b3 |
| SHA512 | be6e35e594b63f6f2edd8630990a7f101b2f4f2b9727501c669cceb426c07a434483cdc8c1d9e66c6ba160d3aaa2b63e200e607da726ffa77e6c389fe837c1c8 |
memory/3600-147-0x0000000000400000-0x0000000000451000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9a6212e54a4597871c1700d1ec7ee9ef |
| SHA1 | f7af5f6d93bff9f29a51924dcd98c7b42839a30d |
| SHA256 | c9e0ef635282359d3953405c9f7ff1affa1868d72abe77c7308712a86321e247 |
| SHA512 | 1333a153bb2071d51848238a7b06bfee72ca40f00ad49d0db4a3483e88cc3637998c17b1c8a959f0b8638e3b700c95468ad597205fda6de88a059472e323ec02 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7619702aeefec1a2135f7e72b44cc87b |
| SHA1 | 0fc8aface0ba62ffb5b232fb97ce6423bd4de85d |
| SHA256 | 4706a9ea57c9774554e65a63f77b8c831cb87f10b57adf5ef1c88fe84d25d6d7 |
| SHA512 | 02137d4bd484855c0029f2d51eb4cb1c970a32b4383f273d8a72b05e3905741faad684071d085e6f9dd92cd8a280a5fce54ae2a5d313608f05dbd6cfb36df006 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 95b382184fd7bdb4e8059bcca7f1db60 |
| SHA1 | 550e921244cb9659f783d9a9cd3dd3e5c35c74cd |
| SHA256 | 91b144208c8f063b44f88fb057466660a8a6337dd28c66c1c61bbc257c985205 |
| SHA512 | 0d06fa81a15ff2319aebc969351f4fe6aa6c5b1847c2ae0d024cdd1b2c4122a6e61c116bebfe78aac104be10ce576747e0d09dc882ba4074b8711c4ffaa89eac |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 66431af0c7928e9ef5e6166fd8b1b1f8 |
| SHA1 | 802455eff9ce809d0f44c56110869c0b63500caf |
| SHA256 | 5ab3a9790b330638dc2a6999c8691662374a547fc656b953d676493508d69b1b |
| SHA512 | 142253813e6b06d75d113f993e2773f1e4729c62ec519f7a4a302336586ac1533737e0fb17e933f44da6d42cee1b0e76cd52d0212970a1bead0e283cb49a43de |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 99f99464cd72ab411285f6a50479b6d7 |
| SHA1 | ee623fcca68e5f33278241f919cdcbb704ec820e |
| SHA256 | da4e334e2f9d5b5f4a1ad7b1d70cf23307c828dd497f55d0a19d2f2a7274ea03 |
| SHA512 | 18588ff94d36941c6a738bda0ea6c4474d54d63d5f8236384cbdba67b5c623c5a6e7f81f1e7fbc94a52b83b0fdc5b7318ea56929b5d1197d2baea296790c943d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2b15b8c8357f9d9ca8c3e81302a79d6f |
| SHA1 | 51cbcb5ae3d971bea1af297373848588e52e38d5 |
| SHA256 | d03f674dc142b94189b885ffe2eb01e4d92479e0906b96cb254d5877f8532b0a |
| SHA512 | 6297115aa81230badddd1cda656d9b0a39fcd2ad74de517911e1c927d85206a072f8bff9ea4fc92b2013a036c4799adaa6bc594a380577cb3e126c6124b00fa3 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 90572832f7073e7fe3b0d67a8762de5f |
| SHA1 | de8050641870e3707ae61082548494d31d69644a |
| SHA256 | 89e22e8611b5d6335e709a3f293cb6500fac022c5eb4b267c70c0fc36926b2e6 |
| SHA512 | 2cd4d190e37517a5b00985afff52e6ee55277a1b785ab8311942085b88b72eeeec9b0bff492160479e6b3d9f3e3535e90cd7ef89f9169b30f62d1b23f704d2b5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 8f41cc054e4c51f4e367a8977b2cddcb |
| SHA1 | b21857302bec6c72971040db4935d7b680661cc2 |
| SHA256 | a4251837ff09d55db79fe4313fdc1e5551b2ee0df71bb9c1bb7819c56bb7f2ea |
| SHA512 | 39738849100cdbd9e775effd2c61c281ac916e56f84b2fe3405a4c9e0cfa76320b30be119ebf34f3322e9f9a052f399550ee9057ca61b6ba0ca06a339c0c90a9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7e71be3cc04220c593234dc75cda801a |
| SHA1 | c5286b76dcbce88b1c2c6ca6de170985b130c904 |
| SHA256 | 8c558e08d6c92f384d07efb19e7bfcccabd99d18fa8ad08d0b9ba2c868cd40b0 |
| SHA512 | a22ab457b5cc359c4b827954beaa5ffdfd6ed20b782457b708fde3649b583d006115ba4bde4df45d2c123bad52b85b20b4803c14f49e22471f38f32aa3ebc407 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 71a0d094c0824b315fb59b0560e9480f |
| SHA1 | 6f69331f68db0c9c27b10a2e65ac851e298ed3e6 |
| SHA256 | 5e7a9fc960c1373770c81e084723ab7052a74fb3a0deae465a8db12d9e8cd327 |
| SHA512 | 31499487db15de5f6dfd4f0491d3ac6eb2ecb5da05b0a066d559b0434aabaaee246be5782f82d75f4fcc8ac1d092f356a7f5c71e6c04c758586ea3be58e6b696 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | bf511a13f8b44cb357694252ad67edd1 |
| SHA1 | b8efad961bf83f53f896d3d0a66de843938795f5 |
| SHA256 | 29b9304226001b61c74e2dab2763968a385bd0dc40b2b343ebac2d84d7cb76e1 |
| SHA512 | 94d5ad22a17f7983dfb842c2e8a80f6c9fbf73ace6db3e4e797a5e66ba199a4277a48e6190b5e60a9bf3cde2d1a11509384dee5d5e57167622b9fe01d7c08e38 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ea69ebdea43286286939de2791aa37a4 |
| SHA1 | efd442b1b52a76944bfc954dea8af33f5990ae85 |
| SHA256 | c2b5d8b72802e8b685656b729b88666dde2180192e3039175318ae7fdbdbdb61 |
| SHA512 | 06a862804e69e6d1d80f3a94fa5e5e2620f61eb8e39eca34548ab69723ba40d70ee4c4232d5e5c17de67428a9c41db83e46eb35db34dac4d92ade6bb4f97a713 |
memory/1672-1315-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | bc6d534fbfa49d415d6b3e09f95e5dfe |
| SHA1 | 6af5990d9c25278b6e0b6b49b4bb4945c19fe092 |
| SHA256 | d71aa00909d3fa6f5c5791a47b992145cffd8cc0e873ba593209fa5d2ba570dc |
| SHA512 | b980875af4359e4d43ea14a9d667a7e80052ff573057b463cf41cb92086598133230f04245247dfb56f06a4a2737ec587c28c1dcca13a0031c4b1e76e6651ecf |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0d2e27edfb84972c72d34db91e195b4d |
| SHA1 | 968a9016747a75e251e9c6cb8ab30e6c6c3f3756 |
| SHA256 | 577ed3c73f42b5309f52bfc62bbd088e9edcdc0f40040da4efce63060f56ef8c |
| SHA512 | 5f8649bd65f44783b3c25361224107f0bfa53de4b9f34ff2681cd2ec44abde3b99afef3b15d1ba025b74693b0f4ae080ebdcd14c112d32fc488746e4a2851045 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 67bc29934eee0ddbd5d71c903e82b562 |
| SHA1 | b94808ef2bcca3e7d874bca0fe7eac9677c4aa26 |
| SHA256 | cab4a591e9b386e0cc01b26289439bccbe135cdcb218cd52823f416b81ec0461 |
| SHA512 | b5977c5734ac1a649794857b771d532c58ea4099d2e9927190b1ce5af8e460e63e5cc548bc388f87e6623ce4e26e011c6eb447238fffe58e35eb92374c4622fe |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 94703a157c1fd194c313195ed7434e35 |
| SHA1 | 097d69ddac2014921dc7e35af4c54785bda9890c |
| SHA256 | ae1886c7e2e13024c8689c6366b8400d07a5fee72886f2f2df4e7143f530bb65 |
| SHA512 | b9a48f8296bcad4d4202f8f9515fa9e0a75bfbb84af1f327b8a5f077a4a925ecb0f50c1711894dbb9d2fd97d62f703d87511723d24df88a8bfb0dc614fe1d1cf |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6f9d0c901356d9e8e9c73e1d09ce01b5 |
| SHA1 | 6ed9a052397d509f3ebad4e4b668081d97f41cc9 |
| SHA256 | 20e71d565648d4076238da039bbf2243d79932cc1695ffdf7c2d38403741a599 |
| SHA512 | 5876103367a0827c426163fefd958ce43856babe36e21fe616c6315cdb4ac3d079349d9531319b62b90dca5507ecc2c9f9ecca0788dc48bb75ae76b92c75e1e4 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7baa6b146a7fe1d9313e6581466ff6cf |
| SHA1 | f4644188b13cf9b90764509a4a49612303037b37 |
| SHA256 | 5d85edc869e1d4f1d01ee45e23b17b649062bfb5a81e07c5e7b95212beaa5b9f |
| SHA512 | 9b3644d4179d19364a679ad68df78c8497d27589916f752ff586e2aea14787d1ba23463efe1de59f551a969b754689b09554ffbc05d62e27cd41585bbf32d07c |