Malware Analysis Report

2024-09-22 11:10

Sample ID 240627-ksy2gasgpe
Target 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118
SHA256 a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb
Tags
remote cybergate persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb

Threat Level: Known bad

The file 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remote cybergate persistence stealer trojan upx

CyberGate, Rebhip

Cybergate family

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-27 08:52

Signatures

Cybergate family

cybergate

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 08:52

Reported

2024-06-27 08:55

Platform

win7-20240611-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\rafaella.exe" C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\rafaella.exe" C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W} C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W}\StubPath = "C:\\Windows\\system32\\WinDir\\rafaella.exe Restart" C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\rafaella.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\rafaella.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\rafaella.exe" C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\rafaella.exe" C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A

Drops file in System32 directory

The registry values above point at C:\Windows\system32\WinDir\rafaella.exe, but the file events below show it created under C:\Windows\SysWOW64\WinDir\. The sample is a 32-bit process on 64-bit Windows (its registry writes also land in Wow6432Node), so the file system redirector sends its system32 writes to SysWOW64 while the string it stored in the registry is left untouched. Hunt for both paths.

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\rafaella.exe C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\rafaella.exe C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\rafaella.exe C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
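
The four persistence writes above (Policies\Explorer\Run, Active Setup StubPath and the Run keys) all point at the same dropped binary. The script below is an added example, not part of the sandbox output, of how a detection engineer would classify such registry writes, map them to ATT&CK T1547.001 and T1547.014, and resolve the WOW64 redirection that makes the registry value say system32 while the file lives in SysWOW64. The event records are constructed from this report's rows; the fifth benign "ExampleUpdater" entry, the explorer-style allowlist heuristic and the Sysmon field shape are assumptions for illustration.

```python
"""Classify the autostart registry writes recorded in this report.

Added example, not part of the sandbox output. SAMPLE_EVENTS is constructed
from the report's 'Set value (str)' rows; in production the same functions
would consume Sysmon Event ID 13 (RegistryEvent: Value Set) records.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Autostart locations seen in the report and the ATT&CK sub-technique of each.
# Patterns run against the key with its hive prefix and Wow6432Node removed.
AUTOSTART_LOCATIONS = [
    (r"\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", "T1547.001", "Policies\\Explorer\\Run"),
    (r"\\CurrentVersion\\Run\\[^\\]+$", "T1547.001", "Run key"),
    (r"\\Active Setup\\Installed Components\\\{[^}]+\}\\StubPath$", "T1547.014", "Active Setup StubPath"),
]

@dataclass
class Alert:
    technique: str
    location: str
    hive: str
    image: str       # executable path exactly as written into the registry
    on_disk: str     # where that file actually lives after WOW64 redirection
    suspicious: bool

def normalize_key(key: str) -> str:
    # Drop \REGISTRY\MACHINE or \REGISTRY\USER\<SID>, and Wow6432Node, so HKLM/HKU
    # writes and the 32-bit/64-bit registry views compare equal.
    key = re.sub(r"^\\REGISTRY\\(MACHINE|USER\\S-1-5-[0-9-]+)", "", key, flags=re.I)
    return re.sub(r"\\Wow6432Node", "", key, flags=re.I)

def hive_of(key: str) -> str:
    return "HKLM" if re.match(r"\\REGISTRY\\MACHINE\\", key, re.I) else "HKU"

def wow64_on_disk(image: str, process_is_32bit: bool) -> str:
    # A 32-bit process on 64-bit Windows writing C:\Windows\system32\... is sent to
    # C:\Windows\SysWOW64\... by the file system redirector. The string it stored in
    # the registry is not rewritten, which is why this report shows system32 in the
    # registry values and SysWOW64 in the file events. Hunt for both.
    if process_is_32bit:
        return re.sub(r"(?i)^c:\\windows\\system32\\", r"C:\\Windows\\SysWOW64\\", image)
    return image

def image_from_value(value: str) -> str:
    # Active Setup's StubPath carries an argument ('... rafaella.exe Restart');
    # keep only the executable.
    m = re.match(r'\s*"?([^"]+?\.exe)"?(?:\s|$)', value, re.I)
    return m.group(1) if m else value.strip()

def is_suspicious_image(image: str) -> bool:
    # Heuristic for this example: autostart targets are expected in Program Files or
    # directly in System32/SysWOW64. User Temp/AppData, or an ad-hoc subfolder such as
    # System32\WinDir, is flagged. Tune the allowlist for your own estate.
    low = image.lower()
    directory = low.rsplit("\\", 1)[0]
    if "\\appdata\\" in low or "\\temp\\" in low:
        return True
    if directory in ("c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"):
        return False
    return not directory.startswith(("c:\\program files\\", "c:\\program files (x86)\\"))

def classify(event: Dict) -> Optional[Alert]:
    # event = {"key": full key path incl. value name, "value": data, "process_is_32bit": bool}
    key = normalize_key(event["key"])
    for pattern, technique, label in AUTOSTART_LOCATIONS:
        if re.search(pattern, key, re.I):
            image = image_from_value(event["value"])
            on_disk = wow64_on_disk(image, event.get("process_is_32bit", False))
            return Alert(technique, label, hive_of(event["key"]), image, on_disk,
                         is_suspicious_image(on_disk))
    return None

def triage(events: List[Dict]) -> List[Alert]:
    return [a for a in map(classify, events) if a is not None]

SID = "S-1-5-21-39690363-730359138-1046745555-1000"   # sandbox user SID from the report
RAT = r"C:\Windows\system32\WinDir\rafaella.exe"
# The first four rows mirror behavioral1; the last is a made-up benign control entry.
SAMPLE_EVENTS = [
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies",
     "value": RAT, "process_is_32bit": True},
    {"key": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies" % SID,
     "value": RAT, "process_is_32bit": True},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W}\StubPath",
     "value": RAT + " Restart", "process_is_32bit": True},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM",
     "value": RAT, "process_is_32bit": True},
    {"key": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater" % SID,
     "value": r"C:\Program Files\Example Vendor\updater.exe", "process_is_32bit": False},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a.technique} {a.hive} {a.location}: {a.image} -> {a.on_disk}"
              f" [{'SUSPICIOUS' if a.suspicious else 'ok'}]")
```

Running it prints one line per autostart write; the four report rows come out as SUSPICIOUS with the on-disk path rewritten to SysWOW64, the control entry as ok. The Wow6432Node stripping matters in practice: the same CyberGate build writes Run\HKLM under Wow6432Node on 64-bit hosts and directly under SOFTWARE on 32-bit ones, and a rule keyed on the literal path would miss one of them.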

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\rafaella.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
(64 identical events: the sample writes repeatedly into the iexplore.exe instance started during detonation, the shape of code injection into a browser process)
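
The 64 writes from PID 2236 into PID 2568 are the report's evidence of injection into Internet Explorer. As an added example, not the sandbox's own logic, the script below correlates process-creation records with cross-process write events, of the kind Sysmon process-create and process-access events or an EDR's WriteProcessMemory telemetry supply, and flags a writer that both spawned and repeatedly wrote into a known injection host. The events are constructed from this report; the parent PIDs, the explorer.exe launcher, the svchost noise row and the target list are assumptions.

```python
"""Correlate process creation with cross-process memory writes to surface the
pattern this report records as 'Suspicious use of WriteProcessMemory'.

Added example, not part of the sandbox output. The event lists are constructed
from the report's Processes list and the 64 'PID 2236 wrote to memory of 2568'
rows; parent PIDs and the svchost noise row are assumed, not taken from the page.
"""
from collections import Counter
from typing import Dict, List

# Processes a RAT typically injects into because their outbound traffic looks
# normal. Name-based list chosen for this example; extend it for your estate.
INJECTION_TARGETS = {"iexplore.exe", "explorer.exe", "svchost.exe",
                     "firefox.exe", "chrome.exe", "msedge.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_injection_chains(proc_events: List[Dict], write_events: List[Dict],
                          min_writes: int = 1) -> List[Dict]:
    """proc_events: {'pid', 'ppid', 'image'} (Sysmon Event ID 1 shape).
    write_events: {'src_pid', 'dst_pid'}, one per WriteProcessMemory call.
    Returns one finding per (writer, target) pair whose target is an injection host."""
    image = {e["pid"]: e["image"] for e in proc_events}
    ppid = {e["pid"]: e["ppid"] for e in proc_events}
    writes = Counter((w["src_pid"], w["dst_pid"]) for w in write_events)
    findings = []
    for (src, dst), n in sorted(writes.items()):
        if src == dst or n < min_writes:
            continue
        if basename(image.get(dst, "")) not in INJECTION_TARGETS:
            continue
        findings.append({
            "writer_pid": src, "writer": image.get(src, "?"),
            "target_pid": dst, "target": image.get(dst, "?"),
            "writes": n,
            # A process that spawns a browser and then writes into it is the
            # classic RAT injection shape; a debugger attached to an unrelated
            # process would not carry this parent link.
            "spawned_by_writer": ppid.get(dst) == src,
        })
    return findings

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"
PROC_EVENTS = [
    {"pid": 1500, "ppid": 1,    "image": r"C:\Windows\explorer.exe"},                       # assumed launcher
    {"pid": 2236, "ppid": 1500, "image": SAMPLE_EXE},
    {"pid": 2568, "ppid": 2236, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 700,  "ppid": 1,    "image": r"C:\Windows\System32\svchost.exe"},              # constructed noise
]
# 64 writes as in the report, plus one constructed benign write into the sample itself.
WRITE_EVENTS = [{"src_pid": 2236, "dst_pid": 2568} for _ in range(64)] + \
               [{"src_pid": 700, "dst_pid": 2236}]

if __name__ == "__main__":
    for f in find_injection_chains(PROC_EVENTS, WRITE_EVENTS):
        print(f"{f['writer']} (PID {f['writer_pid']}) wrote {f['writes']}x into "
              f"{f['target']} (PID {f['target_pid']}); child of writer: {f['spawned_by_writer']}")
```

The count matters as much as the pair: a single write into a browser can be a legitimate accessibility or update hook, while dozens of writes from a process that also created the target leave little room for a benign explanation. Raise min_writes to tune noise rather than shrinking the target list.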

Processes

C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"

C:\Windows\SysWOW64\WinDir\rafaella.exe

"C:\Windows\system32\WinDir\rafaella.exe"

C:\Windows\SysWOW64\WinDir\rafaella.exe

"C:\Windows\system32\WinDir\rafaella.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 www.server.com udp 1
US 52.8.126.80:80 www.server.com tcp 13

www.server.com was resolved through the sandbox resolver (8.8.8.8) to 52.8.126.80, followed by 13 TCP connections to port 80 within one detonation, which is consistent with a RAT retrying a C2 session that never completes. The hostname reads like a builder placeholder rather than attacker-registered infrastructure, so corroborate it against other samples before adding the IP to a blocklist.

Files

memory/2012-7-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2236-6-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/2012-18-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2012-13-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2236-2-0x0000000010410000-0x0000000010475000-memory.dmp

memory/2012-291-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Windows\SysWOW64\WinDir\rafaella.exe

MD5 1562ea6ccbc11556a2fbc40aeaf1897d
SHA1 d3e9413c1ede49d83be13b118c861cbe41b3e6c2
SHA256 a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb
SHA512 44572ee9589c46f1fe2d009f77b5b199343e506257613ccf8de524fc57e590ec04d102a760aade26bfb23fb4a16f81c242ae98e34ae28382aaa51568d10725aa

Same MD5 and SHA256 as the submitted sample: the persisted copy is byte-identical to the original, so a hash block on the sample also covers the dropped file.

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 fcdc2ec75169e8f15aa481a855d2d1ce
SHA1 e175eb08f9c24ef111cb7a0691ef75e81ffc9f49
SHA256 b9dcdb13419530c9b517e0ca3ee3f8c63ae59e970e8ad286a41a4b77addc3173
SHA512 32310fa60f8d1d8c70517ab451034617407106aa5d1ecd80cbd47534952d3ad9fc73b391ff8f76f577b89d996ddf032e6cf46c13a4a45fa93d1e8ede183cdd51

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c6a57eb3bdbf10bab9ae050c5aa7a940
SHA1 0e34774ec9b27c8d61983433bb06fd608be3420a
SHA256 3bb2419816762ec7537a1298a181a292ce2bb6d239d989ef3b28a69d39aeffbf
SHA512 f98aede02d7dbb42ad87fef4377cbe26d26788846dae1c61364dbdaf77340378db208626120b82cdaab6191ee261d7c8d62b53a48b171258864f421a6f0777db

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fa16c17bd57ddac978987e3b4fe3a82c
SHA1 b41cb944cef71aad508be364cd3dab9456cc7d4f
SHA256 8e3749f8e6100d6fe75bc92c36f2d3e1b994fd33a2102d1a6cfca9822a344584
SHA512 66d24575f7cf727d1119e9a8d5420d41fc03457066653ece67aad2330e8220a6a891566d2181a35cc7105b389c2dda9039047c0771085fc48e8b0ccc61ca8713

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e3316ef318e9322c29e840719d6e51b2
SHA1 009d0fca6c0e01dd5c17c4738d07730940ce088c
SHA256 356805e8dd89737f6ccbf88b2d84d33a8ec90c0f0f786b851ef8f68e603380cb
SHA512 91498a051a14fce59053cd188a2b9859f6b5fef0565dee5d0b87a3b7645b701777e56bf16f3fb5367c16948e6d48a0e3d2b8abd269cab9698106969c68f8ee5b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d07f6d2486723e1a114f03d322adcf60
SHA1 69a64297b09c8d679e5dddf3c932a4ec1e44a587
SHA256 dff24518646134ba890bd53823d88e7df5bb6e13e214f3ec870b2a39cf6bbcf0
SHA512 33cfaa555b3783b2026196ea7e9a54d762a069526b1182875e55e8e56cae3adf256898a9d01d9b28f2d4df56a673fcac07e780ba5ed6e1c97600b2bfe503ff6a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a0bff030c7ea47144eb4f2740e45484b
SHA1 c6102a3274de269d612bd7fbee212bc48bbed425
SHA256 b1b3b1ec212ac5413326b8867d51ab28d851664225a85755301764165d05e990
SHA512 d837006591fc7526b12c612dfa4eb4b10853fa90c3446290dadaa507d17b6023cef149c83d441566855116141e15fc55049ddf622146ae70c3dd00e9e084f005

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fa09d55b41bde0a2661420706c1f0f83
SHA1 d60f54f56c5c1cf72428f7bbac382d9fa11579bd
SHA256 971bbb6b2b91483c0e723509baf4163ca5d0f747af50635328febe8f15e1db3e
SHA512 38972da3457a978f2adfa03838182255547926dde54015e8194328da2ab1cdc5c49fb72f141318205324ef44c57aa922f74ef4340ed58f8f526e6537aeceb5f3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 93803456c54e1da5c0bd17b59f999928
SHA1 800b89889a229ff82396cf92e0ad1bd5b3b2f949
SHA256 ea09f2be24eb678d6fcf66bdb26dc269eef1015d8d0d1d40b7d32245d8b8ae36
SHA512 f968e9be79747477e054272edf32515827e32f95e49da212a14b0416bf169b0ed0424c131849e389ebc5ff53cd6c44a60d7ae938cc600688d432b945aabceadb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8f4f70b06c422f6cd97922ce06a2b2b9
SHA1 489f63af2f3b9c208b316dacfa0a2e9f8f82a7dd
SHA256 730fa91d4c3769bd19ff5997b2b58fb6df5b549f70b1a73b1589e75224cd25e6
SHA512 45193a5bfa883ed037634addca0982164097cbd8810cfbcb41e37c85a8ce07039539ae542f9fadef2214135315725a0efc2b7f3241d159ec116f0573094bcee9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c55cf1aec52529c837ff94f94be1b9d2
SHA1 4486d318d0abebadea286c7a769f9140b4342eac
SHA256 6d2361e1c45d6a8fbe14721a7e9b0089b07532e42b74d6888eddb75c93ff98fb
SHA512 e1ec8dc70b8aa660ec6aea27dc1d48e0d28b1b933751d7d9c86418fa97f760caf2e89302958d0e660a5c4ede80c04ee7dc81281f2768eb264a8db8c9954f909d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 883c9d12b80e689ff3e01f4cc1687e5f
SHA1 2ffca5d1fa8e89610f02cfe11bbe214485abf5b9
SHA256 cfda9af4e8409f913c3d265d20ad1e4f67b1b65e6b0b451682db0ef5cfa3432a
SHA512 67de1cc8eda4079e43d0ab06e3e68e15aa6c511372f1e9127256886a306d24e51fba30e6e597c3bd3c5c2315b331f73583e829d3d498ebe0e3c50db2755d9a17

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2d82b86bdeb30177bece9cf0db3d258e
SHA1 ca9da9148d626fec5724d6da353e73927c5dcdfe
SHA256 c0703bce4a45b6cfeb6351c99671d8958094df50d7950ed39713dcb595a488fd
SHA512 9ff8d19f2106ce98b4b377e8f8330632aea3ce7a63c064f2c0a7f2a5fee5ef332523ab3f237967a0742d823b6643fe26111bd29538f3bd81a39e0adfdd8089f1

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4cd91252cc12842a05ea09668a10b3ab
SHA1 a929214d1e1a2a78bf34ab52087945aa70fb564f
SHA256 f98a14a42b5840cf17c304b9baf5b0c980cfb1393698764303499a861c5748ce
SHA512 cf54f0030974b462ccbfd3b724dc1f0bf2ab84b741c882a2cd9be140cf5dbaf7f1521742014717a3714756a910edb693141cfec29c7ed2e8a9ca179e62828931

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0113a1eba293841d61461773d9969fd4
SHA1 7419b0ad990bb63c49d0f7624bd1afe0379da102
SHA256 437b52e36fed243f9bdea95594abdad81a64d0e98bafe9cf35220e4d525f0e59
SHA512 41d432987be623c19fce5e3520539d2c10b255135f17894c74ee6f8b54009b59c315c7319fbe0d1370e7a235c1f155327f2f98f071196a18c769121e5ed8b62e

memory/2012-1108-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f1cdde69d3881168f15c145c4c13034b
SHA1 522edcb9c4065e636e6fc24bb55abab8cfd77f7d
SHA256 b7f1817525eb2ef20a6c9840e9a910655385584cadff0705e5db26700f10627f
SHA512 31df521c964eb6f6c25279f85908a4a3bd0782853cac34f2b4687673d81f3479d1b5ed9f493d30bf4ecd34a780f4f8cbe28648b674a74d273ef02d76c2ff987f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0702678a3c6be57a890bce6bd1982560
SHA1 cb7742da8051dcba2456d35c3821aea598dc54ee
SHA256 fa8b0dc96a4f26f7b20025f463b9b1559171df84b1d213d2bffbf5f7141de1c2
SHA512 c6846aeb7f52d348fd62e2c28d20440f992dec6239e5e1c0fd3659ecc14dba67c6aab0f79fa17c7853aa3bb481d43c511921d378ff89612f908ee7dc6d9a58c5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6dbe59359ff5c498654c64d1510cfa52
SHA1 f4ea5b6cedb75bc488d8953acc266fbb6a2884e2
SHA256 503c37e7db2f8d4492489fc680c6774ecc2820b4c144cca015db15e8e69885c9
SHA512 f18e13006488699d6b886d677e6b370a496040da408fcd347875592fc2e338ebfd0fe22de51a4b2840b878fbd57325d3b8702629a6551382bb4f120c6a95cc40

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fde4a074e2e25e2cbd1456cb9471089a
SHA1 2272f69121f682d451793ab888e2802134d55884
SHA256 3516eee6156f4d4d6f0f69ab26a2867ff5824a7c360df90bd7db80b059b7d675
SHA512 88c041c1297addad85c1d1b4c1cd8df3ec70960dc068f17f87a8b7ddd52a14d52de9e5e80ef47478fc4ffd611cfe08cb2cd39e18a0b97869ada79ff800361748

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 80aa87b3386be6662cb92ed5536a17c9
SHA1 8cd05f12f5b575e77bd48be5efc68bf7444c4553
SHA256 a212a369fefb8f2790bb20cf370ccaa24eb0f7cb18e559a8255b4bdcb611a45e
SHA512 dd49638bba7c5ccb11d6e535038e40c93840b04391e9131a355e2f19c491103f1dd338fc42a54e62aa66ef3a75edb4c28e22bb39ddac6776dbb5fd5c75bb5095

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 08:52

Reported

2024-06-27 08:55

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\rafaella.exe" C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\rafaella.exe" C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W} C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W}\StubPath = "C:\\Windows\\system32\\WinDir\\rafaella.exe Restart" C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A

Checks computer location settings (reads the user's Geo\Nation value, the usual input to a country-based kill switch; the report does not show whether the result changed execution)

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\rafaella.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\rafaella.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\rafaella.exe" C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\rafaella.exe" C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\rafaella.exe C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\rafaella.exe C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\rafaella.exe C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4600 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4600 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4600 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"

C:\Windows\SysWOW64\WinDir\rafaella.exe

"C:\Windows\system32\WinDir\rafaella.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 580

C:\Windows\SysWOW64\WinDir\rafaella.exe

"C:\Windows\system32\WinDir\rafaella.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 512 -ip 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4428,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=2816 /prefetch:8

Network

Files
