Analysis Overview
SHA256
a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb
Threat Level: Known bad
The file 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Cybergate family
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Loads dropped DLL
UPX packed file
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-27 08:52
Signatures
Cybergate family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 08:52
Reported
2024-06-27 08:55
Platform
win7-20240611-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\rafaella.exe" | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\rafaella.exe" | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W} | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W}\StubPath = "C:\\Windows\\system32\\WinDir\\rafaella.exe Restart" | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\rafaella.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\rafaella.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\rafaella.exe" | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\rafaella.exe" | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\rafaella.exe | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\rafaella.exe | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\rafaella.exe | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
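The four persistence writes above (Policies\Explorer\Run, an Active Setup StubPath, and HKLM/HKCU Run values) all point at C:\Windows\system32\WinDir\rafaella.exe, while the file itself lands in C:\Windows\SysWOW64\WinDir\: the sample is a 32-bit process, so WOW64 file-system redirection maps its "system32" writes to SysWOW64 and its HKLM\SOFTWARE writes to Wow6432Node, and a hunt has to cover both views. Two further tells are visible in the rows themselves: the Active Setup component name {ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W} contains non-hex characters and is not a well-formed GUID, and the autostart target sits in a subfolder of the system directory rather than directly in it. The following script, added here as an example and not part of the sandbox report or of any vendor tooling, classifies registry SetValue events against those locations and raises those two flags; the event field names, the helper names and the benign control entry are assumptions, and the event data is constructed from the report's indicators.

```python
"""Classify registry autostart writes of the kind recorded above.

Added example, not part of the sandbox report or of any vendor tooling.
SAMPLE_EVENTS is constructed to mirror the report's "Set value (str)" rows
(key paths in the \\REGISTRY\\MACHINE / \\REGISTRY\\USER form); the field
names and the benign control entry are assumptions.
"""
import re
from typing import Optional

# Autostart locations seen in the report, paired with their ATT&CK sub-techniques.
AUTOSTART_RULES = [
    (re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", re.I),
     "Policies\\Explorer\\Run", "T1547.001"),
    (re.compile(r"\\Microsoft\\Active Setup\\Installed Components\\\{([^}]*)\}\\StubPath$", re.I),
     "Active Setup StubPath", "T1547.014"),
    (re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I),
     "Run key", "T1547.001"),
]
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
EXE_RE = re.compile(r'^"?([a-z]:\\[^"]*?\.exe)"?', re.I)

SAMPLE_EVENTS = [  # constructed from the report's indicators
    {"EventType": "SetValue",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies",
     "Details": r"C:\Windows\system32\WinDir\rafaella.exe"},
    {"EventType": "SetValue",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W}\StubPath",
     "Details": r"C:\Windows\system32\WinDir\rafaella.exe Restart"},
    {"EventType": "SetValue",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU",
     "Details": r"C:\Windows\system32\WinDir\rafaella.exe"},
    {"EventType": "SetValue",  # benign-looking control entry, constructed
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
]


def exe_from_details(details: str) -> Optional[str]:
    """Pull the executable path out of value data such as 'C:\\x\\y.exe Restart'."""
    m = EXE_RE.match(details.strip())
    return m.group(1) if m else None


def in_system_dir_subfolder(exe_path: str) -> bool:
    """True when the binary lives in a subfolder of System32/SysWOW64 instead of
    directly in it (the report's WinDir\\rafaella.exe is such a case)."""
    parts = exe_path.lower().split("\\")
    for i in range(1, len(parts)):
        if parts[i] in ("system32", "syswow64") and parts[i - 1] == "windows":
            return len(parts) - i - 1 > 1  # more than just the file name follows
    return False


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding for a SetValue event that writes an autostart location, else None."""
    if event.get("EventType") != "SetValue":
        return None
    target = event["TargetObject"]
    for pattern, location, technique in AUTOSTART_RULES:
        m = pattern.search(target)
        if not m:
            continue
        exe = exe_from_details(event.get("Details", ""))
        flags = []
        if location == "Active Setup StubPath" and not GUID_RE.match(m.group(1)):
            flags.append("component id is not a valid GUID")
        if exe and in_system_dir_subfolder(exe):
            flags.append("executable in a subfolder of the system directory")
        return {"location": location, "technique": technique,
                "value_name": target.rsplit("\\", 1)[-1], "exe": exe, "flags": flags}
    return None


def analyze_events(events) -> list:
    """Findings for every autostart write in a list of events, in input order."""
    return [f for f in (analyze_event(e) for e in events) if f]


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f['technique']} {f['location']:<22} {f['value_name']:<15} {f['exe']}  "
              f"{'; '.join(f['flags']) or '-'}")
```

The rules match on the tail of the key path, so they work unchanged on \REGISTRY\MACHINE, HKLM and Wow6432Node spellings; the control entry is matched as a Run key but carries no flags, which is the distinction a hunt query needs.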
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\rafaella.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"
C:\Windows\SysWOW64\WinDir\rafaella.exe
"C:\Windows\system32\WinDir\rafaella.exe"
C:\Windows\SysWOW64\WinDir\rafaella.exe
"C:\Windows\system32\WinDir\rafaella.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/2012-7-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2236-6-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/2012-18-0x0000000000350000-0x0000000000351000-memory.dmp
memory/2012-13-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2236-2-0x0000000010410000-0x0000000010475000-memory.dmp
memory/2012-291-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Windows\SysWOW64\WinDir\rafaella.exe
| MD5 | 1562ea6ccbc11556a2fbc40aeaf1897d |
| SHA1 | d3e9413c1ede49d83be13b118c861cbe41b3e6c2 |
| SHA256 | a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb |
| SHA512 | 44572ee9589c46f1fe2d009f77b5b199343e506257613ccf8de524fc57e590ec04d102a760aade26bfb23fb4a16f81c242ae98e34ae28382aaa51568d10725aa |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | fcdc2ec75169e8f15aa481a855d2d1ce |
| SHA1 | e175eb08f9c24ef111cb7a0691ef75e81ffc9f49 |
| SHA256 | b9dcdb13419530c9b517e0ca3ee3f8c63ae59e970e8ad286a41a4b77addc3173 |
| SHA512 | 32310fa60f8d1d8c70517ab451034617407106aa5d1ecd80cbd47534952d3ad9fc73b391ff8f76f577b89d996ddf032e6cf46c13a4a45fa93d1e8ede183cdd51 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c6a57eb3bdbf10bab9ae050c5aa7a940 |
| SHA1 | 0e34774ec9b27c8d61983433bb06fd608be3420a |
| SHA256 | 3bb2419816762ec7537a1298a181a292ce2bb6d239d989ef3b28a69d39aeffbf |
| SHA512 | f98aede02d7dbb42ad87fef4377cbe26d26788846dae1c61364dbdaf77340378db208626120b82cdaab6191ee261d7c8d62b53a48b171258864f421a6f0777db |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fa16c17bd57ddac978987e3b4fe3a82c |
| SHA1 | b41cb944cef71aad508be364cd3dab9456cc7d4f |
| SHA256 | 8e3749f8e6100d6fe75bc92c36f2d3e1b994fd33a2102d1a6cfca9822a344584 |
| SHA512 | 66d24575f7cf727d1119e9a8d5420d41fc03457066653ece67aad2330e8220a6a891566d2181a35cc7105b389c2dda9039047c0771085fc48e8b0ccc61ca8713 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e3316ef318e9322c29e840719d6e51b2 |
| SHA1 | 009d0fca6c0e01dd5c17c4738d07730940ce088c |
| SHA256 | 356805e8dd89737f6ccbf88b2d84d33a8ec90c0f0f786b851ef8f68e603380cb |
| SHA512 | 91498a051a14fce59053cd188a2b9859f6b5fef0565dee5d0b87a3b7645b701777e56bf16f3fb5367c16948e6d48a0e3d2b8abd269cab9698106969c68f8ee5b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d07f6d2486723e1a114f03d322adcf60 |
| SHA1 | 69a64297b09c8d679e5dddf3c932a4ec1e44a587 |
| SHA256 | dff24518646134ba890bd53823d88e7df5bb6e13e214f3ec870b2a39cf6bbcf0 |
| SHA512 | 33cfaa555b3783b2026196ea7e9a54d762a069526b1182875e55e8e56cae3adf256898a9d01d9b28f2d4df56a673fcac07e780ba5ed6e1c97600b2bfe503ff6a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a0bff030c7ea47144eb4f2740e45484b |
| SHA1 | c6102a3274de269d612bd7fbee212bc48bbed425 |
| SHA256 | b1b3b1ec212ac5413326b8867d51ab28d851664225a85755301764165d05e990 |
| SHA512 | d837006591fc7526b12c612dfa4eb4b10853fa90c3446290dadaa507d17b6023cef149c83d441566855116141e15fc55049ddf622146ae70c3dd00e9e084f005 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fa09d55b41bde0a2661420706c1f0f83 |
| SHA1 | d60f54f56c5c1cf72428f7bbac382d9fa11579bd |
| SHA256 | 971bbb6b2b91483c0e723509baf4163ca5d0f747af50635328febe8f15e1db3e |
| SHA512 | 38972da3457a978f2adfa03838182255547926dde54015e8194328da2ab1cdc5c49fb72f141318205324ef44c57aa922f74ef4340ed58f8f526e6537aeceb5f3 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 93803456c54e1da5c0bd17b59f999928 |
| SHA1 | 800b89889a229ff82396cf92e0ad1bd5b3b2f949 |
| SHA256 | ea09f2be24eb678d6fcf66bdb26dc269eef1015d8d0d1d40b7d32245d8b8ae36 |
| SHA512 | f968e9be79747477e054272edf32515827e32f95e49da212a14b0416bf169b0ed0424c131849e389ebc5ff53cd6c44a60d7ae938cc600688d432b945aabceadb |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 8f4f70b06c422f6cd97922ce06a2b2b9 |
| SHA1 | 489f63af2f3b9c208b316dacfa0a2e9f8f82a7dd |
| SHA256 | 730fa91d4c3769bd19ff5997b2b58fb6df5b549f70b1a73b1589e75224cd25e6 |
| SHA512 | 45193a5bfa883ed037634addca0982164097cbd8810cfbcb41e37c85a8ce07039539ae542f9fadef2214135315725a0efc2b7f3241d159ec116f0573094bcee9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c55cf1aec52529c837ff94f94be1b9d2 |
| SHA1 | 4486d318d0abebadea286c7a769f9140b4342eac |
| SHA256 | 6d2361e1c45d6a8fbe14721a7e9b0089b07532e42b74d6888eddb75c93ff98fb |
| SHA512 | e1ec8dc70b8aa660ec6aea27dc1d48e0d28b1b933751d7d9c86418fa97f760caf2e89302958d0e660a5c4ede80c04ee7dc81281f2768eb264a8db8c9954f909d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 883c9d12b80e689ff3e01f4cc1687e5f |
| SHA1 | 2ffca5d1fa8e89610f02cfe11bbe214485abf5b9 |
| SHA256 | cfda9af4e8409f913c3d265d20ad1e4f67b1b65e6b0b451682db0ef5cfa3432a |
| SHA512 | 67de1cc8eda4079e43d0ab06e3e68e15aa6c511372f1e9127256886a306d24e51fba30e6e597c3bd3c5c2315b331f73583e829d3d498ebe0e3c50db2755d9a17 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2d82b86bdeb30177bece9cf0db3d258e |
| SHA1 | ca9da9148d626fec5724d6da353e73927c5dcdfe |
| SHA256 | c0703bce4a45b6cfeb6351c99671d8958094df50d7950ed39713dcb595a488fd |
| SHA512 | 9ff8d19f2106ce98b4b377e8f8330632aea3ce7a63c064f2c0a7f2a5fee5ef332523ab3f237967a0742d823b6643fe26111bd29538f3bd81a39e0adfdd8089f1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4cd91252cc12842a05ea09668a10b3ab |
| SHA1 | a929214d1e1a2a78bf34ab52087945aa70fb564f |
| SHA256 | f98a14a42b5840cf17c304b9baf5b0c980cfb1393698764303499a861c5748ce |
| SHA512 | cf54f0030974b462ccbfd3b724dc1f0bf2ab84b741c882a2cd9be140cf5dbaf7f1521742014717a3714756a910edb693141cfec29c7ed2e8a9ca179e62828931 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0113a1eba293841d61461773d9969fd4 |
| SHA1 | 7419b0ad990bb63c49d0f7624bd1afe0379da102 |
| SHA256 | 437b52e36fed243f9bdea95594abdad81a64d0e98bafe9cf35220e4d525f0e59 |
| SHA512 | 41d432987be623c19fce5e3520539d2c10b255135f17894c74ee6f8b54009b59c315c7319fbe0d1370e7a235c1f155327f2f98f071196a18c769121e5ed8b62e |
memory/2012-1108-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f1cdde69d3881168f15c145c4c13034b |
| SHA1 | 522edcb9c4065e636e6fc24bb55abab8cfd77f7d |
| SHA256 | b7f1817525eb2ef20a6c9840e9a910655385584cadff0705e5db26700f10627f |
| SHA512 | 31df521c964eb6f6c25279f85908a4a3bd0782853cac34f2b4687673d81f3479d1b5ed9f493d30bf4ecd34a780f4f8cbe28648b674a74d273ef02d76c2ff987f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0702678a3c6be57a890bce6bd1982560 |
| SHA1 | cb7742da8051dcba2456d35c3821aea598dc54ee |
| SHA256 | fa8b0dc96a4f26f7b20025f463b9b1559171df84b1d213d2bffbf5f7141de1c2 |
| SHA512 | c6846aeb7f52d348fd62e2c28d20440f992dec6239e5e1c0fd3659ecc14dba67c6aab0f79fa17c7853aa3bb481d43c511921d378ff89612f908ee7dc6d9a58c5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6dbe59359ff5c498654c64d1510cfa52 |
| SHA1 | f4ea5b6cedb75bc488d8953acc266fbb6a2884e2 |
| SHA256 | 503c37e7db2f8d4492489fc680c6774ecc2820b4c144cca015db15e8e69885c9 |
| SHA512 | f18e13006488699d6b886d677e6b370a496040da408fcd347875592fc2e338ebfd0fe22de51a4b2840b878fbd57325d3b8702629a6551382bb4f120c6a95cc40 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fde4a074e2e25e2cbd1456cb9471089a |
| SHA1 | 2272f69121f682d451793ab888e2802134d55884 |
| SHA256 | 3516eee6156f4d4d6f0f69ab26a2867ff5824a7c360df90bd7db80b059b7d675 |
| SHA512 | 88c041c1297addad85c1d1b4c1cd8df3ec70960dc068f17f87a8b7ddd52a14d52de9e5e80ef47478fc4ffd611cfe08cb2cd39e18a0b97869ada79ff800361748 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 80aa87b3386be6662cb92ed5536a17c9 |
| SHA1 | 8cd05f12f5b575e77bd48be5efc68bf7444c4553 |
| SHA256 | a212a369fefb8f2790bb20cf370ccaa24eb0f7cb18e559a8255b4bdcb611a45e |
| SHA512 | dd49638bba7c5ccb11d6e535038e40c93840b04391e9131a355e2f19c491103f1dd338fc42a54e62aa66ef3a75edb4c28e22bb39ddac6776dbb5fd5c75bb5095 |
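Three things in the Files listing above are worth pulling out mechanically rather than by eye: the dropped C:\Windows\SysWOW64\WinDir\rafaella.exe carries exactly the submitted sample's hashes (MD5 1562ea6ccbc11556a2fbc40aeaf1897d, SHA256 a0a68998…), so the sample copies itself verbatim; C:\Users\Admin\AppData\Local\Temp\Admin7 is listed many times with a different hash each time, so it is rewritten during the run; and the memory region 0x10480000-0x104E5000 (0x65000 bytes) is dumped from both PID 2236 and PID 2012, the same range in two processes, which is what the WriteProcessMemory signature would leave behind. The script below, added as an example and not part of the sandbox report, parses a listing in the report's own layout and reports those three facts; FILES_LISTING is a constructed excerpt of the section above and the function names are assumptions.

```python
"""Triage helpers for a sandbox "Files" listing in the layout used above.

Added example, not part of the report. FILES_LISTING is a constructed excerpt
(dump names memory/<pid>-<seq>-<start>-<end>-memory.dmp, file paths followed by
| MD5 | ... | rows); function names are assumptions.
"""
import re
from collections import defaultdict

SAMPLE_SHA256 = "a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb"

FILES_LISTING = r"""
memory/2012-7-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2236-6-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/2236-2-0x0000000010410000-0x0000000010475000-memory.dmp
memory/2012-291-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Windows\SysWOW64\WinDir\rafaella.exe
| MD5 | 1562ea6ccbc11556a2fbc40aeaf1897d |
| SHA256 | a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c6a57eb3bdbf10bab9ae050c5aa7a940 |
| SHA256 | 3bb2419816762ec7537a1298a181a292ce2bb6d239d989ef3b28a69d39aeffbf |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fa16c17bd57ddac978987e3b4fe3a82c |
| SHA256 | 8e3749f8e6100d6fe75bc92c36f2d3e1b994fd33a2102d1a6cfca9822a344584 |
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_listing(text: str):
    """Split a listing into file entries ({path, md5, sha256, ...}) and memory dumps."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            dumps.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                          "start": m.group(3), "end": m.group(4)})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:  # hash rows belong to the most recent path
            current[m.group(1).lower()] = m.group(2).lower()
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
    return files, dumps


def self_copies(files, sample_sha256: str) -> list:
    """Dropped files that are byte-identical to the submitted sample."""
    return [f["path"] for f in files if f.get("sha256") == sample_sha256.lower()]


def rewritten_paths(files) -> dict:
    """Paths listed more than once with differing content (rewritten during the run)."""
    seen = defaultdict(list)
    for f in files:
        seen[f["path"]].append(f.get("sha256"))
    return {p: hashes for p, hashes in seen.items() if len(set(hashes)) > 1}


def shared_regions(dumps) -> list:
    """Memory ranges dumped from more than one PID: the same range at the same
    address in two processes is the footprint cross-process writes leave."""
    by_region = defaultdict(set)
    for d in dumps:
        by_region[(d["start"], d["end"])].add(d["pid"])
    return sorted((region, sorted(pids)) for region, pids in by_region.items() if len(pids) > 1)


if __name__ == "__main__":
    files, dumps = parse_listing(FILES_LISTING)
    print("self-copies:", self_copies(files, SAMPLE_SHA256))
    print("rewritten:", {p: len(h) for p, h in rewritten_paths(files).items()})
    for (start, end), pids in shared_regions(dumps):
        print(f"region {start}-{end} ({int(end, 16) - int(start, 16):#x} bytes) in PIDs {pids}")
```

Run against the full listing, rewritten_paths reports one entry for Admin7 with a hash per rewrite, and shared_regions points at the 2236/2012 pair; the behavioral2 listing below shows the same shape with PIDs 4600 and 1176.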
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 08:52
Reported
2024-06-27 08:55
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\rafaella.exe" | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\rafaella.exe" | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W} | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W}\StubPath = "C:\\Windows\\system32\\WinDir\\rafaella.exe Restart" | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\rafaella.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\rafaella.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\rafaella.exe" | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\rafaella.exe" | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\rafaella.exe | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\rafaella.exe | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\rafaella.exe | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WinDir\rafaella.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WinDir\rafaella.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"
C:\Windows\SysWOW64\WinDir\rafaella.exe
"C:\Windows\system32\WinDir\rafaella.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1368 -ip 1368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 580
C:\Windows\SysWOW64\WinDir\rafaella.exe
"C:\Windows\system32\WinDir\rafaella.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 512 -ip 512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 548
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4428,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=2816 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 13.107.42.16:443 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/1176-8-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/1176-7-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/4600-6-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/4600-2-0x0000000010410000-0x0000000010475000-memory.dmp
memory/4600-63-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/1176-68-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Windows\SysWOW64\WinDir\rafaella.exe
| MD5 | 1562ea6ccbc11556a2fbc40aeaf1897d |
| SHA1 | d3e9413c1ede49d83be13b118c861cbe41b3e6c2 |
| SHA256 | a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb |
| SHA512 | 44572ee9589c46f1fe2d009f77b5b199343e506257613ccf8de524fc57e590ec04d102a760aade26bfb23fb4a16f81c242ae98e34ae28382aaa51568d10725aa |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | fcdc2ec75169e8f15aa481a855d2d1ce |
| SHA1 | e175eb08f9c24ef111cb7a0691ef75e81ffc9f49 |
| SHA256 | b9dcdb13419530c9b517e0ca3ee3f8c63ae59e970e8ad286a41a4b77addc3173 |
| SHA512 | 32310fa60f8d1d8c70517ab451034617407106aa5d1ecd80cbd47534952d3ad9fc73b391ff8f76f577b89d996ddf032e6cf46c13a4a45fa93d1e8ede183cdd51 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f7fd02d9f9118543b6038bc53cd04b47 |
| SHA1 | 890ac4ee76f99bcfb09abefdcdd46b55e4e6e3be |
| SHA256 | a9c58a5d5270614e9e215df23b7d095a4bb447901a599b3976d3a356082afdb7 |
| SHA512 | f2d44f9713d647d9f916dc41646cc111a996b5a3646cc568cd582665c21017b22ecc4cc0f301124b0e14ba19be05076c2d5d1a7030c87c7cf1969821fdc536d9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c6a57eb3bdbf10bab9ae050c5aa7a940 |
| SHA1 | 0e34774ec9b27c8d61983433bb06fd608be3420a |
| SHA256 | 3bb2419816762ec7537a1298a181a292ce2bb6d239d989ef3b28a69d39aeffbf |
| SHA512 | f98aede02d7dbb42ad87fef4377cbe26d26788846dae1c61364dbdaf77340378db208626120b82cdaab6191ee261d7c8d62b53a48b171258864f421a6f0777db |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fa16c17bd57ddac978987e3b4fe3a82c |
| SHA1 | b41cb944cef71aad508be364cd3dab9456cc7d4f |
| SHA256 | 8e3749f8e6100d6fe75bc92c36f2d3e1b994fd33a2102d1a6cfca9822a344584 |
| SHA512 | 66d24575f7cf727d1119e9a8d5420d41fc03457066653ece67aad2330e8220a6a891566d2181a35cc7105b389c2dda9039047c0771085fc48e8b0ccc61ca8713 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e3316ef318e9322c29e840719d6e51b2 |
| SHA1 | 009d0fca6c0e01dd5c17c4738d07730940ce088c |
| SHA256 | 356805e8dd89737f6ccbf88b2d84d33a8ec90c0f0f786b851ef8f68e603380cb |
| SHA512 | 91498a051a14fce59053cd188a2b9859f6b5fef0565dee5d0b87a3b7645b701777e56bf16f3fb5367c16948e6d48a0e3d2b8abd269cab9698106969c68f8ee5b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d07f6d2486723e1a114f03d322adcf60 |
| SHA1 | 69a64297b09c8d679e5dddf3c932a4ec1e44a587 |
| SHA256 | dff24518646134ba890bd53823d88e7df5bb6e13e214f3ec870b2a39cf6bbcf0 |
| SHA512 | 33cfaa555b3783b2026196ea7e9a54d762a069526b1182875e55e8e56cae3adf256898a9d01d9b28f2d4df56a673fcac07e780ba5ed6e1c97600b2bfe503ff6a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a0bff030c7ea47144eb4f2740e45484b |
| SHA1 | c6102a3274de269d612bd7fbee212bc48bbed425 |
| SHA256 | b1b3b1ec212ac5413326b8867d51ab28d851664225a85755301764165d05e990 |
| SHA512 | d837006591fc7526b12c612dfa4eb4b10853fa90c3446290dadaa507d17b6023cef149c83d441566855116141e15fc55049ddf622146ae70c3dd00e9e084f005 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fa09d55b41bde0a2661420706c1f0f83 |
| SHA1 | d60f54f56c5c1cf72428f7bbac382d9fa11579bd |
| SHA256 | 971bbb6b2b91483c0e723509baf4163ca5d0f747af50635328febe8f15e1db3e |
| SHA512 | 38972da3457a978f2adfa03838182255547926dde54015e8194328da2ab1cdc5c49fb72f141318205324ef44c57aa922f74ef4340ed58f8f526e6537aeceb5f3 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 93803456c54e1da5c0bd17b59f999928 |
| SHA1 | 800b89889a229ff82396cf92e0ad1bd5b3b2f949 |
| SHA256 | ea09f2be24eb678d6fcf66bdb26dc269eef1015d8d0d1d40b7d32245d8b8ae36 |
| SHA512 | f968e9be79747477e054272edf32515827e32f95e49da212a14b0416bf169b0ed0424c131849e389ebc5ff53cd6c44a60d7ae938cc600688d432b945aabceadb |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 8f4f70b06c422f6cd97922ce06a2b2b9 |
| SHA1 | 489f63af2f3b9c208b316dacfa0a2e9f8f82a7dd |
| SHA256 | 730fa91d4c3769bd19ff5997b2b58fb6df5b549f70b1a73b1589e75224cd25e6 |
| SHA512 | 45193a5bfa883ed037634addca0982164097cbd8810cfbcb41e37c85a8ce07039539ae542f9fadef2214135315725a0efc2b7f3241d159ec116f0573094bcee9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c55cf1aec52529c837ff94f94be1b9d2 |
| SHA1 | 4486d318d0abebadea286c7a769f9140b4342eac |
| SHA256 | 6d2361e1c45d6a8fbe14721a7e9b0089b07532e42b74d6888eddb75c93ff98fb |
| SHA512 | e1ec8dc70b8aa660ec6aea27dc1d48e0d28b1b933751d7d9c86418fa97f760caf2e89302958d0e660a5c4ede80c04ee7dc81281f2768eb264a8db8c9954f909d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 883c9d12b80e689ff3e01f4cc1687e5f |
| SHA1 | 2ffca5d1fa8e89610f02cfe11bbe214485abf5b9 |
| SHA256 | cfda9af4e8409f913c3d265d20ad1e4f67b1b65e6b0b451682db0ef5cfa3432a |
| SHA512 | 67de1cc8eda4079e43d0ab06e3e68e15aa6c511372f1e9127256886a306d24e51fba30e6e597c3bd3c5c2315b331f73583e829d3d498ebe0e3c50db2755d9a17 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2d82b86bdeb30177bece9cf0db3d258e |
| SHA1 | ca9da9148d626fec5724d6da353e73927c5dcdfe |
| SHA256 | c0703bce4a45b6cfeb6351c99671d8958094df50d7950ed39713dcb595a488fd |
| SHA512 | 9ff8d19f2106ce98b4b377e8f8330632aea3ce7a63c064f2c0a7f2a5fee5ef332523ab3f237967a0742d823b6643fe26111bd29538f3bd81a39e0adfdd8089f1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4cd91252cc12842a05ea09668a10b3ab |
| SHA1 | a929214d1e1a2a78bf34ab52087945aa70fb564f |
| SHA256 | f98a14a42b5840cf17c304b9baf5b0c980cfb1393698764303499a861c5748ce |
| SHA512 | cf54f0030974b462ccbfd3b724dc1f0bf2ab84b741c882a2cd9be140cf5dbaf7f1521742014717a3714756a910edb693141cfec29c7ed2e8a9ca179e62828931 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0113a1eba293841d61461773d9969fd4 |
| SHA1 | 7419b0ad990bb63c49d0f7624bd1afe0379da102 |
| SHA256 | 437b52e36fed243f9bdea95594abdad81a64d0e98bafe9cf35220e4d525f0e59 |
| SHA512 | 41d432987be623c19fce5e3520539d2c10b255135f17894c74ee6f8b54009b59c315c7319fbe0d1370e7a235c1f155327f2f98f071196a18c769121e5ed8b62e |
memory/1176-1377-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f1cdde69d3881168f15c145c4c13034b |
| SHA1 | 522edcb9c4065e636e6fc24bb55abab8cfd77f7d |
| SHA256 | b7f1817525eb2ef20a6c9840e9a910655385584cadff0705e5db26700f10627f |
| SHA512 | 31df521c964eb6f6c25279f85908a4a3bd0782853cac34f2b4687673d81f3479d1b5ed9f493d30bf4ecd34a780f4f8cbe28648b674a74d273ef02d76c2ff987f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0702678a3c6be57a890bce6bd1982560 |
| SHA1 | cb7742da8051dcba2456d35c3821aea598dc54ee |
| SHA256 | fa8b0dc96a4f26f7b20025f463b9b1559171df84b1d213d2bffbf5f7141de1c2 |
| SHA512 | c6846aeb7f52d348fd62e2c28d20440f992dec6239e5e1c0fd3659ecc14dba67c6aab0f79fa17c7853aa3bb481d43c511921d378ff89612f908ee7dc6d9a58c5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6dbe59359ff5c498654c64d1510cfa52 |
| SHA1 | f4ea5b6cedb75bc488d8953acc266fbb6a2884e2 |
| SHA256 | 503c37e7db2f8d4492489fc680c6774ecc2820b4c144cca015db15e8e69885c9 |
| SHA512 | f18e13006488699d6b886d677e6b370a496040da408fcd347875592fc2e338ebfd0fe22de51a4b2840b878fbd57325d3b8702629a6551382bb4f120c6a95cc40 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fde4a074e2e25e2cbd1456cb9471089a |
| SHA1 | 2272f69121f682d451793ab888e2802134d55884 |
| SHA256 | 3516eee6156f4d4d6f0f69ab26a2867ff5824a7c360df90bd7db80b059b7d675 |
| SHA512 | 88c041c1297addad85c1d1b4c1cd8df3ec70960dc068f17f87a8b7ddd52a14d52de9e5e80ef47478fc4ffd611cfe08cb2cd39e18a0b97869ada79ff800361748 |