Malware Analysis Report

2025-01-02 13:06

Sample ID 240703-bz5yxs1alc
Target 20a253e7ccc6109324a48e2248bded37_JaffaCakes118
SHA256 289fc994865bc852bc5328300c4b45d133b05381e58a73ca8355d30a3566bc03
Tags
cybergate victim persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

289fc994865bc852bc5328300c4b45d133b05381e58a73ca8355d30a3566bc03

Threat Level: Known bad

The file 20a253e7ccc6109324a48e2248bded37_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate victim persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

UPX packed file

Uses the VBS compiler for execution

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-03 01:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-03 01:35

Reported

2024-07-03 01:38

Platform

win7-20231129-en

Max time kernel

147s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\KeyGen.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\KeyGen.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{361FXX5T-8053-EL5B-8J12-4Q8UT74U64TU} C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{361FXX5T-8053-EL5B-8J12-4Q8UT74U64TU}\StubPath = "C:\\Windows\\system32\\WinDir\\KeyGen.exe Restart" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{361FXX5T-8053-EL5B-8J12-4Q8UT74U64TU} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{361FXX5T-8053-EL5B-8J12-4Q8UT74U64TU}\StubPath = "C:\\Windows\\system32\\WinDir\\KeyGen.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\KeyGen.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 3

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\KeyGen.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\KeyGen.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\KeyGen.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\KeyGen.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\KeyGen.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2232 set thread context of 2368 N/A C:\Users\Admin\AppData\Local\Temp\20a253e7ccc6109324a48e2248bded37_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2232 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\20a253e7ccc6109324a48e2248bded37_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 12
PID 2368 wrote to memory of 1360 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE 52

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\20a253e7ccc6109324a48e2248bded37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\20a253e7ccc6109324a48e2248bded37_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Windows\SysWOW64\WinDir\KeyGen.exe

"C:\Windows\system32\WinDir\KeyGen.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 www.server.com udp 1
US 52.8.126.80:80 www.server.com tcp 13

Files

memory/2232-0-0x00000000745B1000-0x00000000745B2000-memory.dmp

memory/2232-2-0x00000000745B0000-0x0000000074B5B000-memory.dmp

memory/2232-1-0x00000000745B0000-0x0000000074B5B000-memory.dmp

memory/2368-3-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2368-16-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2368-15-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2368-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2368-12-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2368-10-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2368-8-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2368-6-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2368-5-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2368-4-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2368-17-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2232-18-0x00000000745B0000-0x0000000074B5B000-memory.dmp

memory/2368-21-0x0000000010410000-0x0000000010475000-memory.dmp

memory/1360-22-0x0000000002590000-0x0000000002591000-memory.dmp

memory/380-265-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/380-319-0x0000000000120000-0x0000000000121000-memory.dmp

memory/380-551-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 edd2639d5daf5503c38e706ef5b8ac03
SHA1 f383c716afd7134770b7de4ba764a121218e0795
SHA256 98ba2d2b65ae4b2c8fe8b6b524178193512a8a432ba48524f4ef70f5d3ad219d
SHA512 0140bb944355a013b1782628fded972ddff37515ad2c4f0b0f84853f0754e942020d84f30d8086845dc359722dd015c64d07541898eb3a6e7f43d28ad4a46266

C:\Windows\SysWOW64\WinDir\KeyGen.exe

MD5 34aa912defa18c2c129f1e09d75c1d7e
SHA1 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512 d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 784aace04383b0217da78564b37f0fff
SHA1 1b0651e5c998ba849781f53cd1e5391b2d0de5db
SHA256 fa3df980a6faf332950de88374db8500e76eb18db79a87e799ff1787389a74ad
SHA512 509a24b8893f4fe74a3eb53315e711518ff7deb1b9a0c463cac9dd21fa41a8bc4564895ca56dcc63b456182e03908286b0b5315e39863733840964b9eff6cde6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a9603af2902b457e37ed6d95893e67f4
SHA1 428a4764d60b13a41f8edf758b3b5c010b0c25b6
SHA256 73ce9df4a8861577cafbe3c29b8e467b2cddeaee2029eff5655896349a2899a3
SHA512 ec9582dab424a95f776e6e13ce166f44a37f752b9ffc9ff7865634616cf678b78d102618294e3a475a1a0f8da1a6b47f0c852f9eb20ddead21642ca703feb991

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0769244718890448563e33eed15fe776
SHA1 45fc8741d1febb609c1050f10041a44928459a40
SHA256 6d951140bcaf7e31d093ead9360f82f110b9dc2c422c3eb7db4496f27f9044c9
SHA512 7b11c6bb036c01ba281b9998b2ff668d66b1a911644dee643452421b9ab004570839bdaa5406ff8093c514e45aac550e3ceb402c68261a4189a8a3cc9fa982a7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 47e5c08bf70a43133e4c0a1006ed3f7d
SHA1 f52ee8afdd970b982660033663b4e25a65d7fad5
SHA256 57c8562e635e88e7af64abc76987dc7828ea05d33094b0d27ef6e2c2ce0b6098
SHA512 7a9b91dcf3e0dd3916c4a5b33416b675b62a057df73927d77033ffef5f76a48ffbdd23a931b616b7228641294e2559d2898ad99a771cc37817af9c5c50fbfdba

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 76ed80c5873aa2e2bc9e594a9bd8794e
SHA1 bc3c5ccb1e04a0b828e1beb7a8c2b73b903b9489
SHA256 6b0fe84be809672c837b57bfe7fed699d79faf4bcd7e6288c4be72bd4e95d4f4
SHA512 c69a19a5162a32c16db0b44cafb27c2802c6606a606b0d9a12ef97a3a500ead97baad123c5c7cad24f12d8562e23fe53769a822361a40897837c1ec3ed4dfb91

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0fe9f5da22bc21e8b99a25889a6688a3
SHA1 093f2d9717e4c0b8d2f1a0fa06337e5ca14be9f4
SHA256 a428b4c7c29cfc323080653c07d6ee546439b7a2406119874948f0c70fb94c0c
SHA512 56e80e127f010aaf8e9ff91f30d62060d49e00d1cb9100f881c64d5238bc7cb7ddf05a373861f4b8b63a0d989abcaa16345ae2bac3dffe8d4f3495916d22f768

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 bbea0226854710e89b4e9d21732d5f4f
SHA1 314c2b5d38e7b9833e27889ceb486281d3d55bef
SHA256 07a4815b978231aedac3c05de39cbafbeba2fcb367a55835df76e7a8e4d01a41
SHA512 bd250502552868129cf7aa42d9e4bd9c5bd51ab1a53c0e54bd2676890f14c98d4f8a888bc082f36b0e98ac1e535ef4d58183350b0f1234bb9840e1e219c9dc0d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a2f8908b0f75e45816fd0463eb4df49b
SHA1 86c125a8a2e2256b700730f72bce796fe40b9cba
SHA256 c21f0f2c6ffaad99900733f71abe5a0d043eaee7fec24f778817f554e61a0c95
SHA512 456519a295573aab82447f26d729250a097f7d68c67ec71a178c7d428dccf4c79766777b40c580dbce827dea4d0a420265a19fd5d238b72eab8678d5a1f02f20

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d6b1f86f7ceaa6410e81f511feafffee
SHA1 8f4cc7952fa785f2030a747dbd19c96eb4ada823
SHA256 6a8d168e9dd06ec5ba5ae24b21306928469fb6f6ff261917f7dd221e564b3592
SHA512 bfba60e0fd62bc11f5c978302c94857c69ccb1fc64a78f2647b852f3c82a98f2f7c3efa1d2bee7cc722b68ac37b626b3d94188130d03621483dfda918318697c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3c30d660fdc7e397b1274fa0147e0440
SHA1 ada6e1564180b20ad4b9f1baaa8acb2b273c0932
SHA256 f2edb2c2021c56a98e645dcb5b422a652fcf2aab1ec35e81f70cf8072d868942
SHA512 e967a65d1759209f36bb528c18aa0b4753a4a8c7afd4983ffcce62c7a96b8e152977e7dfce9efc81820ff9970fbf3b2e079efc34a604140cad6dad557af7de02

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 65ea6f0fd66ca6fe6ea1477d3b3e88dc
SHA1 7744258b561a2ad344f75ada279d3a295facd9fb
SHA256 a9acb055f3bd317b1c9c9d38d099d1f28d0e45b926583613beb11b9b34c3eb62
SHA512 f0c37b05182eb53479360851c9d9ceab7195be27c9e4ab18acbaf0f7d3ba9fefd21b5fe12004f19b7b29d1222cb76bc6b0c68a325b40de02e436465ebd46d4fd

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 64b6a0170d0a57b13db34c491b5087f1
SHA1 7e83163c96e87b2286c3ff21c53d0d040df3b9e2
SHA256 68c4515ac054f27958c3f002427297bf73b0e0e3c54c5d1c1a69c99301070430
SHA512 d090653d2fd064a7b7cbc030a59f777e2da92f35d6b47c94ad29a1b328f5f65a2030092ba88ce4c051900b4117f0add1d753fd0d7dbcf3ecb9aceb115b7ffae2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ed8920551071a21d79d59612a4a42fd6
SHA1 9611bd34eb52e220eb630f9676a9eef30725d349
SHA256 a70a7e8569d897855b149b8d958ce6cd88c52040d6dc53c8ed5a27dde3febb96
SHA512 9bb71bf44518641b68e805c3acfd83fd4105899e84c51ca69dffe75c43f6557ba0c9e329615d767d86e30c98178c5d71a067ceccf6e9a8ab687e085d019dcbd0

memory/380-1898-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e56a590d4493496d2b3de1aa23b404fe
SHA1 f3458b887e6b35c05392be52aef1f9ea04f410b6
SHA256 424ed7ac9fda1a62fa70cf55c5ff5907c448848c0a6a3691730ad1bed1bce5f7
SHA512 aa1567ebb455d2b125021cba54cfb431725817e93e1857341f5f0f91aeba0671f683015e4a9413b4048afc00a1ccfb4ebaba13e0496266cceb6c4d705e2ea09f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 baeb96becf37db26af8f8e8b67fa0e58
SHA1 39471afdf89e32818f2b9001b8e3192cf956e729
SHA256 78a100eb11b1b5bbace7d6fdee0632112bc4371730c709f0c6e52e7c9d005dbc
SHA512 bd6294a2cf6c8cd6e52a6f06e23f6d1bcb6fd90037e28ae0b027843cb7565bc4c9b5453d1bba633307ac48f08bad5df4f5e45edd2a826cec3908d69d5a986609

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6537e19f5a17df4b5257bfc0a3a549fd
SHA1 f6c4a3fcaf5306d7e199613402cf66c0f870693f
SHA256 1989a3c6e4224c4d2eda48f580322f696324f08e2fbfd6d11fb16386627ed284
SHA512 ad491910fe0922379be5151ca425372d56064f4309e719bbce500ef430d5ce438d603786f0abe4c7a676664cd2cb5e7078707ccd1a54e2f840fe6f8e0ad56a59

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 97aa134fcf6f0b1ba2ea38a5612f3a8e
SHA1 03942bbee44c86c074113e9422efc0d74a1cd47b
SHA256 4a853a12fc0c61ffe9f93ac095c6f0d10afa286f05d70a1c4177413806776e64
SHA512 cdba8e1aecd2c95a94f6881167327629a37b167e5c8172a8e246a3b6e5a308b9f8b8eb14667e9de807c83a41a8e20a14a3dffb36452878dfe673447eb01193ac

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4631d9757e0b180ca99c807207d6b53a
SHA1 cfdad87984fd1451a20e20332d9c48138b014f77
SHA256 805ccff47bd837f690ecf7cea8bcb40b2ced45668baf0479a7639055807fcffb
SHA512 8d0e835d947850dab4799261ccad1aed7d30575d64026c5af9e14ef09cf5dff05f310fcaf03fb75f6cc9ebd3f47414918236b4566e00d44dba1afd8778255e8f

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-03 01:35

Reported

2024-07-03 01:38

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\KeyGen.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\KeyGen.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{361FXX5T-8053-EL5B-8J12-4Q8UT74U64TU}\StubPath = "C:\\Windows\\system32\\WinDir\\KeyGen.exe Restart" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{361FXX5T-8053-EL5B-8J12-4Q8UT74U64TU} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{361FXX5T-8053-EL5B-8J12-4Q8UT74U64TU}\StubPath = "C:\\Windows\\system32\\WinDir\\KeyGen.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{361FXX5T-8053-EL5B-8J12-4Q8UT74U64TU} C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\KeyGen.exe N/A

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 6

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\KeyGen.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\KeyGen.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WinDir\KeyGen.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\KeyGen.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File created C:\Windows\SysWOW64\WinDir\KeyGen.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4624 set thread context of 1320 N/A C:\Users\Admin\AppData\Local\Temp\20a253e7ccc6109324a48e2248bded37_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4624 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\20a253e7ccc6109324a48e2248bded37_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 13
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE 22
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 1320 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\20a253e7ccc6109324a48e2248bded37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\20a253e7ccc6109324a48e2248bded37_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Windows\SysWOW64\WinDir\KeyGen.exe

"C:\Windows\system32\WinDir\KeyGen.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 108.116.69.13.in-addr.arpa udp

Files

memory/4624-0-0x0000000074602000-0x0000000074603000-memory.dmp

memory/4624-1-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/4624-2-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/1320-4-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1320-5-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1320-6-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1320-3-0x0000000000400000-0x0000000000451000-memory.dmp

memory/4624-8-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/1320-11-0x0000000010410000-0x0000000010475000-memory.dmp

memory/4588-16-0x0000000000390000-0x0000000000391000-memory.dmp

memory/4588-17-0x0000000000650000-0x0000000000651000-memory.dmp

memory/1320-15-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/4588-77-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 edd2639d5daf5503c38e706ef5b8ac03
SHA1 f383c716afd7134770b7de4ba764a121218e0795
SHA256 98ba2d2b65ae4b2c8fe8b6b524178193512a8a432ba48524f4ef70f5d3ad219d
SHA512 0140bb944355a013b1782628fded972ddff37515ad2c4f0b0f84853f0754e942020d84f30d8086845dc359722dd015c64d07541898eb3a6e7f43d28ad4a46266

C:\Windows\SysWOW64\WinDir\KeyGen.exe

MD5 d881de17aa8f2e2c08cbb7b265f928f9
SHA1 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256 b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

memory/1320-147-0x0000000000400000-0x0000000000451000-memory.dmp

memory/744-149-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a9603af2902b457e37ed6d95893e67f4
SHA1 428a4764d60b13a41f8edf758b3b5c010b0c25b6
SHA256 73ce9df4a8861577cafbe3c29b8e467b2cddeaee2029eff5655896349a2899a3
SHA512 ec9582dab424a95f776e6e13ce166f44a37f752b9ffc9ff7865634616cf678b78d102618294e3a475a1a0f8da1a6b47f0c852f9eb20ddead21642ca703feb991

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0769244718890448563e33eed15fe776
SHA1 45fc8741d1febb609c1050f10041a44928459a40
SHA256 6d951140bcaf7e31d093ead9360f82f110b9dc2c422c3eb7db4496f27f9044c9
SHA512 7b11c6bb036c01ba281b9998b2ff668d66b1a911644dee643452421b9ab004570839bdaa5406ff8093c514e45aac550e3ceb402c68261a4189a8a3cc9fa982a7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 47e5c08bf70a43133e4c0a1006ed3f7d
SHA1 f52ee8afdd970b982660033663b4e25a65d7fad5
SHA256 57c8562e635e88e7af64abc76987dc7828ea05d33094b0d27ef6e2c2ce0b6098
SHA512 7a9b91dcf3e0dd3916c4a5b33416b675b62a057df73927d77033ffef5f76a48ffbdd23a931b616b7228641294e2559d2898ad99a771cc37817af9c5c50fbfdba

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 76ed80c5873aa2e2bc9e594a9bd8794e
SHA1 bc3c5ccb1e04a0b828e1beb7a8c2b73b903b9489
SHA256 6b0fe84be809672c837b57bfe7fed699d79faf4bcd7e6288c4be72bd4e95d4f4
SHA512 c69a19a5162a32c16db0b44cafb27c2802c6606a606b0d9a12ef97a3a500ead97baad123c5c7cad24f12d8562e23fe53769a822361a40897837c1ec3ed4dfb91

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0fe9f5da22bc21e8b99a25889a6688a3
SHA1 093f2d9717e4c0b8d2f1a0fa06337e5ca14be9f4
SHA256 a428b4c7c29cfc323080653c07d6ee546439b7a2406119874948f0c70fb94c0c
SHA512 56e80e127f010aaf8e9ff91f30d62060d49e00d1cb9100f881c64d5238bc7cb7ddf05a373861f4b8b63a0d989abcaa16345ae2bac3dffe8d4f3495916d22f768

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 bbea0226854710e89b4e9d21732d5f4f
SHA1 314c2b5d38e7b9833e27889ceb486281d3d55bef
SHA256 07a4815b978231aedac3c05de39cbafbeba2fcb367a55835df76e7a8e4d01a41
SHA512 bd250502552868129cf7aa42d9e4bd9c5bd51ab1a53c0e54bd2676890f14c98d4f8a888bc082f36b0e98ac1e535ef4d58183350b0f1234bb9840e1e219c9dc0d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a2f8908b0f75e45816fd0463eb4df49b
SHA1 86c125a8a2e2256b700730f72bce796fe40b9cba
SHA256 c21f0f2c6ffaad99900733f71abe5a0d043eaee7fec24f778817f554e61a0c95
SHA512 456519a295573aab82447f26d729250a097f7d68c67ec71a178c7d428dccf4c79766777b40c580dbce827dea4d0a420265a19fd5d238b72eab8678d5a1f02f20

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d6b1f86f7ceaa6410e81f511feafffee
SHA1 8f4cc7952fa785f2030a747dbd19c96eb4ada823
SHA256 6a8d168e9dd06ec5ba5ae24b21306928469fb6f6ff261917f7dd221e564b3592
SHA512 bfba60e0fd62bc11f5c978302c94857c69ccb1fc64a78f2647b852f3c82a98f2f7c3efa1d2bee7cc722b68ac37b626b3d94188130d03621483dfda918318697c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3c30d660fdc7e397b1274fa0147e0440
SHA1 ada6e1564180b20ad4b9f1baaa8acb2b273c0932
SHA256 f2edb2c2021c56a98e645dcb5b422a652fcf2aab1ec35e81f70cf8072d868942
SHA512 e967a65d1759209f36bb528c18aa0b4753a4a8c7afd4983ffcce62c7a96b8e152977e7dfce9efc81820ff9970fbf3b2e079efc34a604140cad6dad557af7de02

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 65ea6f0fd66ca6fe6ea1477d3b3e88dc
SHA1 7744258b561a2ad344f75ada279d3a295facd9fb
SHA256 a9acb055f3bd317b1c9c9d38d099d1f28d0e45b926583613beb11b9b34c3eb62
SHA512 f0c37b05182eb53479360851c9d9ceab7195be27c9e4ab18acbaf0f7d3ba9fefd21b5fe12004f19b7b29d1222cb76bc6b0c68a325b40de02e436465ebd46d4fd

memory/4588-987-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 64b6a0170d0a57b13db34c491b5087f1
SHA1 7e83163c96e87b2286c3ff21c53d0d040df3b9e2
SHA256 68c4515ac054f27958c3f002427297bf73b0e0e3c54c5d1c1a69c99301070430
SHA512 d090653d2fd064a7b7cbc030a59f777e2da92f35d6b47c94ad29a1b328f5f65a2030092ba88ce4c051900b4117f0add1d753fd0d7dbcf3ecb9aceb115b7ffae2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ed8920551071a21d79d59612a4a42fd6
SHA1 9611bd34eb52e220eb630f9676a9eef30725d349
SHA256 a70a7e8569d897855b149b8d958ce6cd88c52040d6dc53c8ed5a27dde3febb96
SHA512 9bb71bf44518641b68e805c3acfd83fd4105899e84c51ca69dffe75c43f6557ba0c9e329615d767d86e30c98178c5d71a067ceccf6e9a8ab687e085d019dcbd0

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e56a590d4493496d2b3de1aa23b404fe
SHA1 f3458b887e6b35c05392be52aef1f9ea04f410b6
SHA256 424ed7ac9fda1a62fa70cf55c5ff5907c448848c0a6a3691730ad1bed1bce5f7
SHA512 aa1567ebb455d2b125021cba54cfb431725817e93e1857341f5f0f91aeba0671f683015e4a9413b4048afc00a1ccfb4ebaba13e0496266cceb6c4d705e2ea09f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 baeb96becf37db26af8f8e8b67fa0e58
SHA1 39471afdf89e32818f2b9001b8e3192cf956e729
SHA256 78a100eb11b1b5bbace7d6fdee0632112bc4371730c709f0c6e52e7c9d005dbc
SHA512 bd6294a2cf6c8cd6e52a6f06e23f6d1bcb6fd90037e28ae0b027843cb7565bc4c9b5453d1bba633307ac48f08bad5df4f5e45edd2a826cec3908d69d5a986609

memory/744-1441-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6537e19f5a17df4b5257bfc0a3a549fd
SHA1 f6c4a3fcaf5306d7e199613402cf66c0f870693f
SHA256 1989a3c6e4224c4d2eda48f580322f696324f08e2fbfd6d11fb16386627ed284
SHA512 ad491910fe0922379be5151ca425372d56064f4309e719bbce500ef430d5ce438d603786f0abe4c7a676664cd2cb5e7078707ccd1a54e2f840fe6f8e0ad56a59

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 97aa134fcf6f0b1ba2ea38a5612f3a8e
SHA1 03942bbee44c86c074113e9422efc0d74a1cd47b
SHA256 4a853a12fc0c61ffe9f93ac095c6f0d10afa286f05d70a1c4177413806776e64
SHA512 cdba8e1aecd2c95a94f6881167327629a37b167e5c8172a8e246a3b6e5a308b9f8b8eb14667e9de807c83a41a8e20a14a3dffb36452878dfe673447eb01193ac

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4631d9757e0b180ca99c807207d6b53a
SHA1 cfdad87984fd1451a20e20332d9c48138b014f77
SHA256 805ccff47bd837f690ecf7cea8bcb40b2ced45668baf0479a7639055807fcffb
SHA512 8d0e835d947850dab4799261ccad1aed7d30575d64026c5af9e14ef09cf5dff05f310fcaf03fb75f6cc9ebd3f47414918236b4566e00d44dba1afd8778255e8f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2350f2f64e976509fdc08aeef68dfcdb
SHA1 77d675d5cc848a209a7342988139fc839eade92f
SHA256 2c7e419a746ac9697310bc5970185dbf04d427565b42c0aad5692771aa46eeeb
SHA512 7ac8c8be27043891c7af81bcd15b2ad53317d1014a0538c2e29a45f080ae67c165c252fae458b7865e2cf7bcdc29a00c9ef6a39f273ebb0adb26abff833b0597

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 49ab83bfc2bd7b75fc3b3fb538602a5a
SHA1 e406f7a474fe2045507bf08ecafb65884467380c
SHA256 529a63f16be512daa59eba2fef67ab8b6bf5a5dff94d3dec305c092e67727067
SHA512 5965bfea9a638f0fb0dbd525d4f13f5f3198bfc98bb102723e75872a350b1ce3d7e1d28da40ee8f595a3c8ca7f55c084835ca1dd2f97f214edc3ade0a9ec205f