Malware Analysis Report

2025-01-02 13:04

Sample ID 240703-dh9xnaycnp
Target 20dd44c47c9f86697c04752f9e588e31_JaffaCakes118
SHA256 1ee9069339b9ba48212352b16e9ba37bfe9b00a8463e49a94e96d46a62d9c311
Tags
cybergate cyberflash persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ee9069339b9ba48212352b16e9ba37bfe9b00a8463e49a94e96d46a62d9c311

Threat Level: Known bad

The file 20dd44c47c9f86697c04752f9e588e31_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate cyberflash persistence stealer trojan upx

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

UPX packed file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-03 03:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-03 03:01

Reported

2024-07-03 03:04

Platform

win7-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{57QF733V-1EB0-8BA1-J828-03OG2L8T5424} C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57QF733V-1EB0-8BA1-J828-03OG2L8T5424}\StubPath = "C:\\Windows\\install\\svhost.exe Restart" C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{57QF733V-1EB0-8BA1-J828-03OG2L8T5424} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57QF733V-1EB0-8BA1-J828-03OG2L8T5424}\StubPath = "C:\\Windows\\install\\svhost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install\svhost.exe N/A
N/A N/A C:\Windows\install\svhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\install\svhost.exe C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\svhost.exe C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\svhost.exe C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\ C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe
PID 2068 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe"

C:\Windows\install\svhost.exe

"C:\Windows\install\svhost.exe"

C:\Windows\install\svhost.exe

C:\Windows\install\svhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-03 03:01

Reported

2024-07-03 03:04

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57QF733V-1EB0-8BA1-J828-03OG2L8T5424}\StubPath = "C:\\Windows\\install\\svhost.exe Restart" C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{57QF733V-1EB0-8BA1-J828-03OG2L8T5424} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57QF733V-1EB0-8BA1-J828-03OG2L8T5424}\StubPath = "C:\\Windows\\install\\svhost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{57QF733V-1EB0-8BA1-J828-03OG2L8T5424} C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install\svhost.exe N/A
N/A N/A C:\Windows\install\svhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\install\svhost.exe C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\svhost.exe C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\svhost.exe C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\ C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\install\svhost.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3220 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe
explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20dd44c47c9f86697c04752f9e588e31_JaffaCakes118.exe"

C:\Windows\install\svhost.exe
"C:\Windows\install\svhost.exe"

C:\Windows\install\svhost.exe
C:\Windows\install\svhost.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 32 -ip 32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 548

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/4848-0-0x0000000075512000-0x0000000075513000-memory.dmp

memory/4848-1-0x0000000075510000-0x0000000075AC1000-memory.dmp

memory/4848-2-0x0000000075510000-0x0000000075AC1000-memory.dmp

memory/3220-3-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3220-7-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3220-8-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3220-9-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4848-10-0x0000000075510000-0x0000000075AC1000-memory.dmp

memory/3220-14-0x0000000010410000-0x0000000010475000-memory.dmp

memory/3032-19-0x0000000001190000-0x0000000001191000-memory.dmp

memory/3032-18-0x00000000010D0000-0x00000000010D1000-memory.dmp

memory/3220-17-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/3032-79-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 6b452a82c2d0f1211fb7a453162182cc
SHA1 8b2fd140d45d059dc89c67bbae77cbfb90bf3c7c
SHA256 e76c55abc396d09ac0ff5085bd57996189648a9ecae69cc595375e97db2ec9c5
SHA512 d9712897bc75b33ae84abc2bc19559e6f675d453de6ac7b9c709434ea08f2ab3c682534a8fdbf2cdcdfe854e73d85552f64de6a29b6bb51a5f4ad2784b13c86f

C:\Windows\install\svhost.exe

MD5 20dd44c47c9f86697c04752f9e588e31
SHA1 5e6058dc2fc5e5c59d121f975ea981886bc1a1bd
SHA256 1ee9069339b9ba48212352b16e9ba37bfe9b00a8463e49a94e96d46a62d9c311
SHA512 1779df89c161e0885de6cafd6de2adab6f34d248882202753983ada0c1e899833b0af5360c58f86cc42c664022c46dbff5e5c1aa6d6f7e4644e85f573e9cf450

memory/3220-150-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1900-151-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/32-175-0x0000000000400000-0x0000000000458000-memory.dmp

memory/32-178-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c493a97c6b0493b4a6eb006003c7a711
SHA1 15ac245f5b92c46f9bd69ed2e70f017d71f5e56d
SHA256 5604b4a8aaeceb8acc7d9e806ec94513e037b4c5ec419518893e359efe66e443
SHA512 43d9d2d3d058d7058a8fcf0b5a99753cd8b5252082600fc014925bcf5dc846e749708796cdbb01406e0cd98fe09edf3cd1a0987855bd7a12981086bcf98618ec

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 13b2eab0eff7f52b5d34426909d70b75
SHA1 307b80dc656442f6d34b9c89a4856a5872142c9e
SHA256 117a4d3aa6900c81f586835eb8b8f0f32d75d80569c3428c5fc7e440f17e27da
SHA512 172f05d910d73020427a75c44a942ce1d278f7351e70dda0b0d0ad923e0eb7d819c3e4c60cc87c003bc3283bef20d275eeb2714fe8bb1a855237a7f1e1c307c4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 435ea8ea1c32acd744a89b3021a1b062
SHA1 892f8504c8db69cb092bc82f3cdcdc9b7d2c5e42
SHA256 941204f819fddab4ea34a30a96acb2a114344c4bb166c73556d46e947db02209
SHA512 671aa1fdb76c6906c5dd86f2fc14e31ec5dcb36703a0ff5ccc9dbc23eb49bb225c8d3038c22fa40c2fd81940b8e971cb9d83d2173a8b18fe1e418d421ed4661d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9b2c9ee884cb8ee67edc0b1570d6d1fe
SHA1 9e28cb50cee26cdfab8d2f09ca033125f4751cb5
SHA256 c69733b089990ce8c523cb050a3dd32c3b63358e9da394d74e52d12ae9673465
SHA512 7dccd659a90fa8d6bd10ef5c9469caa9905364ff4e256344bd45d61c44c671dd494ee782617449abc29412a25adffcea1ac5074f7eb1a84a5a6171b9c6aa07f9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1a7ebc40a5ac2ea6448e535166e527ae
SHA1 94b7b0c3475477f65f830d14ff6d96bc7cd99337
SHA256 d02cd209b5cc2f6dcab2f7d50db5b1564d358c6f8eb2dd987bcd816913e0ca78
SHA512 12341d564f9963389dc97905f81a476c1f607914c81a1b31e447b3b6b6d02eeae86b827b681564a5de9eac9d0c278439911fb4132e393dc0f3e4b55c32c4c4c7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0ea4d3cf71bbe853fa1d9eb9829d2ddc
SHA1 086982d53521a71b55f0d13581aaf1d57b6a3f4b
SHA256 2d595b3c5de7c2ef97deac68a4cad178f3935d285fb089ccffbbfd6f7728ccef
SHA512 b41a69b42e95829058240c8fc85c5b6fc94607bd9f80bea709dc61bd68446d17589e66cbf956b78532bd0be4fd10f42122c59666c1783846beb8f83b13136beb

memory/3032-626-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f9291b23291030a3bd6cdf99f27b3a16
SHA1 e88ccd7efb4499fddd9cde9c2a0854e1eedbd2b3
SHA256 f08145c0b2ab817622e4c744fe28e761a6bd485d0f644fe64d862a326e45d6ca
SHA512 b14d250b1b4914407bb97fe89563a5444c82b1cd7c06cd19b6896f23666ebe2fdabb92e69bb4de1000fda1574ba20b522a509c726ce67b525923dd33e15d85f0

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f67d7d6076313bef9c7ee9a34f81d3be
SHA1 2188f75225114842caa005e6df71a93600474a76
SHA256 5ec47cd4efe481fb545b2ab71c1ddacaad4dc531c3290f2fa25413eb737b3e3c
SHA512 535700735a95dca32836e4cfc744d3161919077dc45a1384df7937df8d2fddfaaf9d48a529e1aad78af09c46926162a5684ba25ba79ecf1e9f06d917a38dde66

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 008f07f98049f13b1e96d0c5843fde9a
SHA1 e3161aee1fdf0b48b2700d423ac46e9a2d8783c2
SHA256 78fcda228f88967151ab13ed5c3d1402c77777a36f342b8edb896fc9ab8e2278
SHA512 687e1971955a73fa3064d7fe1b5bd94b27ce77dd39d8d8df2c135dc04d55b2670964377a17e0caa98e5168d09bbc7dfcf17a5fbe772c09142b13f38c370b8686

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 97e3faca9bee5e240dd27229fcdbdae2
SHA1 325da6415662a0a625d062c2d70d6334f1243758
SHA256 f43986b41c148f4d7b92d1fa95b91dea12b250db735ae094cb63a7d459d34541
SHA512 64432171fe9114662e0abb1f1d7506233afbb370a8cfebc092af6a55e4d9c0e2069504f17db4aadbe1a81154f2e1eb21b300926f6c07669bb96ac9f91af13bec

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5f51066002c599bb7acb7bad493e60e7
SHA1 a7a6a07fc670b2fd2ef8c9eb041a69b6036e8292
SHA256 5ab987dbccb3b3972329b05655df3d138c964d4fd37b70fbb1aa2fb36885475e
SHA512 bae5a3b331e990d0040d5a13e599aca135406094f605e4ade1b18f839363a6cfeaef2a8ddc81b8aa2afae1a89e14c4b064e4c03124c023afd03312617a4cf25c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0c26fa35d9a809762fd122161b722ee5
SHA1 150a4c297f679712913b8c64dcea4e69ad86481d
SHA256 00b1392083117c3c7aedbd4db587199d230f807f6d512de834fbfaf3fe9b1973
SHA512 e6a422791c1ae5e28973624f3458779a9bed0d86ad3435904f18a883f4a3741e2ce15aff331cf091088a23f11320fe98b995899275513fec99a93c0d4883cc86

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 18b7337547059eaa0d909641fe87d89f
SHA1 07bc18ed7719a08a7f9482e1475dbd90d68bed65
SHA256 d5220345edd0adbf81e47d7311c864e9b3b59516b7226455f81b5113573f077c
SHA512 8d91750b76d6b3e19b688e5ab03b3a1c24c1cfbf03b3cde651baf9e37d7d5b301ba2bb5ba8e091758d168d9c6f0c4123e2bde8a500d267b1fa83fe4a51d36cf7

memory/1900-1305-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 29457d9e6f9dda32e695ecfc3c9ccbfa
SHA1 d066203e2cfc3203c3b8652e62b58e09704fe1b5
SHA256 3a398ed80f40e601f2daa5515d8362c91be8ad74006440d3254e8a76a7aa246f
SHA512 4c6a4753b1b02940ecc1ace19356435465a40ee6e605a4cac5ba5cb4bb603832110ba517ffa7cfb76c612e063a967cbf62fb6751bc553ce8cec75316582708e5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 280bb111d0b533cb93dbe40fa29c558d
SHA1 f71244d867f71c78d65baed859d9284cd56b16ea
SHA256 810747a9c2a8e8f085c418dd495cf6b42537ae97eed7eb9355527cf82a026e95
SHA512 da716d700135a9bcb547a80595f3814ab153ccf5b096c3037f03881eda4988bba376fafe186fc96b8c254ecec34883cf3b80734376e56f963d7cd87efa1989ef

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9ca9ef390592bf2ec9c9895fd1e0fc77
SHA1 c26ca81985c27fbd079dd471702d57020fee7d52
SHA256 9e38b9ec7541ba2f45875ceb3b95de401e4a8d487260a3c4256b0eb48bd3c1c9
SHA512 8e91e4743d4e14b9b3b95aaaf4053ce7a9926ef54ed4980ed5387bd249bf25962b61108e2336569f6de08b01002d4713b0307ccaa742aecfb5640b9b7ae8a5b3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6288eefe05461c6738192f00be00b33f
SHA1 074d4826b96a9e06741a7d5508b3fb8445b361f1
SHA256 aae49ccf6880db12f91347d7cdba53874500f1a0773ea587b49cd50fc6c5f328
SHA512 fd796c7ef170ca77ffdb28c770e224a301c578739907e14c8528c111c111c4a0b7ea97e06fe976e2223c270703a65f71a3a95e55803e4165a33e1a8ecd86d4ee

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2bc22260f88ad26ef411273f03f224e8
SHA1 2ced2846111013fce850638129759c48a8732691
SHA256 64cf5298f19f918056c97d24384ac01f82269975bb7bc81afb4409b36523930c
SHA512 c01c2439918eb2c11407b92db14c28f261275aff590c21c82541fb61fc75cb04015d31c7d7f0b8c5f93db4e452f758b81a68e7486a1fbfc72c616e22663be88a