cybergate | 4904ab4b745b17310800c36e1af806f95882ef77dbdaff16a047d103fa4b6cd9

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 04:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe
Size

485KB
MD5

2111b6b063cb7cd8b63ca663d0b750dd
SHA1

66367957e97a98d40db5eaa9a6022aec787971fd
SHA256

4904ab4b745b17310800c36e1af806f95882ef77dbdaff16a047d103fa4b6cd9
SHA512

e027836c1f67cefe0fe2c41e9e8ee02d306fa741c333c55ab559b04df856fef3f52fd3e1f035cb0b53dfaa20c5ac231963f5b410b7ba01823cf75efbf5562bc9
SSDEEP

12288:JoJRbY5Gu6yaXV8yLS4JTp8vQUlKLP44WpPbr5E6Fn87Gs:JoJ+wryUbp4ln5V87r

Score

10^/10

cybergate mikael11 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

mikael11

mike2375.no-ip.org:9999

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
237566
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1684-5-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1684-7-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1684-9-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1684-10-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1684-13-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1684-14-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1684-17-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1684-81-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Update = "C:\\Users\\Admin\\AppData\\Roaming\\L3G!T-Labs\\jdvs\\0.0.0.0\\Java Update.exe"	2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\rundll32.exe"	2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1820 set thread context of 1684	1820	2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe	84

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe
4988	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4988	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	vbc.exe
Token: SeDebugPrivilege	4988	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1684	1820	2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe	84
PID 1820 wrote to memory of 1684	1820	2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe	84
PID 1820 wrote to memory of 1684	1820	2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe	84
PID 1820 wrote to memory of 1684	1820	2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe	84
PID 1820 wrote to memory of 1684	1820	2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe	84
PID 1820 wrote to memory of 1684	1820	2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe	84
PID 1820 wrote to memory of 1684	1820	2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe	84
PID 1820 wrote to memory of 1684	1820	2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe	84
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87
PID 1684 wrote to memory of 2316	1684	vbc.exe	87

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:804
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2932
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3808
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3932
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4004
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3148
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3912
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4568
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1844
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:1852
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2860
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4900
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:2596
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4492
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4856
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:4264
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:2720
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:3644
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:436
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:872
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4108
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2992
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:4716
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:1132
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2408
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:1960
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2392
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3000
- C:\Windows\system32\BackgroundTaskHost.exe
  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  2⤵
  PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1176
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1476
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2008

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2616

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3404

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2316
  - - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4988
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2956
    - - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        
        PID:3360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1096

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1532

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 24e333555c7b101943b5fccdc32205a9 8AWSBPcZH0icEJtIpp9MBA.0.1.0.0.0
1⤵
PID:4288
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2772

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
cd4b58653ca921636b52a4d8da7f9878

SHA1
417d7ebe4d753f3c10402490ef89e52fe73e79db

SHA256
6a584a572d4c287e4b82018809729a4e04496e427c0566ca0a4e221b69cb70ba

SHA512
e3c9ffbb611548669dba883a5dab610e72897cdbc6711ad2760a26d930e0522a1e58a880707055a0e084e56ee2ceb6d0aa18eeeaf7aa0eef07c8ba26e5b7845d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f50493395828ee9eb30f2d04811321e3

SHA1
f0ca756a017c7640d1ea1d3aecc319e689031df1

SHA256
9a3c64d3024917c67b83e23d73e20f0c7f4cd6457ffcca4d1314b7674ac8edc0

SHA512
f28716751379962c97573479d3ad067fd50e5a1bad144fbb01ff31e8f4b2442973d11ba3b0aef65a1847c64d94e871d6a75c916131a6754f095f2c76d0425385

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cf53d88f35994829705f26a0cf396b66

SHA1
a244b6e918676e06105e097a39eadfd31a99462a

SHA256
daf6051024c6b5019a3e5b760b81dd66105881ad239d9f508bc07c438bb526eb

SHA512
f37e8e057c7908e273ee80071ca299eed9a6737bdd3a27ecb7fce7661fc601601a5fd6d742b19f9daf76f6fab06a2ca4a3d00ac64bf08b79a1753d887cf51b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5750edb34b8077ca99c7e91226e0bb52

SHA1
53ea62a664cc691df17c65f2ccdeeb520a1afbe1

SHA256
95e0092a50aec570fdbdb8c609b9741b6a556544fd66ff4bcd54e848ce3114ae

SHA512
d51209a25f669c4017e4f92e671627e518da800c180ce62c7106468b572a2a771a981bab966f151d822d1a29835c29a73201b19fdab1224f094dbe52d3a32a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
66742a6d829c0d670cda5342afcbe382

SHA1
dc347afe13b51d09a0e131dff73d7fb91fdc4abc

SHA256
7095e1eb729aabca4cb1aa99ab78b9fff8d730a5350572128073003717dfab7e

SHA512
96d5dcb2b9b3ad078812884d14a3c24f4923bf8aba0071180d92115120e532cce2cc0f3282c39ef4aa82a07f55b3451e1cc313b56fd76921cba73194d719e805

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
82fe60625713d0d8414e629ea9e4cff2

SHA1
8710a32a38265daf84aad80f2c773e78a1ddc4ba

SHA256
738df9fd9383c4362953bd83b978d4df23cf4fab5abde1e033ed49b13005a379

SHA512
451353e0424fd022f73519163372bf08c19c2a6ce284b75aead111498798258688f40d2e159bb55a9c74e2002d95b2945a4c9eca168cbb84743ce1937914b5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3a4a757dd62dbe87c28fdacfd11a92f7

SHA1
dba3882d60a936360407c692188fca687f355486

SHA256
a6bab715e95738d232256ad01d765bb149698f214d28cdc4a28c7a21dc36705c

SHA512
ceba8d5cdd06de846eee630331fd6138cc3dd06a927e8f5a980d9b6199c52da4909723d29c4d9af0d1ce7a79236c8945a5e793c86436621b25f53fe237b4954f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
986d3bd450a7e60517b235166f32ba02

SHA1
c17baad281a9a0380539f98fde5984c05e97fbac

SHA256
a024382983ddfa1a5db554ad95ef4572af86e8194572c6f1ee0584f169479bda

SHA512
0fb4c25706c7fd0f548761bc48ace740db89ead4ca84c1482ea20ac9809b50fb6e11be466e3c7f4f169094249b63cc0df6ab31caa50830244a7c3ee79d5d0e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1fc18a69f489a686ab4fa6bba71f56d0

SHA1
3c8625b867bc53db05b7cc804edeff2acb4b235c

SHA256
a7363acc813270cc609494daef58889ed30c03ce04ee316684b00b8147fc8cdd

SHA512
c46abdb445fe2b36b8c61ef0a4cd5c6f453cb9e541eb4cf62237b43ebc3c5554d9f3f68cf25d4405c2c4cc270c3ee130224e7df89200ef028582ae47e97f687f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9dea6404b277d11d6153829ab3694f70

SHA1
89a1c6be190151e915e1c25f958c9694468205e9

SHA256
d64f0a5f578d23a1859881e459688f14d7cd011253ce3e09b84befee286f1434

SHA512
f07734bd6e2341f7c4090489ba523986919cb8529b13d0249c51f655b2c5a5023df1003a4d990ea95eeda95674e444b9f4dfcba2ff7c8a149087a84f1dac6207

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
db8018de920395cdaab960c0d90dd0ce

SHA1
91f69526088b3aaae6da0159b192ce23da2176b5

SHA256
93c37d992da10ba9cadefeb081f7de38242804277ac6d1028c2ef44b2f5581ad

SHA512
6799cdb73950f844e13f37aa42f9c64d3a425cd84f3ef8b1de594f16656844e6af2ccec19c93e016d73c16a2f43a25c88be7d57639a9219921004adf5ddff7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
376ac6e1bdd07892be18111c885bb1ed

SHA1
6075e4d44404f2e1bd9dad92934c133cd7bf9f91

SHA256
ded5203eabe8a896150a95987c30bdf5d57ee1aec90c4958f94ec18c003dcc2f

SHA512
e4a2046f40f8cf5b78007bc1d3f91b616ce1df4de0a15b6e90ca463f5ef4d6d559c066fa94a5a2ac1df0912f83c23fdd5419aae80c066b7a5c1603d48cbd02a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e3f36043940a11f291e66070d79e195f

SHA1
d6074e364fb7045b65d72e3e2c73fbbfe45352c5

SHA256
1dd25b544a894b1bf3eb5043e91fe714d7058aeb2af1bda462ca0213acf9394e

SHA512
250fe0c54f71bf7a01b5911779bf84ce227ec2a04da4892fa3abe017c1c056bde3a452240d1e576d1ab7835f773d13c0ed392180c2145fd53d71680da40e5302

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
04a4535fa0a06890bbbc87fd9605ce10

SHA1
c8b864a02148e694e3c03496408a364957a545a9

SHA256
0d75cc80fdc5861be143bc9a9eba6ad20bdfc571b6feb286e00c3bd05ac9ad19

SHA512
d691054434a1cec7e08728935637ee353efaa32a1d0b44156cd7f3d407b25534fb98c6872577106b0816863085c82721b7e3cb8205e84646b212d02af674075b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6a504fcf13331ed271d486da084c21dc

SHA1
72c7aed622a8a860b42ddde59fb08a058aef9d4a

SHA256
b5dd2785b2c2f4437ed6e84c7999677113100a1dc5581bdc1bae50448aabfe79

SHA512
0b3885cf71a46e57d7b4f5902a8e738ace0aa82345405af1b10d20f15ee96f1149bb84e15e64a35a55ec1c19a51a35c5837b7d512cfb2275e1f179f69e90ba60

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
31ef32dc1ee507ba086d07e71681c850

SHA1
bbb846bee9306fa0ba83abd63f42b096d30bee7d

SHA256
ba0f2d645de6a005bfb76ea8b9cf11eba64a7a1ff933d3a98636dc4ff6b6e48c

SHA512
a94fea04854292c3b727aa145b628d935e3bf6e87b70a79b79ff6cfd566afb06f97fb390bc32f6c85a2a4bb026c098ff365b0a6e1dd390e06051ff1e3cf044d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef376208500ef444cc20a07e8847e9f1

SHA1
95852f2acb7fd2a677d858b694c58b95bc5363d7

SHA256
4a6c8014f32e7741d47fbc90974479cb9559399ed0b5a91706b8d3556827d279

SHA512
426e2de757e420aa643538c0bd8cd37b6579570b225716f2f5c561b64e4bbed5723027acbe9d54622881a14c01a48554946738e6e40571f4ddec60ace49f765d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
880fa727f5a0db594afe083b7199414f

SHA1
dce2ba50544aca43b62d98fff18292e04f3e7b07

SHA256
76c62bee12631921c8315374e9b7cd7669bda96db2e93d0596cf76e35a31640f

SHA512
d4eb159c590667dc6d8a28a13db1d5553aff0aca9ecdcf738f9799a7350c0265684a5e06b263933d57a356af00447662b49fbfcf210d3f126fee9313c1e3050a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dc1f74d979886d7ac2ac6cfb4e449feb

SHA1
aa13858079cbd3a1b9c64be6c1e832a5b12f6a84

SHA256
16d627a4c38dee0c1c993106d654a6281bbe88e4988f1081ce1d83f071cbd3b5

SHA512
153a63163489dbc1152bf8e7ee8d0e3f09834131008d4c98f18808372d5f1a232252e4116c6e32cfa9f49d9193b1583d2c997727d3c6b8b1a355a1df1fa93fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fafd6fc32a5388c01e0491924b061d72

SHA1
b012306b49b7919915e4c9e549be425b40a7857e

SHA256
8880f689a763bd2f02d84a54b5e54ad688eb0ff6280d2d64e38187b97f160a45

SHA512
fa3447e1574c50dfb22f0c38f1961e0a17b2384b3d4e66e6bfc3387b2d8be4d39db7431dfe16538b7d0a6d6aac55a1fc974d6a02f4b5eecc6c7f2970944fc0b7

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
memory/1684-17-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1684-9-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1684-14-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1684-13-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1684-81-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1684-10-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1684-5-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1684-7-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1820-11-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/1820-0-0x0000000074DF2000-0x0000000074DF3000-memory.dmp

Filesize
4KB

Download
memory/1820-2-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/1820-1-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/4988-21-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/4988-18-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4988-19-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download