Analysis Overview
SHA256
eec70276c9833cdd6c37eac5829317254a1faa5306ed229a77de7df75bfb9385
Threat Level: Known bad
The file 228ff578421a90d61ff535a25bd4b693_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cybergate family
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-03 13:46
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-03 13:46
Reported
2024-07-03 13:48
Platform
win7-20240419-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\server123.exe" | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\server123.exe" | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13K01P85-GMJ1-C83B-Y38W-4R2S5UA411Q7} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13K01P85-GMJ1-C83B-Y38W-4R2S5UA411Q7}\StubPath = "C:\\Windows\\system32\\Windir\\server123.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13K01P85-GMJ1-C83B-Y38W-4R2S5UA411Q7} | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13K01P85-GMJ1-C83B-Y38W-4R2S5UA411Q7}\StubPath = "C:\\Windows\\system32\\Windir\\server123.exe Restart" | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Windir\server123.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Windir\\server123.exe" | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Windir\\server123.exe" | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Windir\server123.exe | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windir\server123.exe | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windir\server123.exe | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windir\ | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe"
C:\Windows\SysWOW64\Windir\server123.exe
"C:\Windows\system32\Windir\server123.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/1212-3-0x0000000002DB0000-0x0000000002DB1000-memory.dmp
memory/2976-246-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2976-304-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2976-533-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | c46c2967f052dc7bd609e5a06bcf42ed |
| SHA1 | 4284fe16e6324914035831ff769f4403afeecece |
| SHA256 | e94dbfbeec90d809ef8ebcdabaf7b7ed22b86f6ece4a3ad8614226521530b716 |
| SHA512 | 58ddcb7b70271e890dd8abd590249ee6e90b7cec943255ec5a63cbc1add197b9de92bb85428df6ef6833aeb581658f9d44604289364bbea7ffa96f5cf0cd1498 |
C:\Windows\SysWOW64\Windir\server123.exe
| MD5 | 228ff578421a90d61ff535a25bd4b693 |
| SHA1 | a6abbbee693b7f99d5d2078933caaac3598cd737 |
| SHA256 | eec70276c9833cdd6c37eac5829317254a1faa5306ed229a77de7df75bfb9385 |
| SHA512 | f6b40ae991cc8f75e045481dc5ed9a9bb27fd69302e6eff56a76e4918155bb6e47fa26949eb741537c1f070ee9649c78e6bd6299da9e4bfbc114ecae6fb411dc |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5600cf57c7e5e7c608fe0299ab1cda87 |
| SHA1 | 3a55148f6f4a6755f05f9413fac68db6f61a6678 |
| SHA256 | dc9a85363d4280a7e045f1983d5af435107192dbe14884a5e796904eca5125c9 |
| SHA512 | 11f7e08f08ec9f24ade35cede146a1666ea6af29f6dbc3a3c294ae9c4fea395eabfe19e3549c76e4c82e69c212cec76ede846220ed9f5b9ede140a7b77d8892f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ac54ac00533cf81b3e962f57de59f356 |
| SHA1 | 74510a8a816574249786008f916c26c7fb4aca00 |
| SHA256 | 06c45cc0c407037b42152873042cbc660e9fa39428d0b256052ce5a3ac2d9b3e |
| SHA512 | 36b507e36526d76982f25a1ede42ad6b85c6dc969d4d47227a5d5d40d8a41aeee77bff33191b3f07f2cc4481eab0f4717fbdb3220f1c4f9f26c0db2d1b2295e4 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | dc8ea4b384ef7ed04039b893c968ce7f |
| SHA1 | 5078f6bc50a0d05b23bf5dfdc3f1a7a00d51ae14 |
| SHA256 | ec7f91ceee3c76b88934c45389cfaa359643cbf889b96a56a83c086f873d4e1c |
| SHA512 | ca3039544648410e67f2b918f7095fce19b2ec9fa236d39bf9d18ed4a48d3cb39561d4884096071b2782ce9b28e033ac13b2133471d8958d11522d6e5739c51b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ddce233d545d67f8d45331edf3880f6e |
| SHA1 | a6e624f65631b93f996ebb5a02272761955d0893 |
| SHA256 | dfdb550ddb117a49487c77749ccecd8bcea76985b08001bb2c26923eda71ffd5 |
| SHA512 | 19df630b8dbd0ca874f93e55de987e7a300d3f4530c11797588600a0a185f6729b84726d8ba1ab90d6fbf20658ba9c624c1e1318b8970c66f74b2e292f7eef92 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e3512358b16659b5e3ec555c1dee5561 |
| SHA1 | 7c36713b703028d6c08d24928d4b96b0cfc42c2e |
| SHA256 | 2a42e136861abbc880614f36a6488b076c1c9d793ca16e921b565650affddc98 |
| SHA512 | 7301ac5b9b1f9bcfb532707acbce32edaf992751823f91edd1f3417fc1dbacf058c079ccb6d849001e3f9d81bd61671f7787127875813c1a0474c8da9c92a4ea |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9f66a2093e1a5b74ad8c95db65f2a2f7 |
| SHA1 | 500976f2c83ebdfcd2e4cff46713a94d601ac824 |
| SHA256 | 3c58eba667a86d1da0a74a773bab6f3c9b797afd9c3286dfa72914a5ba4054ec |
| SHA512 | 070c69357f904259a719526993c63780b9edae8df76f091f6c514dfaf09aaeff5ad21471f43f8eb34a88193ff5780dba4035f50df7426a66e3f7b73a887b2fbb |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a433b651b13937cf6b9ea46ae9899049 |
| SHA1 | 4695ab2e3ffb1a9dc021148bffc51698da6e263e |
| SHA256 | b0eedb6816137320bd1c97d310c95709b7e5b63998106f0279e46ebc5acc6a13 |
| SHA512 | 096375f30fce7d9c06fef74ae7e2751a41f2f39caf2321294eb13b51737ef5877d901f2e2b5c407db853b3bc95bf9acfd5e96adab2b2db58939b74173fd8aace |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4c2d07557136953d06b6c8faa0262ed0 |
| SHA1 | b774644445a04e2e5cba8c0c87bc76300c9745c7 |
| SHA256 | 84950bc6d8704775a5e444d636f26e2f42a632556a953312b6901abc312c780a |
| SHA512 | 32c86803801ecac942a79c623f3668ad0e7bce26a4d0256cdc71beac551b92d713291b8fffbaa7962d779509106f2c44a5f37324870b37da3e4ae40e27cb8a76 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 583cb2bdeef69de4f30c35b1c5ca978c |
| SHA1 | 7b82fce2ecfa0ad80cfab2dcdc7c4c9b496cf2d5 |
| SHA256 | bc08e97af70cc32c99b8908cf9f637be9440f7ad67acf97ecbea185e903aa943 |
| SHA512 | aeb5c18d586a14e71ebb6675f912196496cec0c9e96deaaa09a0028e91196f9c00e165cc5624cfed8c39f61015c95341632f927dfc1b04c5ec3799f7bdee1197 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 08544f12b1897c4947e8eb075c4a38cc |
| SHA1 | 0ef9f884e03dca881d189b1f3e107f013a95db0c |
| SHA256 | 467fe4c097997bdb252eda048a52fea01f33d825f7f78fa54ef9a1537d86a87e |
| SHA512 | b751c0bb9efe1817c474583419a14078375862d4fe853ed4476c60a09ee3c42ce65dd0ff67f56e79b005015ea3b546dad3515fc3cb4ec2bf0da81bcf1b5f6bdd |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0a84d4a4b0ecc69b30f3d2443ff3d8f8 |
| SHA1 | 01f8eceadf7ccf2f965e4208ab57902fb78ecbd8 |
| SHA256 | 9eb1acd86d9d2eeb21fa8e59fcc044906af6102a92c3bb7a71a6c9b0200c196d |
| SHA512 | 6665eae4bfe188321fc1b9d7ce8bc12de54d25a76b0e44bf90151d55d8f4fb13eae9cda11b97b2eefcd6dce0f0e31d52e0de496770826f66b411493f9d0b4724 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | df3fa896bd77da5782795483f1ec7474 |
| SHA1 | d23e8cd865e243bf69e6516bb5eb60c8c20d40f7 |
| SHA256 | 29bfe4f8d52ca8e6021af424f86a3fe256ae8b2640af8ffabe51c433254c7c5c |
| SHA512 | 766e1e80c34aa0a1ca335348d1e870b92efc2fff5cb9d9ce8e5736d7b5c625d8bdcea3e5be937d4d1fa71bb2690d418aace5b1033f4a932fe008460ae7750f4a |
memory/2976-1501-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 049bcc17f5c70939246a556d389a132a |
| SHA1 | 2e4ab46f1640d2a19e9d98505c5e1a86de2b170c |
| SHA256 | f2d4fc8485874215939dd1eb4b4b84e398f5c925d867232c76be4086abeecdfb |
| SHA512 | 0c89e6e3e6ab0db1f7cff1988af80d7a0f16fea39e38a85aa13b1595a5904af21c865554feaad3fa7e761739d35c89e55798c6c4e276efaac6beb69991fab42f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 399a66fd12ff3f141a41050d363faa89 |
| SHA1 | 84c082f116949efa65f56d23af632e1c7415b2e3 |
| SHA256 | 26b1f555123edb8e43c2003f5f77b35a61e4927a88907abbbc25dd5601326a5f |
| SHA512 | 894f594cc50d1592104e76da3f46a8f6913a5d1d027f093163b8e256a811d4b98392bdde2655f996198229533b8592d6ee9af9dfbca4fbff7e6c03578e006fc2 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | bcde6f177654f2dea0bafab402ab5ad4 |
| SHA1 | d44c37e8c026b3fc4711a895f59d4a622329eb25 |
| SHA256 | 5d54cd29e97f5dfaf6b8083c8bac525789edeb2ddf359c22bd5324c592aef25e |
| SHA512 | f8511749ecd8cd24f1528f93093152a7afd73c23d33fe67a45527691399b5e60f21ded920acc930bdee1efbd0c502cf579d5ead6669fe266304028cccce256d5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6d186520573bd969cf0b657c95e40411 |
| SHA1 | 178287cec1a0e83d7680318f99d781c5a00032b9 |
| SHA256 | 78b65c5158cc3b39b8e23d440b31f7ca93f668ae6e30d4ca9b864ae3a226f165 |
| SHA512 | 9f3648d958da406da59814496bbb512c5bbfa424b7d9488aac62bdfad7e3a37e9a6de28d74f40590fc1e926c8b52dfbbc6450463dbb0622bd176fa97f74a81e1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a55c5e83822800a956672b2b5f831b38 |
| SHA1 | 91648091003f16cc5e1d4cf549842c43bd79f077 |
| SHA256 | 50ab7a11ab93e7fd02cd6c102684a0553b6ff9b06efcbe382afae6197929ced6 |
| SHA512 | 6b46f0d2c5a1f4df6f302cf3e62dab0cf0a4305a777917a97ad65110e38c5569681bc6ab28920a50fd1a388a23a5973c4f34400c993f45a27ad4a48d84bfc964 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 594aefbe23e53ec660c553d50a5c4dfd |
| SHA1 | dcde5482f0cbc86003638f3a51009bdeb86331dc |
| SHA256 | beefde9e68126afe1fa7808dc014a0b9f7a61eade510e48dec3619072dc62720 |
| SHA512 | 99d06ef5bd2f24ccc0c568ff18388ab6db514a88deb75916d1c62e18db725fffa70d25b2d6e6265ecbd814e60596462da865e379a8be62ba3bc0a28db0acda15 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-03 13:46
Reported
2024-07-03 13:48
Platform
win10v2004-20240611-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\server123.exe" | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\server123.exe" | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{13K01P85-GMJ1-C83B-Y38W-4R2S5UA411Q7} | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13K01P85-GMJ1-C83B-Y38W-4R2S5UA411Q7}\StubPath = "C:\\Windows\\system32\\Windir\\server123.exe Restart" | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{13K01P85-GMJ1-C83B-Y38W-4R2S5UA411Q7} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13K01P85-GMJ1-C83B-Y38W-4R2S5UA411Q7}\StubPath = "C:\\Windows\\system32\\Windir\\server123.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Windir\server123.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Windir\\server123.exe" | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Windir\\server123.exe" | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Windir\server123.exe | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windir\server123.exe | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windir\server123.exe | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windir\ | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Windir\server123.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\228ff578421a90d61ff535a25bd4b693_JaffaCakes118.exe"
C:\Windows\SysWOW64\Windir\server123.exe
"C:\Windows\system32\Windir\server123.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2752 -ip 2752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 592
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 20.189.173.13:443 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/4760-2-0x0000000010410000-0x0000000010475000-memory.dmp
memory/2572-8-0x0000000000E00000-0x0000000000E01000-memory.dmp
memory/2572-7-0x0000000000B40000-0x0000000000B41000-memory.dmp
memory/4760-6-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/4760-63-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/2572-68-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Windows\SysWOW64\Windir\server123.exe
| MD5 | 228ff578421a90d61ff535a25bd4b693 |
| SHA1 | a6abbbee693b7f99d5d2078933caaac3598cd737 |
| SHA256 | eec70276c9833cdd6c37eac5829317254a1faa5306ed229a77de7df75bfb9385 |
| SHA512 | f6b40ae991cc8f75e045481dc5ed9a9bb27fd69302e6eff56a76e4918155bb6e47fa26949eb741537c1f070ee9649c78e6bd6299da9e4bfbc114ecae6fb411dc |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | c46c2967f052dc7bd609e5a06bcf42ed |
| SHA1 | 4284fe16e6324914035831ff769f4403afeecece |
| SHA256 | e94dbfbeec90d809ef8ebcdabaf7b7ed22b86f6ece4a3ad8614226521530b716 |
| SHA512 | 58ddcb7b70271e890dd8abd590249ee6e90b7cec943255ec5a63cbc1add197b9de92bb85428df6ef6833aeb581658f9d44604289364bbea7ffa96f5cf0cd1498 |
memory/2468-138-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5600cf57c7e5e7c608fe0299ab1cda87 |
| SHA1 | 3a55148f6f4a6755f05f9413fac68db6f61a6678 |
| SHA256 | dc9a85363d4280a7e045f1983d5af435107192dbe14884a5e796904eca5125c9 |
| SHA512 | 11f7e08f08ec9f24ade35cede146a1666ea6af29f6dbc3a3c294ae9c4fea395eabfe19e3549c76e4c82e69c212cec76ede846220ed9f5b9ede140a7b77d8892f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ac54ac00533cf81b3e962f57de59f356 |
| SHA1 | 74510a8a816574249786008f916c26c7fb4aca00 |
| SHA256 | 06c45cc0c407037b42152873042cbc660e9fa39428d0b256052ce5a3ac2d9b3e |
| SHA512 | 36b507e36526d76982f25a1ede42ad6b85c6dc969d4d47227a5d5d40d8a41aeee77bff33191b3f07f2cc4481eab0f4717fbdb3220f1c4f9f26c0db2d1b2295e4 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | dc8ea4b384ef7ed04039b893c968ce7f |
| SHA1 | 5078f6bc50a0d05b23bf5dfdc3f1a7a00d51ae14 |
| SHA256 | ec7f91ceee3c76b88934c45389cfaa359643cbf889b96a56a83c086f873d4e1c |
| SHA512 | ca3039544648410e67f2b918f7095fce19b2ec9fa236d39bf9d18ed4a48d3cb39561d4884096071b2782ce9b28e033ac13b2133471d8958d11522d6e5739c51b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ddce233d545d67f8d45331edf3880f6e |
| SHA1 | a6e624f65631b93f996ebb5a02272761955d0893 |
| SHA256 | dfdb550ddb117a49487c77749ccecd8bcea76985b08001bb2c26923eda71ffd5 |
| SHA512 | 19df630b8dbd0ca874f93e55de987e7a300d3f4530c11797588600a0a185f6729b84726d8ba1ab90d6fbf20658ba9c624c1e1318b8970c66f74b2e292f7eef92 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e3512358b16659b5e3ec555c1dee5561 |
| SHA1 | 7c36713b703028d6c08d24928d4b96b0cfc42c2e |
| SHA256 | 2a42e136861abbc880614f36a6488b076c1c9d793ca16e921b565650affddc98 |
| SHA512 | 7301ac5b9b1f9bcfb532707acbce32edaf992751823f91edd1f3417fc1dbacf058c079ccb6d849001e3f9d81bd61671f7787127875813c1a0474c8da9c92a4ea |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9f66a2093e1a5b74ad8c95db65f2a2f7 |
| SHA1 | 500976f2c83ebdfcd2e4cff46713a94d601ac824 |
| SHA256 | 3c58eba667a86d1da0a74a773bab6f3c9b797afd9c3286dfa72914a5ba4054ec |
| SHA512 | 070c69357f904259a719526993c63780b9edae8df76f091f6c514dfaf09aaeff5ad21471f43f8eb34a88193ff5780dba4035f50df7426a66e3f7b73a887b2fbb |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a433b651b13937cf6b9ea46ae9899049 |
| SHA1 | 4695ab2e3ffb1a9dc021148bffc51698da6e263e |
| SHA256 | b0eedb6816137320bd1c97d310c95709b7e5b63998106f0279e46ebc5acc6a13 |
| SHA512 | 096375f30fce7d9c06fef74ae7e2751a41f2f39caf2321294eb13b51737ef5877d901f2e2b5c407db853b3bc95bf9acfd5e96adab2b2db58939b74173fd8aace |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4c2d07557136953d06b6c8faa0262ed0 |
| SHA1 | b774644445a04e2e5cba8c0c87bc76300c9745c7 |
| SHA256 | 84950bc6d8704775a5e444d636f26e2f42a632556a953312b6901abc312c780a |
| SHA512 | 32c86803801ecac942a79c623f3668ad0e7bce26a4d0256cdc71beac551b92d713291b8fffbaa7962d779509106f2c44a5f37324870b37da3e4ae40e27cb8a76 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 583cb2bdeef69de4f30c35b1c5ca978c |
| SHA1 | 7b82fce2ecfa0ad80cfab2dcdc7c4c9b496cf2d5 |
| SHA256 | bc08e97af70cc32c99b8908cf9f637be9440f7ad67acf97ecbea185e903aa943 |
| SHA512 | aeb5c18d586a14e71ebb6675f912196496cec0c9e96deaaa09a0028e91196f9c00e165cc5624cfed8c39f61015c95341632f927dfc1b04c5ec3799f7bdee1197 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 08544f12b1897c4947e8eb075c4a38cc |
| SHA1 | 0ef9f884e03dca881d189b1f3e107f013a95db0c |
| SHA256 | 467fe4c097997bdb252eda048a52fea01f33d825f7f78fa54ef9a1537d86a87e |
| SHA512 | b751c0bb9efe1817c474583419a14078375862d4fe853ed4476c60a09ee3c42ce65dd0ff67f56e79b005015ea3b546dad3515fc3cb4ec2bf0da81bcf1b5f6bdd |
memory/2572-977-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0a84d4a4b0ecc69b30f3d2443ff3d8f8 |
| SHA1 | 01f8eceadf7ccf2f965e4208ab57902fb78ecbd8 |
| SHA256 | 9eb1acd86d9d2eeb21fa8e59fcc044906af6102a92c3bb7a71a6c9b0200c196d |
| SHA512 | 6665eae4bfe188321fc1b9d7ce8bc12de54d25a76b0e44bf90151d55d8f4fb13eae9cda11b97b2eefcd6dce0f0e31d52e0de496770826f66b411493f9d0b4724 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | df3fa896bd77da5782795483f1ec7474 |
| SHA1 | d23e8cd865e243bf69e6516bb5eb60c8c20d40f7 |
| SHA256 | 29bfe4f8d52ca8e6021af424f86a3fe256ae8b2640af8ffabe51c433254c7c5c |
| SHA512 | 766e1e80c34aa0a1ca335348d1e870b92efc2fff5cb9d9ce8e5736d7b5c625d8bdcea3e5be937d4d1fa71bb2690d418aace5b1033f4a932fe008460ae7750f4a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 049bcc17f5c70939246a556d389a132a |
| SHA1 | 2e4ab46f1640d2a19e9d98505c5e1a86de2b170c |
| SHA256 | f2d4fc8485874215939dd1eb4b4b84e398f5c925d867232c76be4086abeecdfb |
| SHA512 | 0c89e6e3e6ab0db1f7cff1988af80d7a0f16fea39e38a85aa13b1595a5904af21c865554feaad3fa7e761739d35c89e55798c6c4e276efaac6beb69991fab42f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 399a66fd12ff3f141a41050d363faa89 |
| SHA1 | 84c082f116949efa65f56d23af632e1c7415b2e3 |
| SHA256 | 26b1f555123edb8e43c2003f5f77b35a61e4927a88907abbbc25dd5601326a5f |
| SHA512 | 894f594cc50d1592104e76da3f46a8f6913a5d1d027f093163b8e256a811d4b98392bdde2655f996198229533b8592d6ee9af9dfbca4fbff7e6c03578e006fc2 |
memory/2468-1432-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | bcde6f177654f2dea0bafab402ab5ad4 |
| SHA1 | d44c37e8c026b3fc4711a895f59d4a622329eb25 |
| SHA256 | 5d54cd29e97f5dfaf6b8083c8bac525789edeb2ddf359c22bd5324c592aef25e |
| SHA512 | f8511749ecd8cd24f1528f93093152a7afd73c23d33fe67a45527691399b5e60f21ded920acc930bdee1efbd0c502cf579d5ead6669fe266304028cccce256d5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6d186520573bd969cf0b657c95e40411 |
| SHA1 | 178287cec1a0e83d7680318f99d781c5a00032b9 |
| SHA256 | 78b65c5158cc3b39b8e23d440b31f7ca93f668ae6e30d4ca9b864ae3a226f165 |
| SHA512 | 9f3648d958da406da59814496bbb512c5bbfa424b7d9488aac62bdfad7e3a37e9a6de28d74f40590fc1e926c8b52dfbbc6450463dbb0622bd176fa97f74a81e1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a55c5e83822800a956672b2b5f831b38 |
| SHA1 | 91648091003f16cc5e1d4cf549842c43bd79f077 |
| SHA256 | 50ab7a11ab93e7fd02cd6c102684a0553b6ff9b06efcbe382afae6197929ced6 |
| SHA512 | 6b46f0d2c5a1f4df6f302cf3e62dab0cf0a4305a777917a97ad65110e38c5569681bc6ab28920a50fd1a388a23a5973c4f34400c993f45a27ad4a48d84bfc964 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 594aefbe23e53ec660c553d50a5c4dfd |
| SHA1 | dcde5482f0cbc86003638f3a51009bdeb86331dc |
| SHA256 | beefde9e68126afe1fa7808dc014a0b9f7a61eade510e48dec3619072dc62720 |
| SHA512 | 99d06ef5bd2f24ccc0c568ff18388ab6db514a88deb75916d1c62e18db725fffa70d25b2d6e6265ecbd814e60596462da865e379a8be62ba3bc0a28db0acda15 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | b4fd39df2fc9284ebbf5a1a540d054c0 |
| SHA1 | 8722561a01926e29c63a72e75411a6e59c9217a2 |
| SHA256 | 5b370ddf05f60313a66a75d0070a382f068a6a1180ec1ff055eff14af691836e |
| SHA512 | 868aa061a306c608fe0180d8630d238c162989c61c026e83696d914f1216605da86ca8a09adff57aaa01de7d9823ca12ffbbe141e6e5bfc2825f4f1819e45612 |