cybergate | da51aa0a4af4df249082e3d7dc5a00260b1c2011f378bf0369747a9c05820c91

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

697423f801c3b64542236883455e729a_JaffaCakes118.exe
Size

728KB
MD5

697423f801c3b64542236883455e729a
SHA1

23aadaaf4ac9ef19eddbf2f6d97ced030edf7b92
SHA256

da51aa0a4af4df249082e3d7dc5a00260b1c2011f378bf0369747a9c05820c91
SHA512

a8f643bc3d6187a4e90467f01306e363c2b378838f55a35582b050d9bfa7a149ed5585fc128b334a98ff23e415a2190fbb1360c84d1457e4fcc4cdc1a0600308
SSDEEP

6144:EEE3bRFcHJV+QWUL8jFZ5JI5vpF2wthUB3IPKEHs8YJbmn9AOxDAMCIXxEw3aJPs:Z2QQjL5JI3ttsBSnKccQBEwKJq

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

oceanseleven.no-ip.biz:81

riffawarzone8.no-ip.org:81

Mutex

***MUfgfTjjuEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
dlllhost
install_file
dlllhost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Please enter the serial
message_box_title
Not Registered
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	697423f801c3b64542236883455e729a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\dlllhost\\dlllhost.exe"	697423f801c3b64542236883455e729a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	697423f801c3b64542236883455e729a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\dlllhost\\dlllhost.exe"	697423f801c3b64542236883455e729a_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{U7DS3431-414X-7MY8-J07F-X23YOUUE5R28}	697423f801c3b64542236883455e729a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U7DS3431-414X-7MY8-J07F-X23YOUUE5R28}\StubPath = "C:\\Windows\\system32\\dlllhost\\dlllhost.exe Restart"	697423f801c3b64542236883455e729a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{U7DS3431-414X-7MY8-J07F-X23YOUUE5R28}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U7DS3431-414X-7MY8-J07F-X23YOUUE5R28}\StubPath = "C:\\Windows\\system32\\dlllhost\\dlllhost.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
412	dlllhost.exe
1820	dlllhost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4660-2-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4660-4-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4660-5-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4660-6-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4660-11-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4660-13-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3040-75-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4660-142-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4972-143-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/1820-641-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3040-894-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4972-898-0x00000000240F0000-0x0000000024152000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\dlllhost\\dlllhost.exe"	697423f801c3b64542236883455e729a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\dlllhost\\dlllhost.exe"	697423f801c3b64542236883455e729a_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	dlllhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	dlllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	697423f801c3b64542236883455e729a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	697423f801c3b64542236883455e729a_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dlllhost\	explorer.exe
File created	C:\Windows\SysWOW64\dlllhost\dlllhost.exe	697423f801c3b64542236883455e729a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dlllhost\dlllhost.exe	697423f801c3b64542236883455e729a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dlllhost\dlllhost.exe	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 4660	2400	697423f801c3b64542236883455e729a_JaffaCakes118.exe	84
PID 412 set thread context of 1820	412	dlllhost.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
464	1820	WerFault.exe	92
1920	464	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	697423f801c3b64542236883455e729a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	697423f801c3b64542236883455e729a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe
4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4972	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	explorer.exe
Token: SeDebugPrivilege	4972	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2400	697423f801c3b64542236883455e729a_JaffaCakes118.exe
412	dlllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 4660	2400	697423f801c3b64542236883455e729a_JaffaCakes118.exe	84
PID 2400 wrote to memory of 4660	2400	697423f801c3b64542236883455e729a_JaffaCakes118.exe	84
PID 2400 wrote to memory of 4660	2400	697423f801c3b64542236883455e729a_JaffaCakes118.exe	84
PID 2400 wrote to memory of 4660	2400	697423f801c3b64542236883455e729a_JaffaCakes118.exe	84
PID 2400 wrote to memory of 4660	2400	697423f801c3b64542236883455e729a_JaffaCakes118.exe	84
PID 2400 wrote to memory of 4660	2400	697423f801c3b64542236883455e729a_JaffaCakes118.exe	84
PID 2400 wrote to memory of 4660	2400	697423f801c3b64542236883455e729a_JaffaCakes118.exe	84
PID 2400 wrote to memory of 4660	2400	697423f801c3b64542236883455e729a_JaffaCakes118.exe	84
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55
PID 4660 wrote to memory of 3492	4660	697423f801c3b64542236883455e729a_JaffaCakes118.exe	55

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:584
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:812
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3060
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3864
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3960
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4024
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:1080
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4204
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2440
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:1684
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3084
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4116
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:1444
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4112
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2056
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2572
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:4908
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:4732
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:4076
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:1936
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2704
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2532
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3096
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:1556
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:4460
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:620
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:1160
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:4216
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1628
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3676

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1200
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1452
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2092

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2736

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2268

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\697423f801c3b64542236883455e729a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\697423f801c3b64542236883455e729a_JaffaCakes118.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\697423f801c3b64542236883455e729a_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\697423f801c3b64542236883455e729a_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:3040
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4972
    - - C:\Windows\SysWOW64\dlllhost\dlllhost.exe
        
        "C:\Windows\system32\dlllhost\dlllhost.exe"
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:412
      - C:\Windows\SysWOW64\dlllhost\dlllhost.exe
        
        C:\Windows\SysWOW64\dlllhost\dlllhost.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 572
        7⤵
        Program crash
        
        PID:464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 640
        8⤵
        Program crash
        System Location Discovery: System Language Discovery
        
        PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4728

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1820 -ip 1820
  2⤵
  PID:5032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 464 -ip 464
  2⤵
  PID:3584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1920 -ip 1920
  2⤵
  PID:1412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1920 -ip 1920
  2⤵
  PID:4752

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 0c7e6be5b94da8c3e4ee63e71cb1de9d sxLvOVO8t0a3iOH2Kss2+A.0.1.0.0.0
1⤵
PID:5096
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1368

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
cf4141827ce75706c4599929c2db4ef5

SHA1
bdf070b3411e3f7eb2e584da459a38a8f003c448

SHA256
729cee905adb358fd4a8f563c3d21e594fd557192cb2b688766b8bd42d41cdf4

SHA512
18c3bdf1f8f5d8dd74c1af9e6b591d34ebfac77940aeaa1171828bf28ea0ac4e9f712344136382c6aa4f848ded8aade9fafeca36db0b191ab4508ba34af5054b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e6c56b1fc9cc9eaf0294458c4ebfee9e

SHA1
ec33fe3754685785b58852df90b92fce3a21e6b1

SHA256
7ddede32b092009c4242a752e62599a5594d4b774a64d97890c143adffdf161c

SHA512
89a18d2476971f9c5cb7816624cee8835bd2ab681ef385622a6818d24996f51e9c1299ce9a665a398b825b95b686b189ef4e22ca1c11fda40095a7ae5174658d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1f99a9c01f4928f3bb91f98b8be1f22e

SHA1
73256527a530a07187a0208ffbf01a575fe9ec80

SHA256
9f766ea388f30c7e797da5c181682112f1111db472d70614eb95704476aa96e6

SHA512
ea15c1573e996c3a99ae4fc72d0e6d1cbcbe89b1d3bc3b2a8b583cbd8dc9f75f3a9738008dc4f19349e04194c7c0a3010f67ca22aecdec9cb0532b13440ce8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0cd071bfa6864e8e7920eb3dd4c02828

SHA1
d7564b7feebfe234e2e32cdebae891406ce299cd

SHA256
5c711a713b965e6c47f9f2e928c43057a715c9175fb9f6d461be703536a51413

SHA512
2111cd3cd4687da52cbed8adcd976204c0bc4d9ae429aad60366c3df317bd89721765c45d728d30caf76e639930d09d93fa7a8c9c0bb35a509eb55c047a0262c

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\dlllhost\dlllhost.exe

Filesize
728KB

MD5
697423f801c3b64542236883455e729a

SHA1
23aadaaf4ac9ef19eddbf2f6d97ced030edf7b92

SHA256
da51aa0a4af4df249082e3d7dc5a00260b1c2011f378bf0369747a9c05820c91

SHA512
a8f643bc3d6187a4e90467f01306e363c2b378838f55a35582b050d9bfa7a149ed5585fc128b334a98ff23e415a2190fbb1360c84d1457e4fcc4cdc1a0600308

Download Submit
memory/1820-641-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3040-894-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3040-75-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3040-14-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/3040-15-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4660-6-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4660-11-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4660-142-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4660-2-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4660-5-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4660-4-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4660-13-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4972-143-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/4972-898-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download