Analysis Overview
SHA256
b685bdd04753aa7ae2596497896c6d3bfd0314e81f6d03ab1fa189af0acd2397
Threat Level: Known bad
The file 66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-23 09:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-23 09:17
Reported
2024-07-23 09:56
Platform
win7-20240708-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YI5QIC5E-57CN-6MK0-MW02-YCTX4G8YO675} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YI5QIC5E-57CN-6MK0-MW02-YCTX4G8YO675}\StubPath = "C:\\Windows\\system32\\winlogin\\winlogin.exe Restart" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\winlogin\winlogin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\DefaultSystem = "C:\\ProgramData\\Sys32c.exe" | C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\winlogin\\winlogin.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\winlogin\\winlogin.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\winlogin\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File created | C:\Windows\SysWOW64\winlogin\winlogin.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winlogin\winlogin.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winlogin\winlogin.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2884 set thread context of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" |
| C:\Windows\SysWOW64\winlogin\winlogin.exe | "C:\Windows\system32\winlogin\winlogin.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/2884-0-0x0000000074D61000-0x0000000074D62000-memory.dmp
memory/2884-1-0x0000000074D60000-0x000000007530B000-memory.dmp
memory/2884-2-0x0000000074D60000-0x000000007530B000-memory.dmp
memory/2752-3-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-14-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-18-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-20-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-22-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-21-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-17-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2752-12-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-11-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-10-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-7-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-5-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-24-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2752-23-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2884-25-0x0000000074D60000-0x000000007530B000-memory.dmp
memory/2752-28-0x0000000010410000-0x0000000010475000-memory.dmp
memory/2668-44-0x0000000000360000-0x0000000000361000-memory.dmp
memory/2668-39-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/2668-33-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2752-32-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/2668-89-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2752-328-0x0000000000400000-0x0000000000455000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| Hash | Value |
|---|---|
| MD5 | efc16116272c74d95b1fa54f2e7b4516 |
| SHA1 | 9f783f505bca4adfbe9d4fde95535a0b3e1cf107 |
| SHA256 | 212c1c6962bfe12d6c3271cfdb213d92663a3dd009675b29cf752799481b6aa1 |
| SHA512 | 7a063bc5d2185621bfb75ca5bc7be2bcc2b48d8ba44047c05994ae79c95804184ea4f9fb017027a0c455085a22901db57c8c33f0114de8f8ffca797ba5828928 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| Hash | Value |
|---|---|
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Windows\SysWOW64\winlogin\winlogin.exe
| Hash | Value |
|---|---|
| MD5 | 34aa912defa18c2c129f1e09d75c1d7e |
| SHA1 | 9c3046324657505a30ecd9b1fdb46c05bde7d470 |
| SHA256 | 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386 |
| SHA512 | d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 9a633f61751a5aa3ec893e1aa0720640 |
| SHA1 | a3e495076e93150afbc6e01e653b9c1fcd97255c |
| SHA256 | eb0d435d268969b5528fddeba3a4b0d265e19b2902877d842c89732f81729539 |
| SHA512 | 0b7736d900f42dd030ba002d78023b4bde0fb6bc209ec2ca05d543d67411fd1b5e6dda26ac241c98f74333a2187ee7bd710450e1cc528deefaddea3cc943e904 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 40b1bcc66ba99b46da7419b5429604d6 |
| SHA1 | 2303acbe25d12a7c9fd7d3aee290bce1827f782b |
| SHA256 | 05dd6f41ae3ea0a2fd7d2a7d14de0b0205d447ae6475b10f7d55b5ac977f301c |
| SHA512 | 247e235b4aa0490ee1fc7f6db17a140494a3cd298342be72a9b1806c76ad783205d8807d1da86f01e5e246afe379567c35db6f871d50b16f96ed2f8d12dea79f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 6ff4144e3e9d5278d4e8e237334060e4 |
| SHA1 | 24ce55526245bc4037a2a1c9d8bb4ae8ea23e4fc |
| SHA256 | 4403a89e95341070d5c3a6f30fe9729fb89df48e745dba5ed7e67d1dd8e413c8 |
| SHA512 | 7844d7c0720b51dd34c184f409c199581f9d2f6cd1910ec0a9e6e146779d81308687d20930355add5bb394c46a0d335338b75d46908e36b245f785aa9d030008 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | b838a813ed6db0b843cd8dc219620131 |
| SHA1 | 9c3064cfcffaa1939f80bca2104aad72e281273d |
| SHA256 | 6425481479ca0ee668558d54975bfa252f57c7b8cdb31b2a5a4a09dfb4ce13ed |
| SHA512 | a1358f74e7ae3c35e8c5ad61592b146189d33830ba9722a5becddb842c9f192193f93fe83d6b0106414dcc29481432a0c9add18efdd505dab5963141406cee5b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | b01300a895b4c7663bd82389a956ee62 |
| SHA1 | 575ee65ee3061d62d2781041a91cf2d623be1bf1 |
| SHA256 | 8610b8dc954d43b5e48d171b87f66c7601f449766733c5f7fff2885cdd7133dd |
| SHA512 | c0d7369fbb5db4f09cbdef3581d154acbc319bea3d0d41df2dc7f938af68e9b542145a00c02b9e8bf4bbb38af9610d85ecd8c5abe161916e6fbecdeb41679230 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 150cbdaa1d6f804a06f25e39cf21ebc9 |
| SHA1 | 167d20a9eb35edc9004673cb14cd0d8860a5fd94 |
| SHA256 | 6c669413653d9c8ed4ba88155d2e3939189ebbf2cd22ec70a898ef301ab12ccf |
| SHA512 | 7609bd61a981d47076a0123865afc595635a0282a951f31ec22a8d00c869fd5c98e82dcbcd2a3e7460453ce4ef4fe43aa326c31e888b0dbafeec44781da9a11a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | fa34dd0e05b9140ec9674d7c376950dd |
| SHA1 | c9dacec0edb03e7dad8158f144d749ee44a29bf5 |
| SHA256 | 9f26b54f72e14bfebff24ceb40d1f1a1496bbaab951365f459b1044254c22609 |
| SHA512 | 2c40458c96f9bb5e3fcc1dab3019ad62cf25fbb4fa68574db499fd6cace2245920ac41a081142202c5b191cfc937bb6eef54637bd9dbd6daa31c27e623edcb89 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 419f53578fbead61cbaca2a2d838ab33 |
| SHA1 | cef5f9aa4ab8493c92c9434a45a6b061b776d6fe |
| SHA256 | 799bda8fa187f3042fc0e201af5b95bb96fef576adb4d58664cfbfbe91225a08 |
| SHA512 | 6a5df2d75a7125bb372cfdb2faee8209e5cb31832927ed6d2ddbab6a6847b86ea025ffe3b7610c84d675fc0c7d2e78e8008dc1ed186f03774fcfac12a8d23e21 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 3a2e39a6dd4154274b418fa168d86d81 |
| SHA1 | 298cbabb72a263d9b2e6360a919fe3626a376a41 |
| SHA256 | a78cd220f5d2edce76698b57fc13e034661fb70d91c65fee0a764b33fc013e24 |
| SHA512 | c9bd82f57037b047b650d900d0e4ac527ebf66259e0c75469e7558cff32beee76be9f25ba199aa9df4e522def24387d52422738a6a280240f24707fbdfc8f338 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | cdf69d6d2ed42dd985c6e3cd3d17f902 |
| SHA1 | cb55213f229f411051d1fbdde2cbf8428b55e300 |
| SHA256 | 173d8c2b776b01446a87edd00fd79850570ca300a4e8134028f9823b636b7477 |
| SHA512 | a0692ad3f23fa30387c47c6180377a9e27d5b7957862263158d78afd5d15c32383a4399baad9cd4944107fb3148573ef8b3a58c8a5e52b8a46b2334807102afc |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 849894f33c3700323159af80a6240514 |
| SHA1 | 6f6e89e7d9151c6d0a8e27d4eb1fd8e074bad34b |
| SHA256 | 2744daa3cef465564c51aa9b0db7dfbe677efa83e112e55c5bc4c138bf5ff646 |
| SHA512 | 498b6eff5ff2ca39c58f4fc0d6358c69738c08a7c1482d9600e471518025f4795868415f66509fd1fc4b189b43a6cf3aebf5c4fe1acc22dd585a50ad68fd0e3b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | ea686625310033538bb428094f9a53c0 |
| SHA1 | c578796af3156cef6cfdd8f51f2fcf4a8fc9e0d5 |
| SHA256 | 107bd67c640387d060f9f33896f389ab2216aad880ad391aaed0ff289241f3b0 |
| SHA512 | 1db8b6ce9ae96660e431a3fc417b7cc376db5589648d32328fe07fc0a1e8fb27d162ff6df65a8c3f03f0f0827eb6bf48d6728cbf6d948a2fd365e4f36325d7fd |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | b6fbe0244fdde9f8ac49fbce935a01b5 |
| SHA1 | c7bfda933124941d0e67c63e16fa52dacfcdca0c |
| SHA256 | ca4c211162a560e3060f1567b8fa9308a2f57c4054ff6327919c3f85df9715fe |
| SHA512 | cefa8baf1e5610e7009f0245f9c3d5f364820c1210465a77f90637dffbfcdf77610f96fe30c917ce82c6784b1dabae3e691835964acf1059c68c3332afdbaeb5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 271027e94b8794a40a62591b9424bf02 |
| SHA1 | bc5ca0cdc52c1b178aa044b9753697dd9777ee7c |
| SHA256 | 38fc881825c1dcb7078d086350e817c9d50412d27dffe67f758eb3c365a73b9f |
| SHA512 | 5d0cec9eb7a261e314c4611307f5fcf9340bf12a78d961155eedd75d3161b6e777488d50fb5092cb8bd47d410a573cc57a2cda642262c14d643531046e715b8c |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 9947a32e1a634939b04a832b9f50030d |
| SHA1 | 04304b097434d29d4aeed16b4a39649b32ad4ff5 |
| SHA256 | 2eaac5d4ff6fd507acb04f18f5ed1181878975d4501cdcf380ac4f040e08b83f |
| SHA512 | 3351496355aa8b3eca6b97d5523888cd104d7e032d93572f624f92f6148c5fada0ec8635ca55028ab6cf97f02980522579683b61f7c3f48025d853a48bb0996c |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | d4e7bf80a251911e4dbd9cb6a3df4f41 |
| SHA1 | 1c640a2da865fec458cf9a407512031d1c1370a5 |
| SHA256 | d2c9c172a02ba85fa6efdb61eda04a5140c9168fcb54cb73f759819f06898c53 |
| SHA512 | f1a0fcb89818440ebcca87a85f353e02fcd4a7087830b5b357985e60ca087bd79243459bfe63a0a8403df7c459903a9ed1cf7b20876e97d683a0907e70e7cae9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | f350f0f8b29a0fd2eb4c6b703aeefd80 |
| SHA1 | fce52193fb12cba1e255d899485e7cd8da0cf271 |
| SHA256 | 17f262d38844cc097920ee9dbc4610b71f0b9d8d70d0ef9574872b302cc317ba |
| SHA512 | 50f9c450b7e6f999138b57be9ba749a6cb1f2868f7f28eae1728f3433cddd9970d3c3b9c0e589403fc4f6c6433060fdb7461cc889f2ac11630a771c1addddb66 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | cdccdcd3ac4f0db57c2f54835e978ed6 |
| SHA1 | b90c42b788594951a9f92dac852699d7305cd793 |
| SHA256 | 56c486d59795bbe86c2e158c188972254dd53fee694bd7ef3f5aa4d1e51ba01b |
| SHA512 | 2491f016f41e5e05fa6d44ade9c14c445ef1c7f74ad03c6a8f73d1c1af6f0aca7339f9ba3c19376c3894d18c4c79622fa32ffab82c6648fb738b14698121d8ce |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-23 09:17
Reported
2024-07-23 09:57
Platform
win10v2004-20240709-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{YI5QIC5E-57CN-6MK0-MW02-YCTX4G8YO675} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YI5QIC5E-57CN-6MK0-MW02-YCTX4G8YO675}\StubPath = "C:\\Windows\\system32\\winlogin\\winlogin.exe Restart" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\winlogin\winlogin.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DefaultSystem = "C:\\ProgramData\\Sys32c.exe" | C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\winlogin\\winlogin.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\winlogin\\winlogin.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\winlogin\winlogin.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winlogin\winlogin.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winlogin\winlogin.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winlogin\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2028 set thread context of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" |
| C:\Windows\SysWOW64\winlogin\winlogin.exe | "C:\Windows\system32\winlogin\winlogin.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
memory/2028-0-0x0000000074672000-0x0000000074673000-memory.dmp
memory/2028-1-0x0000000074670000-0x0000000074C21000-memory.dmp
memory/3616-2-0x0000000000400000-0x0000000000455000-memory.dmp
memory/3616-3-0x0000000000400000-0x0000000000455000-memory.dmp
memory/3616-4-0x0000000000400000-0x0000000000455000-memory.dmp
memory/3616-6-0x0000000000400000-0x0000000000455000-memory.dmp
memory/3616-7-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2028-9-0x0000000074670000-0x0000000074C21000-memory.dmp
memory/3616-12-0x0000000010410000-0x0000000010475000-memory.dmp
memory/3616-13-0x0000000010410000-0x0000000010475000-memory.dmp
memory/3616-16-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/564-18-0x0000000000690000-0x0000000000691000-memory.dmp
memory/564-17-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/564-20-0x0000000000400000-0x000000000051F000-memory.dmp
memory/3616-80-0x0000000000400000-0x0000000000455000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| Hash | Value |
|---|---|
| MD5 | efc16116272c74d95b1fa54f2e7b4516 |
| SHA1 | 9f783f505bca4adfbe9d4fde95535a0b3e1cf107 |
| SHA256 | 212c1c6962bfe12d6c3271cfdb213d92663a3dd009675b29cf752799481b6aa1 |
| SHA512 | 7a063bc5d2185621bfb75ca5bc7be2bcc2b48d8ba44047c05994ae79c95804184ea4f9fb017027a0c455085a22901db57c8c33f0114de8f8ffca797ba5828928 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| Hash | Value |
|---|---|
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Windows\SysWOW64\winlogin\winlogin.exe
| Hash | Value |
|---|---|
| MD5 | d881de17aa8f2e2c08cbb7b265f928f9 |
| SHA1 | 08936aebc87decf0af6e8eada191062b5e65ac2a |
| SHA256 | b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0 |
| SHA512 | 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 06678dbabcb61e40b99b00a1d82a5ae3 |
| SHA1 | 643ab20a9258d9eff5c11e78d887679a8ec4f85a |
| SHA256 | dee9054636e5f50a995e91ae04cbf9f9f655e60ca85f3e5b42757c1b69da4495 |
| SHA512 | e54a9d8a5f5d743627cbdfb2938fd6a158a4be6216b16250aa2f69e31ab86f7a3262cde49b2ed5df05c5b93619a24ce1a6a2183af10bbbb2d567a822e40a72c5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | c7a5f1581ff9c94e85d672acdafb7f9a |
| SHA1 | 913b4c5cf9a10ce8a96ff8f9d046cc9b20867c97 |
| SHA256 | 76c7982e708af2917b07bc50739466eb5fd0a0612a608298f75517bbc2cbe05e |
| SHA512 | 9a4a0b158347c1e77b4e6ec795bc3db76b35e81e4313b87ced28abd9f3e2a9682e19ec675badc91c6f8078e0d3c2ab49894186685598ec3e4c2fa526460a1a8b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 894773d841729486fde007f5923e7b35 |
| SHA1 | 083b5a97d257908ffad04d471ae1e58406733f1f |
| SHA256 | ba569a8b0ae8f0e5ab4925b47d475f05864574bb3d37b84a77a00bb802ded921 |
| SHA512 | a89add1c0d62887d58c9775d2de6fb1d497510d636bd98e53802f733949094df603bdb481e8cfddd74e0feb55f08f6994f1b5fe37bda026d73a27fda802f4e4e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 9d592cb605ac5a45202be154a3b6176d |
| SHA1 | e97404bdd56a1a14439bbce22a9206e209ba23a0 |
| SHA256 | 424ff62a66400959fea14d26c742328195dd553aef456db5b917f66973e5a6c2 |
| SHA512 | 491b8c6a9adc343f4cc9e7c86387ed5ad58df399926607c2845b6ceb6e588420e0d90b5d1db1fd55a508a2544865a19048d6669b22921cd702b155ddaac8f102 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | c3ca31158c01605276693e8840b12c8c |
| SHA1 | a9eab290b7301d6ec3834d211a1e74a65963f808 |
| SHA256 | 828f391ab588b9e6e00848169f6e07883fb6484b63514d22c6a30105954b9dc1 |
| SHA512 | 3278f5d869a8626cace5ccdc60a902f1a623b5577e589cb19d0bc7a3b1ab4463d1355a5bbd8c9a06f15d6b905ec5b27936d7d8139342aa30cec0f789fb4f23c0 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | c92318d24038a56b673f85b8beaa85fa |
| SHA1 | 2f31eac1ed20df4a8c526703bed101b6407b3830 |
| SHA256 | 4fd4d7685172c82a3f2cdc52a0500034c03de2e46c3d4c493997be2f702b1c42 |
| SHA512 | 7249fabe0b49466dd9ad47bc9dcdda3011619aef2816d9dc046b6051bc7229d2b7095ce72e8f48cd6b325600bb031a9105334b0f48b3a321995529ee13050055 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 19a2f2a790da1dd05165025327a0a409 |
| SHA1 | c85d194c386b577b6c6dd4b6e4615053bfedd525 |
| SHA256 | 927c56c1c68d377d0d9a679e1f9e0304662c96219117d2c450cf59c2002c9cb3 |
| SHA512 | 9822ecc47dd59f5a3f59d5e024698b5f53d705775682b699ecc082ddd0c0c81de53aa188735808cc89201490ceaace8019d0874e1f3fff7c0de4615ffa459e47 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 25f3e66b8034e9d021ba54f317bc092b |
| SHA1 | 2977ae44f268a6da3dfba127c46a67009ecac282 |
| SHA256 | d2fdc213b884c68e32f3fa3b8b5eb9f5c8251628f0272b2fc47475bfa31e7617 |
| SHA512 | 97a642c5d1df717da3356b88b2340d17a7d2b3b0993a63a1ffcb22afc8b0674a8d627a06b7c97cbd6231226392c6239fb964897ec9033fc79520b8267f0ab453 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 4d531347451bd6a15d7ddf451d7d87da |
| SHA1 | 37b738a8fc015921eca6e5607b067fe0358006ee |
| SHA256 | 91f949eecee14ffec8da85aa0bec40150f8ab8b8e9084a5fde25ded5c47f1987 |
| SHA512 | 147da50f6df0fea03fe85d54a200334225466bd1f9e227897976aa3c2e95acdead6414846d9a625dc973b0b0a155d74b0d90349da9d6e7ec8d40dfd6115bc458 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 392b8755868360bc1bbedcd6da618f0b |
| SHA1 | 14d82a5815c3fdca7d911b43e5ce84bc21eeaede |
| SHA256 | c66f1efa5eda342d4ba6a1eaba7f554950fca6c7f42fc4ef4a743227dc0c3c7e |
| SHA512 | f13e289f521d8e8e698dc0cfda9e6dc144bfdfb3f40c74bdd5c74a2791425e59d3b04124707fa6a28f39c3cc7f4ba60d200a029854fee45eb6e97c7e3ee1cc77 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 9bee6751ac57d84f4d35cb8ff32cea4c |
| SHA1 | 2d88e5d09037ae7f12da25ee6b4e157413e372e9 |
| SHA256 | fcfaac6c9144fda0a173a9908879b0c18ae25343f8776b935b703a7332660846 |
| SHA512 | 9f4a863c52cb2e81a5ca40e168b5b9e6aef83bd3110a189a53f52a53e23dbba5ef7f932a161ab6f85529d8388a9217802c73869d4993bb9c432d13c858e384b0 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 7c768daa8a3ce501f6106e7419d0c762 |
| SHA1 | 13bbbf5ca5bb5f2e517eb1cb67f099383218514b |
| SHA256 | 86247a0352b55e2ceeec970f63fb8ae726e0c7332230d5641cea2635402c8e03 |
| SHA512 | b26bf912281278ef12be75dece10ee122a31cac83b6c43867c993305f7441d210467b17bae6beee7879512716855467a94d94283399048adb7039554a9c5e4b6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 17c24eb2385c9d933e7d3bdfdc516f30 |
| SHA1 | 7e3919575f9691be2b5b5350c83791fbe515315b |
| SHA256 | c7e1fdb7edf1fe4feda7be790865a53f3a6ee0ba942ef28af30144f598d0eafb |
| SHA512 | e36ec456a466d339a6598e9326e1f456082d98f330b1873ec5519779266c09f0d1d6586b480938cb8ba052baf912bd7d4628ee6331ef284d1c73eae34c5aae7b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 0be71ead811028c04a911f3c7dac5c5d |
| SHA1 | a8cc58807afd14d182408d069e42ba125f617d01 |
| SHA256 | f973da8d3dffa0a316fb653062644863c5aa1c480cebd2f899761987e91f2c8e |
| SHA512 | 7f6f11aba6e69f442324a60b3f5b657d6b4c33e6550fe429fb9838202b2af9ff66c0870695d49fbead57195ba635124c81aa4ec048d5fc85b82dbe50d41ab214 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 35cbf787c31ecbcf47ab3190180dddca |
| SHA1 | 5ea2534936a370ac878cbba1d39d77fd07cb6520 |
| SHA256 | 284778eb5ea1af99bfd459f91a48ebba760bc7082401d65f63b9644c45fcfaa0 |
| SHA512 | 9141e750d4542a0d47d4ab558c4d31fa0427a49e19241619f90988b0b90d8b6053d78abeb99d925be322279dd9344f329c4c5e1d206ca89228703a3ed13f187e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 790a83b1ff8d065c3509de81a10055a7 |
| SHA1 | 6bcd38ce86229d9d9ed39b2d0293123694d68d16 |
| SHA256 | b008a6e5c3fe98f33ebb1bf559e83b3ca49ef94513c7927f4dfec47874b987e4 |
| SHA512 | a852d0df44b1b7daefe5e1edfd444f8f102029d0829de1a97d2c927aba910e9f3b08911e049a1253730344459970b95dba2cbc86bd13a33a11c0e3d38c696068 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 2214555e1f368a9523856fd8ff3ad849 |
| SHA1 | d4af9cb42b90c94bc75d67a0e61bed7b51b76558 |
| SHA256 | acd156d8f0c20691cff1093ccaf666c783d736dc2b8c701bad503d88794994aa |
| SHA512 | 67470f0334ba3bf15a86faff2a598f01d95c90664f80eb7297fa8add374022ee6ff906a3322ce52df6dcc1decb21ab2b7e54dbaa31b028f6d93058cc174eb4e1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | c8f5637c610b6c9dc475c33d8e057533 |
| SHA1 | f7df0b3547b0c889653a2b2704a93ca814ca6cc4 |
| SHA256 | e337617ffed683c3f5b58c2fda8061bc51a659d6ffbbbe394b6c395c1503eb68 |
| SHA512 | 6a51ff4a215ccb45f422e3b8b55acb7e9dfeb45258dcc8dd5dab2ee4bbd252784c57be9da017faf877463e9c93a8c6e5f60746ab5fd6f72be5514cca245f7304 |