Malware Analysis Report

2024-09-22 09:07

Sample ID 240724-12y1tstaje
Target 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118
SHA256 a76fba3723f7ca56efbf3955854243ebc2a05e277726cdb96a727ef0822bae63
Tags
upx cybergate cyber discovery persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a76fba3723f7ca56efbf3955854243ebc2a05e277726cdb96a727ef0822bae63

Threat Level: Known bad

The file 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx cybergate cyber discovery persistence stealer trojan

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Loads dropped DLL

UPX packed file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-24 22:09

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 22:09

Reported

2024-07-24 22:13

Platform

win7-20240708-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Roaming\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Roaming\Server.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4P11P8R0-BK57-2245-T4V4-63M05E0263K6} C:\Users\Admin\AppData\Roaming\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4P11P8R0-BK57-2245-T4V4-63M05E0263K6}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" C:\Users\Admin\AppData\Roaming\Server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Roaming\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Roaming\Server.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\server.exe C:\Users\Admin\AppData\Roaming\Server.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\server.exe C:\Users\Admin\AppData\Roaming\Server.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\7za.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Server.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\7za.exe
PID 2544 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Server.exe
PID 2240 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""

C:\Users\Admin\AppData\Roaming\7za.exe

"C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"

C:\Users\Admin\AppData\Roaming\Server.exe

C:\Users\Admin\AppData\Roaming\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\Server.exe

"C:\Users\Admin\AppData\Roaming\Server.exe"

C:\Windows\SysWOW64\WinDir\server.exe

"C:\Windows\system32\WinDir\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

\Users\Admin\AppData\Roaming\7za.exe

C:\Users\Admin\AppData\Roaming\Server.7z

\Users\Admin\AppData\Roaming\Server.exe

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

C:\Users\Admin\AppData\Roaming\logs.dat

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 22:09

Reported

2024-07-24 22:12

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Roaming\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Roaming\Server.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4P11P8R0-BK57-2245-T4V4-63M05E0263K6} C:\Users\Admin\AppData\Roaming\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4P11P8R0-BK57-2245-T4V4-63M05E0263K6}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" C:\Users\Admin\AppData\Roaming\Server.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Roaming\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Roaming\Server.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\server.exe C:\Users\Admin\AppData\Roaming\Server.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\server.exe C:\Users\Admin\AppData\Roaming\Server.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WinDir\server.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinDir\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\7za.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5112 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\7za.exe
PID 5112 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Server.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4032 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""

C:\Users\Admin\AppData\Roaming\7za.exe

"C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"

C:\Users\Admin\AppData\Roaming\Server.exe

C:\Users\Admin\AppData\Roaming\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\Server.exe

"C:\Users\Admin\AppData\Roaming\Server.exe"

C:\Windows\SysWOW64\WinDir\server.exe

"C:\Windows\system32\WinDir\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2448 -ip 2448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 228

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 37.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/5112-0-0x0000000000400000-0x0000000000528000-memory.dmp

C:\Users\Admin\AppData\Roaming\7za.exe

MD5 42badc1d2f03a8b1e4875740d3d49336
SHA1 cee178da1fb05f99af7a3547093122893bd1eb46
SHA256 c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA512 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

C:\Users\Admin\AppData\Roaming\Server.7z

MD5 ddd9d0d3cdda3902a869f6a84ac2eef9
SHA1 6f069bc0105017aabf6e678946ac5e6d7a752e41
SHA256 64086acbbb720217891d0cddc7b5b731dd51e2cb0aee4c4f46944469c176ca89
SHA512 83c2ab68c2e836098f3db12be3db46043a811823269e2eb1e1d5ac3519c0ec92727e8865e7b5e00068fb8a33c92ef71039a96bd2671009bf083da12e8238bbc1

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5 e3f31fe5eca07ec9ac1b76f5690583e2
SHA1 72c45c5377ca38ab978f7969eb9619d5b41176f5
SHA256 64a956320b0bc4462dcdeeb326a151f3d1ba9f1f88b91db0c9df84d6f690d896
SHA512 0091cdfaf07f19808e6991d8494d4548027c7852e620aeb4af2f9ec69b60e15e3969eae9dee1a6236ceaa5b518bbf353bd9fbb17a5c3fe1158f11bb00204d373

memory/4032-14-0x0000000000400000-0x0000000000494000-memory.dmp

memory/4032-17-0x0000000024010000-0x000000002406F000-memory.dmp

memory/4032-18-0x0000000024010000-0x000000002406F000-memory.dmp

memory/2904-27-0x0000000000400000-0x0000000000494000-memory.dmp

memory/2904-23-0x0000000000600000-0x0000000000601000-memory.dmp

memory/2904-22-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/4032-21-0x0000000024070000-0x00000000240CF000-memory.dmp

memory/4032-80-0x0000000024070000-0x00000000240CF000-memory.dmp

memory/2904-85-0x0000000024070000-0x00000000240CF000-memory.dmp

memory/4032-87-0x0000000000400000-0x0000000000494000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 9aa5ee67a5bd087e97dfa33ef6b43eb6
SHA1 24bb7733caeac3e295849a7f04b24ad148769d53
SHA256 2bd8f39d14f17cdb6f318e3b1a3fe261a159a11591ff68876eaf11bd25bac5a7
SHA512 fae4d7ccf3cf2bd0b314b7ccc75fefc37ba1cd62c762d2d6398e5cfdc4806d0ca0f86f61eb8d2eccf8d479d8e43ccc291ee9dc8d8d5e8fcf86b7178f5074c946

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/2448-108-0x0000000000400000-0x0000000000494000-memory.dmp

memory/2448-110-0x0000000000400000-0x0000000000494000-memory.dmp

memory/5112-113-0x0000000000400000-0x0000000000528000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7f88ac45f28613914a9f2c2e457ae878
SHA1 33dd7ba3f663c97d0b8c5db7db3181b9c5673e76
SHA256 1b0e2e07f62e3f92d8c569ed366368ede72209a143495bb9ce78ba5eacf676a2
SHA512 9203612e8e7dab70c25b08c849f8e057e2e10c872e0fcccdbd10a0a8722a139abbc6420b702059bc74ca7fc8a37c79771fcb0611f15c4bd8ab6b75fd5c8c57e0

memory/2904-1208-0x0000000024070000-0x00000000240CF000-memory.dmp