cybergate | 59bf30b1704eb95f64f8c2aa947fec106e7e024f6608134da93bd004afd7b2fc

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-07-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
Size

572KB
MD5

6a3f650688c3c9affd9630bf78762cc7
SHA1

7dfdac0b1e0f2bca8cea8d17ed6c5a18ab67eb7d
SHA256

59bf30b1704eb95f64f8c2aa947fec106e7e024f6608134da93bd004afd7b2fc
SHA512

f01d1501b5d27f22c304811ed0cac8b14237288439729be3710fd473518a1d26b254a78d487e632a3f76a94512d4f3fd3ce4fc531f4e0031f0fe6c316eda0bd5
SSDEEP

12288:jnUTdzJN8TY5wof108JROFRxePw804LihhX:jnKVN8S1ZJQRob0h

Score

10^/10

cybergate mms discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

mms

buls.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
System
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
SPY_NET_RAT HKCU
regkey_hklm
SPY_NET_RAT HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\System\\svchost.exe"	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\System\\svchost.exe"	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0S051E3R-8L2V-77T7-14SA-IBE40BF58N81}	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0S051E3R-8L2V-77T7-14SA-IBE40BF58N81}\StubPath = "C:\\Windows\\System\\svchost.exe Restart"	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0S051E3R-8L2V-77T7-14SA-IBE40BF58N81}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0S051E3R-8L2V-77T7-14SA-IBE40BF58N81}\StubPath = "C:\\Windows\\System\\svchost.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2828	svchost.exe
2652	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SPY_NET_RAT HKLM = "C:\\Windows\\System\\svchost.exe"	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\SPY_NET_RAT HKCU = "C:\\Windows\\System\\svchost.exe"	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2828 set thread context of 2652	2828	svchost.exe	36

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System\svchost.exe	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
File opened for modification	C:\Windows\System\svchost.exe	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
File opened for modification	C:\Windows\System\svchost.exe	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
File opened for modification	C:\Windows\System\	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
Token: SeDebugPrivilege	1872	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
2828	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1900	2132	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	30
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18
PID 1900 wrote to memory of 1068	1900	6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe	18

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2044
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:308
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:4972
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:8148
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:8780
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:684
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:772
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:824
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1040
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:864
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1688
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:972
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:268
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1092
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1112
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1180
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1156
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:588
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1068
- C:\Users\Admin\AppData\Local\Temp\6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:1436
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\6a3f650688c3c9affd9630bf78762cc7_JaffaCakes118.exe"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1872
    - - C:\Windows\System\svchost.exe
        
        "C:\Windows\System\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2828
      - C:\Windows\System\svchost.exe
        
        C:\Windows\System\svchost.exe
        6⤵
        Executes dropped EXE
        
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
9fa90d09701bb68c9e8ea956fd9e57ef

SHA1
b17f256d8a60aecd8ba6e328f297da1644ef4aee

SHA256
c12f1c5ea34973751449a738e11c9c92b2abeee63898679beaca07ab3e0e96df

SHA512
14dcfba36561172962ea58df38820e287f3bf6ba082d883a7efcd3d07228bf3001f160f4c649d7d114bf9a99838c70f2eb5c4a631a5c5e47992b0e3ec889c91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1f680bbd35a01d031e93f1564f0cc4ff

SHA1
da41dde604a347cebfe9f01b080efca197f2d33f

SHA256
c1ac8e55dce3df1499123628fd68c5653e6e6c6815f04f8676e7c31197fcf302

SHA512
7c337ba7891cd57059681c8654d5cd48fff23d19a5c36e0cd44b70d9d47c96bc2b875753d70f9c42803f01a812238848fec46dbc7983a2caf01d3b1ec19bcaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c0ae4ecec64b4dff8a723945dd7c6cbb

SHA1
c326fb7cc215f0b391dfd7b2a108ceaa80746ece

SHA256
38c2ff0b446eae26b0b2fc9811c44aa07f23c5091aa4403a4c9a8224d7dc4af3

SHA512
4b5f4b7ae396714ed2e706a5d8bfa72da3ff8332a0e9ec9d6b1c3231fd4f70853222511ded2231c2302bfaa4c012dfdd82c70bdcfe38f7809589597e0726d9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
86ea12bf5195261fe970d3ab5c653638

SHA1
d390d787dde95b847d91df295001063b8c3781e7

SHA256
f5595f672c9f36bbb138117ed7aff30ea130cf221e13200e73490c46bf88bd46

SHA512
0ddbef641772094d60c707354e71dc49887f114d686b5fed8f3d5437ba9fba6950a66e766d9d5db1705a42f99ba5f223d04d64b5fb3400512dc18b7ea979e46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b959d6bbe3736c67893a1b883e402fda

SHA1
4f418a312f818378917c9a3c66c17ddee2881d6b

SHA256
f93d29ac29ba904cad028fcfa48ce2498e89a0c10d6acca9b1ad6f086305930e

SHA512
8ee4442576ee8765b3b5c7821d16efb82ade72c8bdcbf8e682942ef48b244ab7dcee8cdb89c4d307dfbeb254a079a38a69fe47c888e6a58864c7a612497e4bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d0143bac2a13b205b87c17437307bd64

SHA1
5abe904be450010da47273c158c03b961d93bf32

SHA256
0a7f0ff487eb5834411a4c72f4fc3ab8b4e2771d8957ddeb53b4d4a416fcf5ab

SHA512
d1396b3aafef46b4312c9e0635925a9101785fbd00e014e6d84f60f78e62f1561f1ae5d3085d5dcadb7d4b615cf8db523274582de7029bd195b1b0e3a7b0efad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
be62ebfb1f3e4b82b4ab084c25b39d4f

SHA1
f8529a54a43c6042f99944a9d22507185a6a7039

SHA256
80ebef503beb4b6baf281a64cfad9e89af0ec2366b5e137d745130bf62aaa0da

SHA512
d3d52ed1c16adb1b7c868bd1b92f834b7afcae519c0fd98e7ca534bce604a1336a23468319f446428bfe735912de3c5e607fa2a5514326ea8174425c4c4ffc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
daed49ed709e50d4089e7e9acecee0a4

SHA1
9bc6abe01f71449c9434acafc93d9ffc8b6cc702

SHA256
692908ee8f660fab09545d3e8db3c7afd49f986288faf6957d1b4ff22aeb7f90

SHA512
16b9fc48307afe05ecf915cc9de36b505880efb83cf0bb578d8ed776feb45246d239bf553dc067fb261f216ee2388461348abdda66a448d966535b7041416f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
447843a3a1900bac7333dfa58a5caa93

SHA1
cc63d77b3fcffb400217cfca275c0e030559d1b5

SHA256
aacc2cf61ec02e7de10dae0080cf7502415d3720d0283cac8b42bf04789da720

SHA512
4c1e86656878c920101a9d23c1727f8c40b6eda9a73828a58e610f786e1d504e36b50294d22fb6cd77a8f78ffe9133668757701e385d618740238a827c536e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0bd0247ef032060d501474eb33bf5bfe

SHA1
2d50ea341513a872a3bd48e21bf2f5918ff7d92e

SHA256
fcf19d7823f4cc8db47c5d1e77f80baa719326253221f9bd23f8344959595dcb

SHA512
59230ef063b61b017ee759c49746f4185e2d6d1a4ded541c8317b05eb9945f2ee07cc9000294a9bbe6cf45f051cf4e11bb674fd0bd95fb3154e06c1c83a88157

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cf9df702e7157bbbb3f0569a10731328

SHA1
d252197ad1722275c0e87a957fd338a436bd93ed

SHA256
c7011295b0c6d740774f4838e887eff87ede35a2644a11f02404e96046e139d9

SHA512
55a1115f897049c22565bf9d7577525d8d3ce24d305e3baa287f256bb7c583f940aa329cb155d5c0d83faa97c06733b30cde7053dc6abd91c8aa69cd45697e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8a321b8169e81baa05ce67a561e31ba2

SHA1
cd18275697c38903afd2967c85c4f1ac233b4a3d

SHA256
ffd9c064f991cf248b118027b566ab4814b7ad42da70ffc7c08eb1d977c4a685

SHA512
2f24685934f9ff269747b7d5028af2339a27330f03c7f7be3f0952948376e2d631c764500b7ff90bbe2adb7a39606ba838a96037ddb28751f4900a466893fa84

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
73b3c21a4b9f604991c48641ee1555cf

SHA1
f2cf1c6a9bde3b14aec4d0dd1264e07958f08252

SHA256
b9adb02e677bfc4082d1c30a26ba27a6bbf8a1be14568bd418da871308db17c9

SHA512
84f3e5dd5b0bc1595cfe640a658391786cb225518127b7e7e0c6c016ebfab3ea287a795ca45a04816c98b1a20159b47ffb9148576d836266b3eb34bd1fd4263a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2360d1d3996ddb453a848939d5baec1c

SHA1
08ca2beb05827f699135e98a072e6f1e35d68b9e

SHA256
f481d28483654d9b4247fcf23faa26f16e8af634bc23997f6fd6856e54665ab2

SHA512
acc759fef37945324100fa3b71b7846502c06fc9ae71ddb71b0ffdacf99bf4db47b8af9f62867a82da374e035ebd144921a2ddf6ed61a4575f84ab556dfdd7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3630b5ab08031aea20653fe09e7952b8

SHA1
e7b3371f07fbe437ecd95c7c5e1608a72f4c38c3

SHA256
7293ab1c44ee6a6c5c1f0e09fce5a7b130babd5d032cd7b94a9694c86cc1857d

SHA512
097a4ff982575fef97ce31d650cd1104485cf5cb3cb1e41d1ded10c5154580aacf35c5f7c2af76ea55b92bc716cb679d38dfa74c904b0f016ee00b83607b88b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a39b5d7a8739a68d5294151ef24227fd

SHA1
35250d8b893b43624a09da695c611b0960f7d48d

SHA256
44f7f9881ca3926dbd253dc08a0d6bc94a239f401fac5d6222156a8f74a51f91

SHA512
b6178a596113492f6460048cf29b908c4f2d744f31c476100d32147f0baf66eacd107d919f2ac8fba0cbd6a4a20ce0e26e569b490c0b9d535f4c2746fa58d8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dabb8dccfe1c7800091e6013a788768f

SHA1
b5d3286692fefc85d3f0a1f199804a2df2967dba

SHA256
0d520dd73224d979a730e6bcebbb8896d74016ef0d09aecb40666714265d6d91

SHA512
2cdb712bc7459f992cd50f4391d33507d561b0d125f0cfcb1d505ceaa997784cbde45e2992176750d20a3bf4af21a5ded7cbb08e4888d1ac7272b43b016639c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d0b899fa26340b10a544d8ed761e480b

SHA1
231b20f62f75f9b342600eb476cf70dd000be818

SHA256
1a946950eb1fb4a04cc8326077103842f2a98b09cb6688cf8cdbd1f4fddb9c75

SHA512
aa0d91109a74f34b407438bde3602e6b5aa35f9fdeab75d2fe83d2537c90ed282ce67f9a59b6c88ec9477942d10eeae8498d1d0ab50a13137bd716271a13fd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cd8003c7053e09399af2fcbf69dfe79c

SHA1
9922e87fb0d8ecb6f0c9c02bd3970a133656e03a

SHA256
e4ebc1123bf49b00d45b1fb08c3b56850e831de49595a50051f061af7235b3e2

SHA512
1c13d5c213f774a1cf55c956aad748fb71110921c1e3aaefa54a123a54e6f5c5df02806a8f3e3b693ee76a3b96a473fc21993ac87ae71dc43cd7f012c1f17608

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a939e192937d71238fb850db73d38dba

SHA1
7778f33ec5d81c815e781f7b0810ca76f449a7a0

SHA256
cfaea1caa47d342278b1c83aea9f327e4781d371e8c4f65b60fcea806d7308ba

SHA512
7dbc26d63f8cc50d3003a342be174f5281a3583a820f8feec20f38a210d59a9abde730a97f85087f5d0ee63cfa5a13544a2e4396e35ca8bc7cba13f29ee712c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e6cb37733dec28bdddadfd66de80ed7f

SHA1
abed147f5d3a6f6d810891a892ce90eeb19a5d4b

SHA256
8957eeefede30a0668bf2cbca8c4714c4dfadcfe95340845a1837e3aef9e09e8

SHA512
7e051a2474b5dfa3b6474a964bc379a68c1cb01ecb4a3f3ee7e8966c8aad1f557d761baeb798b744210979e94f825fed80400899269428aff003c33cb8014dd4

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\System\svchost.exe

Filesize
572KB

MD5
6a3f650688c3c9affd9630bf78762cc7

SHA1
7dfdac0b1e0f2bca8cea8d17ed6c5a18ab67eb7d

SHA256
59bf30b1704eb95f64f8c2aa947fec106e7e024f6608134da93bd004afd7b2fc

SHA512
f01d1501b5d27f22c304811ed0cac8b14237288439729be3710fd473518a1d26b254a78d487e632a3f76a94512d4f3fd3ce4fc531f4e0031f0fe6c316eda0bd5

Download Submit
memory/1068-20-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/1436-4311-0x0000000000370000-0x00000000005F1000-memory.dmp

Filesize
2.5MB

Download
memory/1436-348-0x0000000000370000-0x00000000005F1000-memory.dmp

Filesize
2.5MB

Download
memory/1900-10-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1900-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1900-896-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1900-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1900-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2132-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2132-7-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2132-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2132-9-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2132-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2132-8-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2132-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2132-1-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2132-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2132-4-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download