Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2024 17:04
Static task: static1
Behavioral task: behavioral1
- Sample: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Resource: win7-20240705-en
General
- Target: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Size: 369KB
- MD5: 7079223f4284eccaa190e7defa1153cc
- SHA1: 0cc9ac32371e837b5006f4a5a39bd80178ca339a
- SHA256: 17977cf4549f13807702f1298b9111455e7df56f948f4d53ea1ebe6441e54a14
- SHA512: b840209bde31000983c691dc4eb74b2eef7395fdf062b7a9726b8b276264777e434b52ead2cdc9e837574fd9a20ba174df8b04afa9ed4ca731ab2b927991557d
- SSDEEP: 6144:GStXQhoyq04rVmZ3k4cSbgzsdrVRRetrEpsKHAK3m+jDt+YTvLRUQSOObAIASglQ:yRyBUnZ4urEo2PmSKu44Fkm9U
Malware Config
Extracted
cybergate
v1.07.5
Cyber
1yop.no-ip.biz:100
7R65OQ0XHTGJ73
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: WinDir
- install_file: Svchost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 6 IoCs)
Processes: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe, audidgi.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | audidgi.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audidgi.exe" | audidgi.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe, explorer.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI} | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI} | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | explorer.exe
Executes dropped EXE (5 IoCs)
Processes: audidgi.exe, WmiPrwSE.exe, Svchost.exe
pid | process
- 2868 | audidgi.exe
- 2724 | WmiPrwSE.exe
- 2572 | WmiPrwSE.exe
- 2864 | Svchost.exe
- 784 | Svchost.exe
Loads dropped DLL (7 IoCs)
Processes: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe, audidgi.exe, WmiPrwSE.exe, Svchost.exe
pid | process
- 2684 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- 2868 | audidgi.exe
- 2868 | audidgi.exe
- 2724 | WmiPrwSE.exe
- 2632 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- 2632 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- 2864 | Svchost.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: audidgi.exe, 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audidgi.exe" | audidgi.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
Drops file in System32 directory (4 IoCs)
Processes: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
description | ioc | process
- File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\WinDir\ | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe, WmiPrwSE.exe, Svchost.exe
description | pid | process | target process
- PID 2684 set thread context of 2712 | 2684 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- PID 2724 set thread context of 2572 | 2724 | WmiPrwSE.exe | WmiPrwSE.exe
- PID 2864 set thread context of 784 | 2864 | Svchost.exe | Svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Svchost.exe, 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe, audidgi.exe, WmiPrwSE.exe, explorer.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Svchost.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | audidgi.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WmiPrwSE.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe, audidgi.exe, WmiPrwSE.exe, Svchost.exe
pid | process (identical rows grouped, with their count; 64 rows in total)
- 2684 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe (×12)
- 2868 | audidgi.exe (×11)
- 2724 | WmiPrwSE.exe (×21)
- 2712 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe (×1)
- 2864 | Svchost.exe (×19)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
pid | process
- 2632 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe, audidgi.exe, WmiPrwSE.exe, explorer.exe, Svchost.exe
description | pid | process
- Token: SeDebugPrivilege | 2684 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Token: SeDebugPrivilege | 2868 | audidgi.exe
- Token: SeDebugPrivilege | 2724 | WmiPrwSE.exe
- Token: SeBackupPrivilege | 2288 | explorer.exe
- Token: SeRestorePrivilege | 2288 | explorer.exe
- Token: SeBackupPrivilege | 2632 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Token: SeRestorePrivilege | 2632 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Token: SeDebugPrivilege | 2632 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Token: SeDebugPrivilege | 2632 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Token: SeDebugPrivilege | 2864 | Svchost.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
pid | process
- 2712 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe, audidgi.exe, WmiPrwSE.exe
description | pid | process | target process (identical rows grouped, with their count; 64 rows in total)
- PID 2684 wrote to memory of 2712 | 2684 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe (×12)
- PID 2684 wrote to memory of 2868 | 2684 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe | audidgi.exe (×4)
- PID 2868 wrote to memory of 2724 | 2868 | audidgi.exe | WmiPrwSE.exe (×4)
- PID 2724 wrote to memory of 2572 | 2724 | WmiPrwSE.exe | WmiPrwSE.exe (×8)
- PID 2712 wrote to memory of 1220 | 2712 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe | Explorer.EXE (×36)
Processes (tree; each entry gives the image path, the command line, and the signatures that fired for that process)
- C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"
    signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
      signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe
        cmd: explorer.exe
        signatures: Boot or Logon Autostart Execution: Active Setup; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - C:\Program Files\Internet Explorer\iexplore.exe
        cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"
        signatures: Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WinDir\Svchost.exe
          cmd: "C:\Windows\system32\WinDir\Svchost.exe"
          signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\WinDir\Svchost.exe
            cmd: C:\Windows\SysWOW64\WinDir\Svchost.exe
            signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
      signatures: Adds policy Run key to start application; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
          signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Admin2.txt
  Filesize: 224KB
  MD5: ca46c5f9060503c809cb6e70f8be3a7d
  SHA1: 4565db2ccc1e874b3db4982d56604f00a105a9a1
  SHA256: 16d3c4f7c7407f1f662c694d24a87abfed3faff4d899cc5ecb125ea0c9967009
  SHA512: a5fb6f2812174abdd936fafb52e469b845116069273f04d6e4be12602a6bfcd2f9363db0c5c619385bdb7832996d8b7b3f0bee7449e44406f3f49600f21f6514
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 64b1db6a7fee77b2b3a2a1a88d012e22
  SHA1: 5557d5598dde960b617e09fa5b9fd7592e963442
  SHA256: bdb65c9986c08f754ed47e47d8510b3e0ff448c71347b93b5ecf94a1b829ef76
  SHA512: b48a8a1a597191a6b078bb364c00a28e91c06ae8e9bc009032a20c1013a93edd5f126aaa67331641e61be6a7a7541292117b3251ca75203563aeecac7815b859
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: e10b0fad19664950ed7825b7bc14774b
  SHA1: c3f27ff9a735091953cb51caedf66d68d382106e
  SHA256: 1473d289a4dfa02654a355d32b15f3a6b31bceaa40eddc109c2fe347609aa4a5
  SHA512: 9ae73e7af4ef0ac35d3519de4039c08a39011304d65a6eee43d928b0868a8022dac0a6ba16f3a7f63839a6a970a12bcea7c1de0eb5b7ecee0d9c41bc06caf6dd
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 6829b37bb4b7580f13a7ef2d74a6b7f5
  SHA1: 5798032adcb64feec5ebc945aa6904df873d3974
  SHA256: 3b107b880378cca694b576bad8c959c54153f1f7b3b5532a0426d51c61a1fbd3
  SHA512: 9a6fa4e50a8b04939ceef6cd4bf3fd6896f1de85b6ad330901f27dfa2e1ff3661c62dcd4d1447e349f6af40721c4fbd33972d73272759ef146794d2dcd740f5d
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 50d2e034971354d81f6291bc1ea0cfe0
  SHA1: d9153d29eebff478b15c8421348d275ed278b234
  SHA256: 66fbc608152b68cec90a496074226e34fbcb763b8755f6d552fc05f885a3e72a
  SHA512: dcde586f6c3367aa8b6ebeb793483f220dc2d20053a53b632902be627034fddf7d264f2c147b833e226c3ee5121dc3db348977db68aa3a88cbf6cf7d766cb873
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 5dada78ad50a4b4c503b79cdcc074f3c
  SHA1: ef3f58e63c5a04864eaf014e6ea2b0ade7f44cbb
  SHA256: 93cbb9ac22775a860530e71b9343024e34ed8711ad91e1fdeb96d2b76171dcb6
  SHA512: 65818cec282c0c427a3313e58f4ae02e0029a0ef94a0a00ef1f65a39dc44e1ba93113e39bdded6edf661dcae9952fa0d8ede924d184bd14d01e29bd2f09e7c2b
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: a8ca0efd1a9e5f2429f7f9cc253178d2
  SHA1: 161fc7e0d2c6ae99b1d1997d2cfa82c0018bc141
  SHA256: b42d338c40c9eaceda89263544687e10e975fe992dc860894d6c37461d5e8ba2
  SHA512: 3fd6f19f4eac17fbaa14172396a5d148999c01bc28d190f93ffdab6aca1dc56b53fa2cf1b960d1cefe5fedda5ff699bf55f8893d34035776c0583b36f10dac84
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 0ce489ada6b851cbfb7ef59ede511861
  SHA1: c0f243b529353225bfefec2d7fd03e6fafbe31cb
  SHA256: 8ea338910a2d42ebb00066d5fea915ab674c2065822a1ead5676e2da1fd95da8
  SHA512: 7a6d1a787567675d57bf671bb8281e1b5813ab426295fa19704d6aee8f479ec631372836d1481295dcc6a367f7ed6405dc6f7f30cc8b584f00ddb94b1788f49b
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 0a09f8aa2587b1f466bca2a46e0a68da
  SHA1: 177e62c81e708ecf6e3164043c441bec1d868024
  SHA256: b1d8378d451fce49397694c93657a7be384b8798efcbc05b7d97593c3103f96f
  SHA512: 6cd65caa3574a5ac93e534a8ed1d7859427709919a8f0d389c16fa20e256ab585f4e4def269ea0ffc2be935f7b5d313d45afb337422fac658070eb106c9469b4
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 8cb8f619cfc22fd1b29e27123c637a8b
  SHA1: 957d6b8559b8b5e0ed53bb4297c0e15e23254559
  SHA256: 990d4e75f202c94f0977b854dd60713d58b1549a046a02d9a4cf3eeb1b57e585
  SHA512: d27e4cfd84cee0e55421e5311830e12e89217d14a6330adb11815ae95947e89329de304c449eee729b53dac400bd42d7a336ce4bad882f36f13dea42136fee0e
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 9b91a20dfb5f69d4468ee5ca2cd59b6f
  SHA1: dd3f53c5b15cdec665bd7961dee4142f4faf29ea
  SHA256: 774964dd68ec19f8e688e4cb5eb6cd75566ea81cea6d5cf522efef69f58506ed
  SHA512: d5b5252afa376ba4d17b6fbace5ff0585cc6c926793a352fc77b6f5793b318146bd21cea6914bea6d20c83e956bdda9c148841fff7987d2719b2752dc3619140
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 11e0d5d61359f3d6f8afc49e832ea55a
  SHA1: 5e53fc33ef2a73c2b8479b12e46ed32e26e2b89b
  SHA256: 09d21085ce69f425cc89c04b37036dd78e3c4949f0c30d098a13409b9fcf94c3
  SHA512: f4e26a3c1fa4d2b47d3f90b7e13936b06498aadcdb33ddb0dce96d12b1500e856109855e3f43f9435ac8fd03aee0ca48fa129c86d19c364569ba360ea15f9393
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 98c97d3e37e2ef2917a136b625c61dbd
  SHA1: e802fc7e6dfffb469e43c6be1a6ab28e395e9729
  SHA256: 1f5e742550d0fb77391d281fa8e2ecdbd66c24c4d70a08764f560037b4027b6b
  SHA512: edf349d1cf361f60545a6bd539fbade1b3fd8022fbb386b5e1e40996008798c2a6293d49ff727f2903339d42687663c48dd334c87dee9da2ffaea7da8f68acae
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: e7caf83f9b54eabea651f2528b207fc8
  SHA1: 9cad3ca5939e6e4074da809a05193ee6a3f0520a
  SHA256: 72330c61c04b34f8a91d5303cefb6bd6b2f143194eb475c1c561c3fc829e8e87
  SHA512: c97c3e59526c2d96d3c665e98eb1095c7fc8781054394af84dbeed191afe058e37ff8904a0aa9184194f7fc3a337055b153079cb3818affd9794d2bc3b4694fa
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 5cfe0454657d064d7ca796d99fee21f6
  SHA1: d423f713b0a8e2ea0d8e08fc0a694d1f809d35a9
  SHA256: c745feac7b33643008992bf5a77c3a2b1ce3bed35f4e5604127e52fe89fb60d5
  SHA512: c1d4491115571a54851f54ba98f4365846020cd8810a4e5dea0ab8b55ecf3ade25c9966de1af2074dc5cef7ab2bfcbb08414a713adbc4178ca6d5c9f2d2df1ee
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: e31f56294cce6ef59cc29c5b56882d40
  SHA1: 817637d02594616d3193e2435e9edc2369917bbc
  SHA256: 1c01a136ac5ca620a9fac95b32373a7dd8948bbb4878a91264a44a5b7f81f388
  SHA512: 45b4f142856b84401efa44dcf6094bb9c19521b699436a2f19f991f07ae37d231fe71eef7758a483f55b98422784d2cf54644e5fe47ec46ef388616c64ae0ed1
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: d2a39291951a0aa6c85967822dfbc66a
  SHA1: 163782dfbcff565d1eef2a171766b0a7c367df71
  SHA256: 6dd2d9e53c559bfe5bef373f82ca5684af26409bba7e9fdf082704b1b5d93b32
  SHA512: 4aa856894ce4ba9a712326e59234765298071a835415789d76bc0c32742703dc1a1964206fc4e32fcc37b6bbc98c003e0d66779e7cde2597ebab51366207e5cb
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 03be095ced0331678ffa8b8954d9e1f1
  SHA1: 576c200e840edb99e28dcceb26925637c32c3af3
  SHA256: 237a1a227e604535efd2de4ba09875b5578e6cac8ca44412fd8fad8c0ceab126
  SHA512: e0b01e872cf343c37a459f76afdec9dac3d3d33e3f387e128c05e426682f3fb3742995b1d25820bbd707639f1b4ff85465f9e5b1aa87cedfe0ca10ac0e9fc856
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 857e2059dcceeb27104604353ada8a3a
  SHA1: 175adac9962285a6d1d439c1c2cce414ed88f291
  SHA256: 690b83ee2db1e50872a5ae21bac72455029a6042797ab55a8a8a9eccc240f774
  SHA512: d8fcea2e6025ae4c77071733827dea4cc8d87ea45e8696a28fe69a87a6d4c1a330ddd02f2c96545901984f40dae539432eb5b0944ff1bd477608659af982fd6e
- C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
  Filesize: 369KB
  MD5: 7079223f4284eccaa190e7defa1153cc
  SHA1: 0cc9ac32371e837b5006f4a5a39bd80178ca339a
  SHA256: 17977cf4549f13807702f1298b9111455e7df56f948f4d53ea1ebe6441e54a14
  SHA512: b840209bde31000983c691dc4eb74b2eef7395fdf062b7a9726b8b276264777e434b52ead2cdc9e837574fd9a20ba174df8b04afa9ed4ca731ab2b927991557d
- C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
  Filesize: 8KB
  MD5: 514efe550078fbedb88e23774742e295
  SHA1: 971bcc5648e1a70ef6a9a7c909663d2e01a31473
  SHA256: 673528eae87d1f48f9a8238de868e8f44aa92575744259a7a3e8b5ac34ca9ca2
  SHA512: b952bd54f348b7d39b1a2f2a322068d31a4837988aceb09821bd6f54216f79f356868497b44f17e060e3fc6c5b130caaf247a64dc0bb49569ba4b8472cf34451
- C:\Users\Admin\AppData\Roaming\Adminlog.dat
  Filesize: 15B
  MD5: bf3dba41023802cf6d3f8c5fd683a0c7
  SHA1: 466530987a347b68ef28faad238d7b50db8656a5
  SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
  SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
- memory/1220-48-0x0000000002940000-0x0000000002941000-memory.dmp (Filesize: 4KB)
- memory/2572-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2572-42-0x0000000000010000-0x0000000000030000-memory.dmp (Filesize: 128KB)
- memory/2572-41-0x0000000000010000-0x0000000000030000-memory.dmp (Filesize: 128KB)
- memory/2572-40-0x0000000000010000-0x0000000000030000-memory.dmp (Filesize: 128KB)
- memory/2684-1330-0x00000000742B0000-0x000000007485B000-memory.dmp (Filesize: 5.7MB)
- memory/2684-0-0x00000000742B1000-0x00000000742B2000-memory.dmp (Filesize: 4KB)
- memory/2684-3-0x00000000742B0000-0x000000007485B000-memory.dmp (Filesize: 5.7MB)
- memory/2684-1-0x00000000742B0000-0x000000007485B000-memory.dmp (Filesize: 5.7MB)
- memory/2712-24-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/2712-17-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/2712-7-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/2712-38-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/2712-23-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/2712-967-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/2712-30-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/2712-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2712-9-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/2712-19-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/2712-11-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/2712-13-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/2712-15-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/2868-1335-0x00000000742B0000-0x000000007485B000-memory.dmp (Filesize: 5.7MB)
- memory/2868-1449-0x00000000742B0000-0x000000007485B000-memory.dmp (Filesize: 5.7MB)
- memory/2868-31-0x00000000742B0000-0x000000007485B000-memory.dmp (Filesize: 5.7MB)
- memory/2868-32-0x00000000742B0000-0x000000007485B000-memory.dmp (Filesize: 5.7MB)
- memory/2868-37-0x00000000742B0000-0x000000007485B000-memory.dmp (Filesize: 5.7MB)