Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2024 17:04
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Resource: win7-20240705-en
General
- Target: 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
- Size: 369KB
- MD5: 7079223f4284eccaa190e7defa1153cc
- SHA1: 0cc9ac32371e837b5006f4a5a39bd80178ca339a
- SHA256: 17977cf4549f13807702f1298b9111455e7df56f948f4d53ea1ebe6441e54a14
- SHA512: b840209bde31000983c691dc4eb74b2eef7395fdf062b7a9726b8b276264777e434b52ead2cdc9e837574fd9a20ba174df8b04afa9ed4ca731ab2b927991557d
- SSDEEP: 6144:GStXQhoyq04rVmZ3k4cSbgzsdrVRRetrEpsKHAK3m+jDt+YTvLRUQSOObAIASglQ:yRyBUnZ4urEo2PmSKu44Fkm9U
Malware Config
Extracted
- Family: cybergate
- Version: v1.07.5
- Botnet: Cyber
- C2: 1yop.no-ip.biz:100
- Mutex: 7R65OQ0XHTGJ73
- Attributes:
  - enable_keylogger: true
  - enable_message_box: false
  - ftp_directory: ./logs/
  - ftp_interval: 30
  - injected_process: explorer.exe
  - install_dir: WinDir
  - install_file: Svchost.exe
  - install_flag: true
  - keylogger_enable_ftp: false
  - message_box_caption: Remote Administration anywhere in the world.
  - message_box_title: CyberGate
  - password: 123456
  - regkey_hkcu: HKCU
  - regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 6 IoCs)

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audidgi.exe" | audidgi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | audidgi.exe |
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 6 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI} | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI} | WmiPrwSE.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | WmiPrwSE.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | explorer.exe |
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | WmiPrwSE.exe |
Executes dropped EXE (6 IoCs)

| pid | process |
|---|---|
| 2452 | audidgi.exe |
| 3812 | WmiPrwSE.exe |
| 1760 | WmiPrwSE.exe |
| 516 | WmiPrwSE.exe |
| 1244 | Svchost.exe |
| 4936 | Svchost.exe |

Yara rule matches:

| resource | yara_rule |
|---|---|
| behavioral2/memory/2980-26-0x0000000010410000-0x0000000010475000-memory.dmp | upx |
| behavioral2/memory/1760-40-0x0000000010410000-0x0000000010475000-memory.dmp | upx |
| behavioral2/memory/1760-36-0x0000000010480000-0x00000000104E5000-memory.dmp | upx |
Adds Run key to start application (2 TTPs, 3 IoCs)

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audidgi.exe" | audidgi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
Drops file in System32 directory (6 IoCs)

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | WmiPrwSE.exe |
| File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | WmiPrwSE.exe |
| File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | WmiPrwSE.exe |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | WmiPrwSE.exe |
Suspicious use of SetThreadContext (3 IoCs)

| description | pid | process | target process |
|---|---|---|---|
| PID 4168 set thread context of 2980 | 4168 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| PID 3812 set thread context of 1760 | 3812 | WmiPrwSE.exe | WmiPrwSE.exe |
| PID 1244 set thread context of 4936 | 1244 | Svchost.exe | Svchost.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (4 IoCs)

| pid | pid_target | process | target process |
|---|---|---|---|
| 2792 | 916 | WerFault.exe | explorer.exe |
| 3820 | 4936 | WerFault.exe | Svchost.exe |
| 4912 | 3904 | WerFault.exe | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| 4700 | 3904 | WerFault.exe | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WmiPrwSE.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Svchost.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | audidgi.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WmiPrwSE.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WmiPrwSE.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Svchost.exe |
Modifies registry class (1 IoC)

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WmiPrwSE.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

Processes (unique pid/process pairs):

| pid | process |
|---|---|
| 4168 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| 2452 | audidgi.exe |
| 3812 | WmiPrwSE.exe |
| 2980 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| 1760 | WmiPrwSE.exe |
| 1244 | Svchost.exe |
Suspicious behavior: GetForegroundWindowSpam (1 IoC)

| pid | process |
|---|---|
| 516 | WmiPrwSE.exe |
Suspicious use of AdjustPrivilegeToken (12 IoCs)

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 4168 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| Token: SeDebugPrivilege | 2452 | audidgi.exe |
| Token: SeDebugPrivilege | 3812 | WmiPrwSE.exe |
| Token: SeBackupPrivilege | 3264 | explorer.exe |
| Token: SeRestorePrivilege | 3264 | explorer.exe |
| Token: SeBackupPrivilege | 516 | WmiPrwSE.exe |
| Token: SeRestorePrivilege | 516 | WmiPrwSE.exe |
| Token: SeDebugPrivilege | 516 | WmiPrwSE.exe |
| Token: SeDebugPrivilege | 516 | WmiPrwSE.exe |
| Token: SeDebugPrivilege | 1244 | Svchost.exe |
| Token: SeBackupPrivilege | 3904 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| Token: SeRestorePrivilege | 3904 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
Suspicious use of FindShellTrayWindow (2 IoCs)

| pid | process |
|---|---|
| 2980 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| 1760 | WmiPrwSE.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

Processes (unique source/target pairs; the report repeats each pair many times):

| description | pid | process | target process |
|---|---|---|---|
| PID 4168 wrote to memory of 2980 | 4168 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe |
| PID 4168 wrote to memory of 2452 | 4168 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe | audidgi.exe |
| PID 2452 wrote to memory of 3812 | 2452 | audidgi.exe | WmiPrwSE.exe |
| PID 3812 wrote to memory of 1760 | 3812 | WmiPrwSE.exe | WmiPrwSE.exe |
| PID 2980 wrote to memory of 3416 | 2980 | 7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe | Explorer.EXE |
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"
    signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
      command line: C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
      signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe
        command line: explorer.exe
        - C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 76
          signatures: Program crash
      - C:\Program Files\Internet Explorer\iexplore.exe
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"
        signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1020
          signatures: Program crash
        - C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1028
          signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
      command line: C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
      signatures: Adds policy Run key to start application; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
        command line: C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
          command line: C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
          signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow
          - C:\Windows\SysWOW64\explorer.exe
            command line: explorer.exe
            signatures: Boot or Logon Autostart Execution: Active Setup; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
          - C:\Program Files\Internet Explorer\iexplore.exe
            command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe"
            signatures: Checks computer location settings; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\SysWOW64\WinDir\Svchost.exe
              command line: "C:\Windows\system32\WinDir\Svchost.exe"
              signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
              - C:\Windows\SysWOW64\WinDir\Svchost.exe
                command line: C:\Windows\SysWOW64\WinDir\Svchost.exe
                signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
                - C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 596
                  signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 916 -ip 916
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4936 -ip 4936
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3904 -ip 3904
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3904 -ip 3904
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Active Setup (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Active Setup (1)
Downloads

| Path | Filesize | MD5 | SHA1 | SHA256 | SHA512 |
|---|---|---|---|---|---|
| C:\Users\Admin\AppData\Local\Temp\Admin2.txt | 224KB | 919ba70cec60edcb60768e19cd141dd3 | a85d036a5870e1e93452e1fbf2038bef742aa5b1 | 0fef70d7ec92abd277f6c0e8edcf4763148e99510027f19588cb524181eba236 | 24ee99a918afbed8dd23074d8fc4261f7c91cf1eea14088dd841732cdc57e8cb903a370e98c728d4869dbd3bd831f8987f309bad2eb34c3493ee3a0018435b24 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 2c360695886afe7208b71059b1e49ba7 | 26288135beef8b92e87e1da338a395273c421096 | 598df483c2c8fe22e93c53ddfd1d39b2b06e128b0a7954bba8099791b78e5454 | e2a4c8dff6bef4c3b6fc641371400830268ddd6118b04f25b29161be715dd974bc3d13c6b4034ed88852221584f993635168ce477914c21a8af7767c387519e2 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | cc941502c8372c30ee1f58ffc8f78799 | b50d8cf4e18ef1f32dee8baaedcd11191bc87a31 | 83398c7cdbe4d971934d8ee59b0e2db62de0b250b3ffc955592cd11234c42efc | 1c2279f37f8df63c5b79f8234008d743ed28e834eaccfabc72942f17333c8508de544eddcecb04f8f61eb59361ceec14cbc0b040a14dd2af57a18dc5ea257ef2 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 701f2d42263c30b6a1414bdd49d788c7 | f9e6e49500bf43dbeb5e1931a4cc3319db8c64c1 | 570731d766778063081d6e7b6b0591a4504a2a32e186616f475ad08ce18a74bb | 7e377451cd77922ba4ef163464fb6609b750c12f7284315935c00bd214a0b4d0b54413254b5000a91e03002cf736348be3554923bae3fb1bac75344ee03905d8 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 09102a032025408f6b4012808c287bf6 | c91ac053b22fbefc448c611f20c4fdcb4b1b8729 | 039fde84c67d69fee84e46bd379429cdbe746115fd583a40439060ecc38f328f | 06a7feba922b73a3327fbc7ffb2ad7b9546d326eefafaa99680ec5feca01fcd1c7a051e43307464d918ba66e7df3d97e47411dcb601727a366e7670a53d31021 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 83cf676b847fd9925e632dde99d9bdb3 | 01e38037843f6f07cb8035a2e11753518f259f5b | d469e67e5cb4f28f000ae237fffd99667854cea45fbcf9d3df17a7b6dc2315ee | c12da63bb85d8a6954337f5aff36b18bfe9a067d0509982a2b2529abc4a3413f9fd93f6801f672ca305e43cca823b0d330b26080242498cdea3ce57f043381f1 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 35e287edecf363c94a4151d07ed58588 | b6d7867c7b305f1443a847ebe11b762ece65b2a1 | e951521cfb4a3eb8ef4cbaa3a6f881f17e4556edb315c747c1dc9a7a6cdc16c4 | 3a7dbbe86918fdf765f5cf3a804f5935655269799b7320d347b82d0771529cad2f1f153613fefdab6595186cfa85ce6da0595f91b4e7838778fbb2f2d87f70ee |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 48a17c2d18c5eb847e0219c4b4dca20d | 66a5fe81ef145de42b765d14b7eb081cb007221d | ec94a418ca61d810505609d1f69c3c8e34e68a7ff4aca49c4923fc56a2242791 | 06d9294c4ce2e3503bd387074302a4a5d12cda2a046d728fbd48a9b7cbdbfa5cf77c3cea90c0570079b44452c4d64971ed80ad69830df7585e2c12dc571e3054 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | cb173be46e060e86490aab9a33eeee7e | db96cdbf9469bcdd26a42290c5e611e67d181e9a | bc1ad32f6b7120349aeade9f3be4b0ff78a39f113c2859cb93b02f18c517704d | 38e1ea476184e553ba4ea8a44776fc49d4486d0322e4164fd678965cd94dc0a1fb135f8ad26768511c40031b053b22d90b02855478d3f202961297cae15121fe |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 75f91e87a61df435d5f196a629528b5a | 240abfd7974a65887d0378fbd354267d721dbdba | 5ce2c6b00c262ac80246dc0bd122a4c4a3f63148dbdea79e4d52fd1e665cb7e4 | 2bfcbdaf8bc5451acf62af2bd09091798458451f01e169685810d10d696a4f5ba085f111c7edba1614cdbe69d71120743672a5a9afb25f8edc44727a21715377 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | acd70db2b704ca2ce243400f7b0b82d4 | e529f3d1abd96c9a010da0f18571807ff1ac9e68 | 273a95e113c9342db080e3daf32594b2886683dc074737f00b32284857ec116e | bfbbbbe9271162adfbd2e4ee8b149af25c7a9e76fe3dad67ffcd1fedbfe636533d08875b9ac25adda167e04d0d5347a9c0d99421dcef9c2b82fe9a6392a21b96 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 948734250cec8fcdda6c67d29c526a91 | 58ffbe6276285a6f3da38b2ccf47f0f744d3ba8c | c334eb37f5452f68e0e3e640cfeeec57fccfbeedad6b89791e5abcd8af8f267c | 16b3d8abaeb064d4f799c510830599bc79c12c81844a22fdc517609c842e758bdfa8dc0b7bd079a6d12b2cad7f090a822657910e1ea75fbccb3b437e16176921 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | eb699d886dedf0d9a1f264a78c0b2c89 | 14ca9b1ec8ce78d02c492b9a6232473005b29d44 | 7960924647e7d782838374217f1d440f791ce2348446139ae2ad427f7b847221 | 4d64df2685939afe1fa5ecb8441427f20552bad548f195e5140068e40a1d3054427878efd681ec4a4f898a354fbfd8de0079c813a4f7f1844a455455fcac05f8 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 149582553a499982e1085aa992a11524 | 4dc6a032f1287890635d7585c092fe85c4d47447 | 1aeebe658a2d36768a2594f07c6442c777bf998ad832fba7014dc8af1aac4f18 | 03caaf3f9eebce0e28a357aebad6dd22cd585b9298ccddcf5e9bdf521e8d99165c03bee4d90c99c87d3279cc835fcb8fcaaa7ae33873df42f7a0c0979f634181 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 955be95c10959f058b952f1a0f883d6f | 11b0da6776845fab3614dba061c7840ef01a5e9a | 6e61d11fa333f4400888734cd4ae9ef9100696b7e93c94fca2942017b3bd9526 | d6bbef4a85c67a01d47982a56c81c08fcf2acbeff2bf26ee4d2f140a2f329b407addeb78874d21bac4fe9fbace4fefbb21e53463902fee4a50c6514312846f5e |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 861f083ae441475137ec11cca696b5de | ae7af2b788a3443e9d922117e894e3b40c7424f2 | 9010fdc44c7b535bc67d2cb035a99fa2f66bd97c715f188ba45ba07609a0ddba | a11588ae7bacc0b381e4c2950f81fd845600d704b0a7d0a245a6ee9da07d2d077385e0e9dc35e4508a7e2d8630106cb610aeac269163e9d5aa081c1bd7c9a8af |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 09d10ddfcf25d00a39fa26b4a5708b37 | a0ac63c26a8e5927c0e5a6a67a94b063776057da | 36bc62e827d9f97aed54c6af7c32d23e52fc30a8c889e4200ea9b9bb44087799 | 2ffe1a253b273c0ba1fbe16bdeb0c070150e259f65bef02157a305f5ac8cb4e3a001f0c89b3066677b035716e67f469e035aa2c0b716ec1cb3e7ca92d7c68bea |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | 3de31b4c801e3d1c6b4b1f1030ed4c8b | 1ba01b05c05921a46db6cb2372d4df4faedd334c | db691e41ecea70c059d98416f50c088de674862a624465b059d660ba1fd6cc46 | 839c64c874945b2333adc3b13cde2273316f2839538ba7565f5040a95056d90952b13a4cb5310be0fdfca79f71a7ac8a360d133519ba2050319e8f915295c784 |
| C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B | f2ea15b40d734fbdfd2d11dab89a71ad | ed7d202326ed2b0464646d5764b372432ddcaff6 | bdd059bf6263e7d299ccdba6b3acd3de648a6375f6bb4c4a36d93ec888441cbd | 97c4b32808329cb72f8311248ac8a1e175954c15c1bc037fb49024845b0887d387b42ee37fe9906d451fa082f0baa3cd06de51b9d419809a40912deea6559add |
| C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe | 369KB | 7079223f4284eccaa190e7defa1153cc | 0cc9ac32371e837b5006f4a5a39bd80178ca339a | 17977cf4549f13807702f1298b9111455e7df56f948f4d53ea1ebe6441e54a14 | b840209bde31000983c691dc4eb74b2eef7395fdf062b7a9726b8b276264777e434b52ead2cdc9e837574fd9a20ba174df8b04afa9ed4ca731ab2b927991557d |
| C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe | 8KB | 514efe550078fbedb88e23774742e295 | 971bcc5648e1a70ef6a9a7c909663d2e01a31473 | 673528eae87d1f48f9a8238de868e8f44aa92575744259a7a3e8b5ac34ca9ca2 | b952bd54f348b7d39b1a2f2a322068d31a4837988aceb09821bd6f54216f79f356868497b44f17e060e3fc6c5b130caaf247a64dc0bb49569ba4b8472cf34451 |
| C:\Users\Admin\AppData\Roaming\Adminlog.dat | 15B | bf3dba41023802cf6d3f8c5fd683a0c7 | 466530987a347b68ef28faad238d7b50db8656a5 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |

Memory dumps:

| Region | Filesize |
|---|---|
| memory/916-30-0x0000000000D40000-0x0000000000D41000-memory.dmp | 4KB |
| memory/916-31-0x0000000001000000-0x0000000001001000-memory.dmp | 4KB |
| memory/1760-36-0x0000000010480000-0x00000000104E5000-memory.dmp | 404KB |
| memory/1760-40-0x0000000010410000-0x0000000010475000-memory.dmp | 404KB |
| memory/2452-1160-0x0000000074FF0000-0x00000000755A1000-memory.dmp | 5.7MB |
| memory/2452-928-0x0000000074FF0000-0x00000000755A1000-memory.dmp | 5.7MB |
| memory/2452-21-0x0000000074FF0000-0x00000000755A1000-memory.dmp | 5.7MB |
| memory/2452-16-0x0000000074FF0000-0x00000000755A1000-memory.dmp | 5.7MB |
| memory/2980-8-0x0000000000400000-0x0000000000451000-memory.dmp | 324KB |
| memory/2980-10-0x0000000000400000-0x0000000000451000-memory.dmp | 324KB |
| memory/2980-26-0x0000000010410000-0x0000000010475000-memory.dmp | 404KB |
| memory/2980-7-0x0000000000400000-0x0000000000451000-memory.dmp | 324KB |
| memory/3812-1402-0x0000000074FF0000-0x00000000755A1000-memory.dmp | 5.7MB |
| memory/3812-1161-0x0000000074FF0000-0x00000000755A1000-memory.dmp | 5.7MB |
| memory/3812-22-0x0000000074FF0000-0x00000000755A1000-memory.dmp | 5.7MB |
| memory/4168-927-0x0000000074FF0000-0x00000000755A1000-memory.dmp | 5.7MB |
| memory/4168-695-0x0000000074FF2000-0x0000000074FF3000-memory.dmp | 4KB |
| memory/4168-2-0x0000000074FF0000-0x00000000755A1000-memory.dmp | 5.7MB |
| memory/4168-0-0x0000000074FF2000-0x0000000074FF3000-memory.dmp | 4KB |
| memory/4168-1-0x0000000074FF0000-0x00000000755A1000-memory.dmp | 5.7MB |