Malware Analysis Report

2024-09-22 09:05

Sample ID 240725-vldr3awelc
Target 7079223f4284eccaa190e7defa1153cc_JaffaCakes118
SHA256 17977cf4549f13807702f1298b9111455e7df56f948f4d53ea1ebe6441e54a14
Tags
cybergate cyber discovery persistence stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

17977cf4549f13807702f1298b9111455e7df56f948f4d53ea1ebe6441e54a14

Threat Level: Known bad

The file 7079223f4284eccaa190e7defa1153cc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate cyber discovery persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-25 17:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 17:04

Reported

2024-07-25 17:07

Platform

win7-20240705-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audidgi.exe" C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI} C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audidgi.exe" C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 2684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 2684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 2684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 2684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 2684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 2684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 2684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 2684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 2684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 2684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 2684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 2684 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
PID 2684 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
PID 2684 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
PID 2684 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
PID 2868 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2868 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2868 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2868 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2724 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2724 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2724 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2724 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2724 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2724 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2724 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2724 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2712 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe

C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\system32\WinDir\Svchost.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

C:\Windows\SysWOW64\WinDir\Svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/2684-0-0x00000000742B1000-0x00000000742B2000-memory.dmp

memory/2684-1-0x00000000742B0000-0x000000007485B000-memory.dmp

memory/2684-3-0x00000000742B0000-0x000000007485B000-memory.dmp

memory/2712-7-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2712-23-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2712-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2712-19-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2712-17-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2712-15-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2712-13-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2712-11-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2712-9-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2712-24-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe

MD5 514efe550078fbedb88e23774742e295
SHA1 971bcc5648e1a70ef6a9a7c909663d2e01a31473
SHA256 673528eae87d1f48f9a8238de868e8f44aa92575744259a7a3e8b5ac34ca9ca2
SHA512 b952bd54f348b7d39b1a2f2a322068d31a4837988aceb09821bd6f54216f79f356868497b44f17e060e3fc6c5b130caaf247a64dc0bb49569ba4b8472cf34451

memory/2868-31-0x00000000742B0000-0x000000007485B000-memory.dmp

memory/2712-30-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2868-32-0x00000000742B0000-0x000000007485B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe

MD5 7079223f4284eccaa190e7defa1153cc
SHA1 0cc9ac32371e837b5006f4a5a39bd80178ca339a
SHA256 17977cf4549f13807702f1298b9111455e7df56f948f4d53ea1ebe6441e54a14
SHA512 b840209bde31000983c691dc4eb74b2eef7395fdf062b7a9726b8b276264777e434b52ead2cdc9e837574fd9a20ba174df8b04afa9ed4ca731ab2b927991557d

memory/2712-38-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2868-37-0x00000000742B0000-0x000000007485B000-memory.dmp

memory/2572-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2572-42-0x0000000000010000-0x0000000000030000-memory.dmp

memory/2572-41-0x0000000000010000-0x0000000000030000-memory.dmp

memory/2572-40-0x0000000000010000-0x0000000000030000-memory.dmp

memory/1220-48-0x0000000002940000-0x0000000002941000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 ca46c5f9060503c809cb6e70f8be3a7d
SHA1 4565db2ccc1e874b3db4982d56604f00a105a9a1
SHA256 16d3c4f7c7407f1f662c694d24a87abfed3faff4d899cc5ecb125ea0c9967009
SHA512 a5fb6f2812174abdd936fafb52e469b845116069273f04d6e4be12602a6bfcd2f9363db0c5c619385bdb7832996d8b7b3f0bee7449e44406f3f49600f21f6514

memory/2712-967-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 64b1db6a7fee77b2b3a2a1a88d012e22
SHA1 5557d5598dde960b617e09fa5b9fd7592e963442
SHA256 bdb65c9986c08f754ed47e47d8510b3e0ff448c71347b93b5ecf94a1b829ef76
SHA512 b48a8a1a597191a6b078bb364c00a28e91c06ae8e9bc009032a20c1013a93edd5f126aaa67331641e61be6a7a7541292117b3251ca75203563aeecac7815b859

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6829b37bb4b7580f13a7ef2d74a6b7f5
SHA1 5798032adcb64feec5ebc945aa6904df873d3974
SHA256 3b107b880378cca694b576bad8c959c54153f1f7b3b5532a0426d51c61a1fbd3
SHA512 9a6fa4e50a8b04939ceef6cd4bf3fd6896f1de85b6ad330901f27dfa2e1ff3661c62dcd4d1447e349f6af40721c4fbd33972d73272759ef146794d2dcd740f5d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5dada78ad50a4b4c503b79cdcc074f3c
SHA1 ef3f58e63c5a04864eaf014e6ea2b0ade7f44cbb
SHA256 93cbb9ac22775a860530e71b9343024e34ed8711ad91e1fdeb96d2b76171dcb6
SHA512 65818cec282c0c427a3313e58f4ae02e0029a0ef94a0a00ef1f65a39dc44e1ba93113e39bdded6edf661dcae9952fa0d8ede924d184bd14d01e29bd2f09e7c2b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a8ca0efd1a9e5f2429f7f9cc253178d2
SHA1 161fc7e0d2c6ae99b1d1997d2cfa82c0018bc141
SHA256 b42d338c40c9eaceda89263544687e10e975fe992dc860894d6c37461d5e8ba2
SHA512 3fd6f19f4eac17fbaa14172396a5d148999c01bc28d190f93ffdab6aca1dc56b53fa2cf1b960d1cefe5fedda5ff699bf55f8893d34035776c0583b36f10dac84

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0a09f8aa2587b1f466bca2a46e0a68da
SHA1 177e62c81e708ecf6e3164043c441bec1d868024
SHA256 b1d8378d451fce49397694c93657a7be384b8798efcbc05b7d97593c3103f96f
SHA512 6cd65caa3574a5ac93e534a8ed1d7859427709919a8f0d389c16fa20e256ab585f4e4def269ea0ffc2be935f7b5d313d45afb337422fac658070eb106c9469b4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9b91a20dfb5f69d4468ee5ca2cd59b6f
SHA1 dd3f53c5b15cdec665bd7961dee4142f4faf29ea
SHA256 774964dd68ec19f8e688e4cb5eb6cd75566ea81cea6d5cf522efef69f58506ed
SHA512 d5b5252afa376ba4d17b6fbace5ff0585cc6c926793a352fc77b6f5793b318146bd21cea6914bea6d20c83e956bdda9c148841fff7987d2719b2752dc3619140

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 11e0d5d61359f3d6f8afc49e832ea55a
SHA1 5e53fc33ef2a73c2b8479b12e46ed32e26e2b89b
SHA256 09d21085ce69f425cc89c04b37036dd78e3c4949f0c30d098a13409b9fcf94c3
SHA512 f4e26a3c1fa4d2b47d3f90b7e13936b06498aadcdb33ddb0dce96d12b1500e856109855e3f43f9435ac8fd03aee0ca48fa129c86d19c364569ba360ea15f9393

memory/2684-1330-0x00000000742B0000-0x000000007485B000-memory.dmp

memory/2868-1335-0x00000000742B0000-0x000000007485B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 98c97d3e37e2ef2917a136b625c61dbd
SHA1 e802fc7e6dfffb469e43c6be1a6ab28e395e9729
SHA256 1f5e742550d0fb77391d281fa8e2ecdbd66c24c4d70a08764f560037b4027b6b
SHA512 edf349d1cf361f60545a6bd539fbade1b3fd8022fbb386b5e1e40996008798c2a6293d49ff727f2903339d42687663c48dd334c87dee9da2ffaea7da8f68acae

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e7caf83f9b54eabea651f2528b207fc8
SHA1 9cad3ca5939e6e4074da809a05193ee6a3f0520a
SHA256 72330c61c04b34f8a91d5303cefb6bd6b2f143194eb475c1c561c3fc829e8e87
SHA512 c97c3e59526c2d96d3c665e98eb1095c7fc8781054394af84dbeed191afe058e37ff8904a0aa9184194f7fc3a337055b153079cb3818affd9794d2bc3b4694fa

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5cfe0454657d064d7ca796d99fee21f6
SHA1 d423f713b0a8e2ea0d8e08fc0a694d1f809d35a9
SHA256 c745feac7b33643008992bf5a77c3a2b1ce3bed35f4e5604127e52fe89fb60d5
SHA512 c1d4491115571a54851f54ba98f4365846020cd8810a4e5dea0ab8b55ecf3ade25c9966de1af2074dc5cef7ab2bfcbb08414a713adbc4178ca6d5c9f2d2df1ee

memory/2868-1449-0x00000000742B0000-0x000000007485B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e31f56294cce6ef59cc29c5b56882d40
SHA1 817637d02594616d3193e2435e9edc2369917bbc
SHA256 1c01a136ac5ca620a9fac95b32373a7dd8948bbb4878a91264a44a5b7f81f388
SHA512 45b4f142856b84401efa44dcf6094bb9c19521b699436a2f19f991f07ae37d231fe71eef7758a483f55b98422784d2cf54644e5fe47ec46ef388616c64ae0ed1

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d2a39291951a0aa6c85967822dfbc66a
SHA1 163782dfbcff565d1eef2a171766b0a7c367df71
SHA256 6dd2d9e53c559bfe5bef373f82ca5684af26409bba7e9fdf082704b1b5d93b32
SHA512 4aa856894ce4ba9a712326e59234765298071a835415789d76bc0c32742703dc1a1964206fc4e32fcc37b6bbc98c003e0d66779e7cde2597ebab51366207e5cb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 03be095ced0331678ffa8b8954d9e1f1
SHA1 576c200e840edb99e28dcceb26925637c32c3af3
SHA256 237a1a227e604535efd2de4ba09875b5578e6cac8ca44412fd8fad8c0ceab126
SHA512 e0b01e872cf343c37a459f76afdec9dac3d3d33e3f387e128c05e426682f3fb3742995b1d25820bbd707639f1b4ff85465f9e5b1aa87cedfe0ca10ac0e9fc856

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 857e2059dcceeb27104604353ada8a3a
SHA1 175adac9962285a6d1d439c1c2cce414ed88f291
SHA256 690b83ee2db1e50872a5ae21bac72455029a6042797ab55a8a8a9eccc240f774
SHA512 d8fcea2e6025ae4c77071733827dea4cc8d87ea45e8696a28fe69a87a6d4c1a330ddd02f2c96545901984f40dae539432eb5b0944ff1bd477608659af982fd6e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e10b0fad19664950ed7825b7bc14774b
SHA1 c3f27ff9a735091953cb51caedf66d68d382106e
SHA256 1473d289a4dfa02654a355d32b15f3a6b31bceaa40eddc109c2fe347609aa4a5
SHA512 9ae73e7af4ef0ac35d3519de4039c08a39011304d65a6eee43d928b0868a8022dac0a6ba16f3a7f63839a6a970a12bcea7c1de0eb5b7ecee0d9c41bc06caf6dd

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 50d2e034971354d81f6291bc1ea0cfe0
SHA1 d9153d29eebff478b15c8421348d275ed278b234
SHA256 66fbc608152b68cec90a496074226e34fbcb763b8755f6d552fc05f885a3e72a
SHA512 dcde586f6c3367aa8b6ebeb793483f220dc2d20053a53b632902be627034fddf7d264f2c147b833e226c3ee5121dc3db348977db68aa3a88cbf6cf7d766cb873

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0ce489ada6b851cbfb7ef59ede511861
SHA1 c0f243b529353225bfefec2d7fd03e6fafbe31cb
SHA256 8ea338910a2d42ebb00066d5fea915ab674c2065822a1ead5676e2da1fd95da8
SHA512 7a6d1a787567675d57bf671bb8281e1b5813ab426295fa19704d6aee8f479ec631372836d1481295dcc6a367f7ed6405dc6f7f30cc8b584f00ddb94b1788f49b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8cb8f619cfc22fd1b29e27123c637a8b
SHA1 957d6b8559b8b5e0ed53bb4297c0e15e23254559
SHA256 990d4e75f202c94f0977b854dd60713d58b1549a046a02d9a4cf3eeb1b57e585
SHA512 d27e4cfd84cee0e55421e5311830e12e89217d14a6330adb11815ae95947e89329de304c449eee729b53dac400bd42d7a336ce4bad882f36f13dea42136fee0e

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 17:04

Reported

2024-07-25 17:08

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audidgi.exe" C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI} C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI} C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audidgi.exe" C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
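The three persistence tables above record the same Svchost.exe lookalike being registered four ways: the Policies\Explorer\Run list, the ordinary Run keys under both hives, and an Active Setup component whose StubPath runs "Svchost.exe Restart" at the next logon of any user that has no HKCU record for it. Two details a hunter should key on: the binary is named like a system process but lives in a WinDir subfolder (the registry data says system32, the file lands in SysWOW64 because the 32-bit dropper is subject to WOW64 file system redirection), and the Active Setup component ID is not a well-formed GUID. The script below is an added example, not part of the sandbox output or of CyberGate itself; it parses the rows exactly as printed here (the report doubles backslashes inside quoted data) and applies those checks. The lists of system image names and user-writable path markers are my own assumptions and should be extended for a real environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the persistence rows from this report's behavioral2
# signature tables, one sandbox event per line, copied as the report prints them
# (the report doubles backslashes inside quoted value data).
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audidgi.exe" C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI} C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
""".strip().splitlines()

# Row shapes as the sandbox prints them:
#   Set value (str) <key>\<name> = "<data>" <process> N/A
#   Key created <key> <process> N/A
SET_VALUE = re.compile(
    r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>[^"]*)" (?P<proc>\S+) N/A$')
KEY_CREATED = re.compile(
    r'^Key created (?P<key>\\REGISTRY\\.+?) (?P<proc>[A-Za-z]:\\\S+) N/A$')

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Assumed lists: where these image names legitimately live, and path markers that
# mean "writable by a standard user". Extend both for a real environment.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows"}
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "wmiprvse.exe", "lsass.exe", "csrss.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Autostart:
    key: str               # registry key as printed by the sandbox
    name: Optional[str]    # value name; None for bare "Key created" events
    data: Optional[str]    # value data with the doubled backslashes undone
    process: str           # process that performed the write


Finding = Tuple[str, str, Optional[str], str]   # (reason, location, data, process)


def parse_rows(rows: List[str]) -> List[Autostart]:
    entries = []
    for row in rows:
        m = SET_VALUE.match(row)
        if m:
            data = m.group("data").replace("\\\\", "\\")
            entries.append(Autostart(m.group("key"), m.group("name"), data, m.group("proc")))
            continue
        m = KEY_CREATED.match(row)
        if m:
            entries.append(Autostart(m.group("key"), None, None, m.group("proc")))
    return entries


def image_path(command: str) -> str:
    """First token of an autostart command. Assumption: a quoted path uses "...",
    an unquoted one contains no spaces (true for every row in this report)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def masquerades_system_binary(path: str) -> bool:
    """A well-known system image name running from outside the system directories."""
    directory, _, basename = path.lower().rpartition("\\")
    return basename in SYSTEM_NAMES and directory not in SYSTEM_DIRS


def audit(entries: List[Autostart]) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()

    def add(reason, location, data, process):
        if (reason, location.lower()) not in seen:   # Software vs SOFTWARE is one key
            seen.add((reason, location.lower()))
            findings.append((reason, location, data, process))

    for e in entries:
        if "\\active setup\\installed components\\" in e.key.lower():
            component = e.key.rsplit("\\", 1)[1]
            if component.startswith("{") and not GUID_RE.match(component):
                add("active-setup-bad-guid", e.key, None, e.process)
        if e.data is None:
            continue
        location = e.key + "\\" + e.name
        image = image_path(e.data)
        if masquerades_system_binary(image):
            add("system-name-outside-system-dir", location, e.data, e.process)
        if any(marker in image.lower() for marker in USER_WRITABLE):
            add("autostart-from-user-writable", location, e.data, e.process)
    return findings


if __name__ == "__main__":
    for reason, location, data, process in audit(parse_rows(SAMPLE_ROWS)):
        print(f"{reason:32} {location}\n{'':32} data={data!r} by {process}")
```

On the rows above this yields six findings: four Svchost.exe-outside-System32 hits (Policies\Explorer\Run, the Active Setup StubPath, Run\HKLM and Run\HKCU), one malformed Active Setup component ID, and one autostart pointing into %TEMP% (audidgi.exe). The same checks translate directly into a live-host query of those four registry locations.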

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
PID 4168 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
PID 4168 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
PID 4168 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
PID 2452 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2452 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2452 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 3812 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
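Read as a graph rather than a list, the WriteProcessMemory rows above describe one chain starting at the dropper (PID 4168): it writes into a second copy of itself (2980) and into the dropped audidgi.exe (2452); audidgi.exe writes into WmiPrwSE.exe (3812), which in turn writes into another WmiPrwSE.exe (1760); and the hollow copy 2980 writes 32 times into the desktop Explorer.EXE (3416). The script below is an added example, not part of the sandbox output; it rebuilds that graph from the rows, finds the root, enumerates root-to-leaf chains, counts writes per edge and labels each edge. The labels (a write into an OS-owned image, a write into a child running the same image, anything else) are my own triage categories, not sandbox signatures.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Row shape as the sandbox prints it:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$")

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"
AUDIDGI = r"C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe"
WMIPRWSE = r"C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"


def _rows(src: int, dst: int, src_img: str, dst_img: str, n: int) -> List[str]:
    return [f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"] * n


# Constructed sample: the five distinct rows of this report's WriteProcessMemory
# table, each repeated as often as the report lists it (13, 3, 3, 13 and 32 times).
SAMPLE_ROWS = (
    _rows(4168, 2980, SAMPLE_EXE, SAMPLE_EXE, 13)
    + _rows(4168, 2452, SAMPLE_EXE, AUDIDGI, 3)
    + _rows(2452, 3812, AUDIDGI, WMIPRWSE, 3)
    + _rows(3812, 1760, WMIPRWSE, WMIPRWSE, 13)
    + _rows(2980, 3416, SAMPLE_EXE, EXPLORER, 32)
)

Event = Tuple[int, int, str, str]   # (src pid, dst pid, src image, dst image)


@dataclass
class InjectionGraph:
    counts: Counter = field(default_factory=Counter)              # (src, dst) -> write events
    images: Dict[int, str] = field(default_factory=dict)          # pid -> image path
    children: Dict[int, List[int]] = field(default_factory=dict)  # src -> targets, first-seen order


def parse_events(rows: List[str]) -> List[Event]:
    events = []
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def build_graph(events: List[Event]) -> InjectionGraph:
    g = InjectionGraph()
    for src, dst, src_img, dst_img in events:
        g.counts[(src, dst)] += 1
        g.images.setdefault(src, src_img)
        g.images.setdefault(dst, dst_img)
        targets = g.children.setdefault(src, [])
        if dst not in targets:
            targets.append(dst)
    return g


def roots(g: InjectionGraph) -> List[int]:
    """Writers that nobody wrote into: where each chain starts."""
    written_into = {dst for targets in g.children.values() for dst in targets}
    return [src for src in g.children if src not in written_into]


def chains(g: InjectionGraph) -> List[List[int]]:
    """Every root-to-leaf path of cross-process writes."""
    paths: List[List[int]] = []

    def walk(pid: int, path: List[int]) -> None:
        if pid not in g.children:
            paths.append(path)
            return
        for child in g.children[pid]:
            walk(child, path + [child])

    for r in roots(g):
        walk(r, [r])
    return paths


def classify_edge(g: InjectionGraph, src: int, dst: int) -> str:
    src_img, dst_img = g.images[src].lower(), g.images[dst].lower()
    if dst_img.startswith("c:\\windows\\"):
        return "write-into-os-process"   # e.g. the 32 writes into Explorer.EXE
    if src_img == dst_img:
        return "same-image-child"        # a fresh copy of itself is being overwritten
    return "cross-image"


def summarize(g: InjectionGraph) -> List[Tuple[int, int, int, str]]:
    return [(src, dst, g.counts[(src, dst)], classify_edge(g, src, dst))
            for src in g.children for dst in g.children[src]]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def render_chain(g: InjectionGraph, chain: List[int]) -> str:
    return " -> ".join(f"{pid} {basename(g.images[pid])}" for pid in chain)


if __name__ == "__main__":
    graph = build_graph(parse_events(SAMPLE_ROWS))
    for c in chains(graph):
        print(render_chain(graph, c))
    for src, dst, n, label in summarize(graph):
        print(f"{src} -> {dst}: {n} writes, {label}")
```

Same-image writes into a child the parent just spawned are the memory-side half of the pattern that the "Suspicious use of SetThreadContext" signature flags from the thread side; the two chains this produces (4168 -> 2980 -> 3416 Explorer.EXE and 4168 -> 2452 -> 3812 -> 1760) match the process list further down.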

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe

C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 916 -ip 916

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 76

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe

"C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\system32\WinDir\Svchost.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

C:\Windows\SysWOW64\WinDir\Svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4936 -ip 4936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 596

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3904 -ip 3904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3904 -ip 3904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1028

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/4168-0-0x0000000074FF2000-0x0000000074FF3000-memory.dmp

memory/4168-1-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/4168-2-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/2980-8-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2980-7-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe

MD5 514efe550078fbedb88e23774742e295
SHA1 971bcc5648e1a70ef6a9a7c909663d2e01a31473
SHA256 673528eae87d1f48f9a8238de868e8f44aa92575744259a7a3e8b5ac34ca9ca2
SHA512 b952bd54f348b7d39b1a2f2a322068d31a4837988aceb09821bd6f54216f79f356868497b44f17e060e3fc6c5b130caaf247a64dc0bb49569ba4b8472cf34451

memory/2980-10-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe

MD5 7079223f4284eccaa190e7defa1153cc
SHA1 0cc9ac32371e837b5006f4a5a39bd80178ca339a
SHA256 17977cf4549f13807702f1298b9111455e7df56f948f4d53ea1ebe6441e54a14
SHA512 b840209bde31000983c691dc4eb74b2eef7395fdf062b7a9726b8b276264777e434b52ead2cdc9e837574fd9a20ba174df8b04afa9ed4ca731ab2b927991557d

memory/2452-16-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/2452-21-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/3812-22-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/2980-26-0x0000000010410000-0x0000000010475000-memory.dmp

memory/916-31-0x0000000001000000-0x0000000001001000-memory.dmp

memory/916-30-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1760-40-0x0000000010410000-0x0000000010475000-memory.dmp

memory/1760-36-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 919ba70cec60edcb60768e19cd141dd3
SHA1 a85d036a5870e1e93452e1fbf2038bef742aa5b1
SHA256 0fef70d7ec92abd277f6c0e8edcf4763148e99510027f19588cb524181eba236
SHA512 24ee99a918afbed8dd23074d8fc4261f7c91cf1eea14088dd841732cdc57e8cb903a370e98c728d4869dbd3bd831f8987f309bad2eb34c3493ee3a0018435b24

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2c360695886afe7208b71059b1e49ba7
SHA1 26288135beef8b92e87e1da338a395273c421096
SHA256 598df483c2c8fe22e93c53ddfd1d39b2b06e128b0a7954bba8099791b78e5454
SHA512 e2a4c8dff6bef4c3b6fc641371400830268ddd6118b04f25b29161be715dd974bc3d13c6b4034ed88852221584f993635168ce477914c21a8af7767c387519e2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 cc941502c8372c30ee1f58ffc8f78799
SHA1 b50d8cf4e18ef1f32dee8baaedcd11191bc87a31
SHA256 83398c7cdbe4d971934d8ee59b0e2db62de0b250b3ffc955592cd11234c42efc
SHA512 1c2279f37f8df63c5b79f8234008d743ed28e834eaccfabc72942f17333c8508de544eddcecb04f8f61eb59361ceec14cbc0b040a14dd2af57a18dc5ea257ef2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 701f2d42263c30b6a1414bdd49d788c7
SHA1 f9e6e49500bf43dbeb5e1931a4cc3319db8c64c1
SHA256 570731d766778063081d6e7b6b0591a4504a2a32e186616f475ad08ce18a74bb
SHA512 7e377451cd77922ba4ef163464fb6609b750c12f7284315935c00bd214a0b4d0b54413254b5000a91e03002cf736348be3554923bae3fb1bac75344ee03905d8

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 09102a032025408f6b4012808c287bf6
SHA1 c91ac053b22fbefc448c611f20c4fdcb4b1b8729
SHA256 039fde84c67d69fee84e46bd379429cdbe746115fd583a40439060ecc38f328f
SHA512 06a7feba922b73a3327fbc7ffb2ad7b9546d326eefafaa99680ec5feca01fcd1c7a051e43307464d918ba66e7df3d97e47411dcb601727a366e7670a53d31021

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 83cf676b847fd9925e632dde99d9bdb3
SHA1 01e38037843f6f07cb8035a2e11753518f259f5b
SHA256 d469e67e5cb4f28f000ae237fffd99667854cea45fbcf9d3df17a7b6dc2315ee
SHA512 c12da63bb85d8a6954337f5aff36b18bfe9a067d0509982a2b2529abc4a3413f9fd93f6801f672ca305e43cca823b0d330b26080242498cdea3ce57f043381f1

memory/4168-695-0x0000000074FF2000-0x0000000074FF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 35e287edecf363c94a4151d07ed58588
SHA1 b6d7867c7b305f1443a847ebe11b762ece65b2a1
SHA256 e951521cfb4a3eb8ef4cbaa3a6f881f17e4556edb315c747c1dc9a7a6cdc16c4
SHA512 3a7dbbe86918fdf765f5cf3a804f5935655269799b7320d347b82d0771529cad2f1f153613fefdab6595186cfa85ce6da0595f91b4e7838778fbb2f2d87f70ee

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 48a17c2d18c5eb847e0219c4b4dca20d
SHA1 66a5fe81ef145de42b765d14b7eb081cb007221d
SHA256 ec94a418ca61d810505609d1f69c3c8e34e68a7ff4aca49c4923fc56a2242791
SHA512 06d9294c4ce2e3503bd387074302a4a5d12cda2a046d728fbd48a9b7cbdbfa5cf77c3cea90c0570079b44452c4d64971ed80ad69830df7585e2c12dc571e3054

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 cb173be46e060e86490aab9a33eeee7e
SHA1 db96cdbf9469bcdd26a42290c5e611e67d181e9a
SHA256 bc1ad32f6b7120349aeade9f3be4b0ff78a39f113c2859cb93b02f18c517704d
SHA512 38e1ea476184e553ba4ea8a44776fc49d4486d0322e4164fd678965cd94dc0a1fb135f8ad26768511c40031b053b22d90b02855478d3f202961297cae15121fe

memory/4168-927-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/2452-928-0x0000000074FF0000-0x00000000755A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 75f91e87a61df435d5f196a629528b5a
SHA1 240abfd7974a65887d0378fbd354267d721dbdba
SHA256 5ce2c6b00c262ac80246dc0bd122a4c4a3f63148dbdea79e4d52fd1e665cb7e4
SHA512 2bfcbdaf8bc5451acf62af2bd09091798458451f01e169685810d10d696a4f5ba085f111c7edba1614cdbe69d71120743672a5a9afb25f8edc44727a21715377

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 acd70db2b704ca2ce243400f7b0b82d4
SHA1 e529f3d1abd96c9a010da0f18571807ff1ac9e68
SHA256 273a95e113c9342db080e3daf32594b2886683dc074737f00b32284857ec116e
SHA512 bfbbbbe9271162adfbd2e4ee8b149af25c7a9e76fe3dad67ffcd1fedbfe636533d08875b9ac25adda167e04d0d5347a9c0d99421dcef9c2b82fe9a6392a21b96

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 948734250cec8fcdda6c67d29c526a91
SHA1 58ffbe6276285a6f3da38b2ccf47f0f744d3ba8c
SHA256 c334eb37f5452f68e0e3e640cfeeec57fccfbeedad6b89791e5abcd8af8f267c
SHA512 16b3d8abaeb064d4f799c510830599bc79c12c81844a22fdc517609c842e758bdfa8dc0b7bd079a6d12b2cad7f090a822657910e1ea75fbccb3b437e16176921

memory/2452-1160-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/3812-1161-0x0000000074FF0000-0x00000000755A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 eb699d886dedf0d9a1f264a78c0b2c89
SHA1 14ca9b1ec8ce78d02c492b9a6232473005b29d44
SHA256 7960924647e7d782838374217f1d440f791ce2348446139ae2ad427f7b847221
SHA512 4d64df2685939afe1fa5ecb8441427f20552bad548f195e5140068e40a1d3054427878efd681ec4a4f898a354fbfd8de0079c813a4f7f1844a455455fcac05f8

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 149582553a499982e1085aa992a11524
SHA1 4dc6a032f1287890635d7585c092fe85c4d47447
SHA256 1aeebe658a2d36768a2594f07c6442c777bf998ad832fba7014dc8af1aac4f18
SHA512 03caaf3f9eebce0e28a357aebad6dd22cd585b9298ccddcf5e9bdf521e8d99165c03bee4d90c99c87d3279cc835fcb8fcaaa7ae33873df42f7a0c0979f634181

memory/3812-1402-0x0000000074FF0000-0x00000000755A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 955be95c10959f058b952f1a0f883d6f
SHA1 11b0da6776845fab3614dba061c7840ef01a5e9a
SHA256 6e61d11fa333f4400888734cd4ae9ef9100696b7e93c94fca2942017b3bd9526
SHA512 d6bbef4a85c67a01d47982a56c81c08fcf2acbeff2bf26ee4d2f140a2f329b407addeb78874d21bac4fe9fbace4fefbb21e53463902fee4a50c6514312846f5e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 861f083ae441475137ec11cca696b5de
SHA1 ae7af2b788a3443e9d922117e894e3b40c7424f2
SHA256 9010fdc44c7b535bc67d2cb035a99fa2f66bd97c715f188ba45ba07609a0ddba
SHA512 a11588ae7bacc0b381e4c2950f81fd845600d704b0a7d0a245a6ee9da07d2d077385e0e9dc35e4508a7e2d8630106cb610aeac269163e9d5aa081c1bd7c9a8af

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 09d10ddfcf25d00a39fa26b4a5708b37
SHA1 a0ac63c26a8e5927c0e5a6a67a94b063776057da
SHA256 36bc62e827d9f97aed54c6af7c32d23e52fc30a8c889e4200ea9b9bb44087799
SHA512 2ffe1a253b273c0ba1fbe16bdeb0c070150e259f65bef02157a305f5ac8cb4e3a001f0c89b3066677b035716e67f469e035aa2c0b716ec1cb3e7ca92d7c68bea

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3de31b4c801e3d1c6b4b1f1030ed4c8b
SHA1 1ba01b05c05921a46db6cb2372d4df4faedd334c
SHA256 db691e41ecea70c059d98416f50c088de674862a624465b059d660ba1fd6cc46
SHA512 839c64c874945b2333adc3b13cde2273316f2839538ba7565f5040a95056d90952b13a4cb5310be0fdfca79f71a7ac8a360d133519ba2050319e8f915295c784

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f2ea15b40d734fbdfd2d11dab89a71ad
SHA1 ed7d202326ed2b0464646d5764b372432ddcaff6
SHA256 bdd059bf6263e7d299ccdba6b3acd3de648a6375f6bb4c4a36d93ec888441cbd
SHA512 97c4b32808329cb72f8311248ac8a1e175954c15c1bc037fb49024845b0887d387b42ee37fe9906d451fa082f0baa3cd06de51b9d419809a40912deea6559add
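The Files listing above records the same path, C:\Users\Admin\AppData\Local\Temp\Admin7, many times with a different hash each time, interleaved with memory dumps whose address ranges repeat across several PIDs. Turning that flat listing into usable indicators is something a responder has to do by hand unless the format is parsed. The following Python is an added example written for this page, not part of the sandbox report or the analysis tooling that produced it. The embedded sample reproduces a handful of entries copied verbatim from the listing above (the rest is omitted for brevity); the regular expressions, record types and function names are the editor's own assumptions about the layout, not an official schema.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: entries copied from the report's Files section, in the
# flat "path / MD5 / SHA1 / SHA256 / SHA512" layout the report uses, plus
# three of its memory-dump lines. Raw string so the Windows path survives.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 83cf676b847fd9925e632dde99d9bdb3
SHA1 01e38037843f6f07cb8035a2e11753518f259f5b
SHA256 d469e67e5cb4f28f000ae237fffd99667854cea45fbcf9d3df17a7b6dc2315ee
SHA512 c12da63bb85d8a6954337f5aff36b18bfe9a067d0509982a2b2529abc4a3413f9fd93f6801f672ca305e43cca823b0d330b26080242498cdea3ce57f043381f1

memory/4168-695-0x0000000074FF2000-0x0000000074FF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 35e287edecf363c94a4151d07ed58588
SHA1 b6d7867c7b305f1443a847ebe11b762ece65b2a1
SHA256 e951521cfb4a3eb8ef4cbaa3a6f881f17e4556edb315c747c1dc9a7a6cdc16c4
SHA512 3a7dbbe86918fdf765f5cf3a804f5935655269799b7320d347b82d0771529cad2f1f153613fefdab6595186cfa85ce6da0595f91b4e7838778fbb2f2d87f70ee

memory/4168-927-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/2452-928-0x0000000074FF0000-0x00000000755A1000-memory.dmp
"""

# Assumed line shapes (editor's reading of the report, not a documented schema).
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: dict  # algorithm name -> lowercase hex digest


@dataclass
class MemoryDump:
    pid: int
    index: int
    start: int
    end: int


def parse_files_section(text):
    """Parse the flat listing into dropped-file records and memory dumps.

    A path line opens a new record; the hash lines that follow attach to it.
    A memory-dump line closes the current record, so a stray hash line with
    no path to attach to is reported instead of silently dropped.
    """
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            current = None
            dumps.append(MemoryDump(int(m.group(1)), int(m.group(2)),
                                    int(m.group(3), 16), int(m.group(4), 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash line without preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {line}")
            current.hashes[algo] = digest
            continue
        # Anything else is taken as a path line opening a new record.
        current = DroppedFile(path=line, hashes={})
        files.append(current)
    return files, dumps


def hashes_by_path(files):
    """Distinct SHA256 values seen per path; a long set means the file was
    rewritten with different content repeatedly during detonation."""
    grouped = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            grouped[f.path].add(f.hashes["SHA256"])
    return dict(grouped)


def shared_regions(dumps):
    """Address ranges that were dumped from more than one PID."""
    by_region = defaultdict(set)
    for d in dumps:
        by_region[(d.start, d.end)].add(d.pid)
    return {r: pids for r, pids in by_region.items() if len(pids) > 1}


def matches_ioc(data, files):
    """Hash a blob and return the report path whose SHA256 matches, or None."""
    digest = hashlib.sha256(data).hexdigest()
    for f in files:
        if f.hashes.get("SHA256") == digest:
            return f.path
    return None


if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE_REPORT)
    for path, digests in hashes_by_path(files).items():
        print(f"{path}: {len(digests)} distinct SHA256 values")
    for (start, end), pids in shared_regions(dumps).items():
        print(f"region {start:#x}-{end:#x} dumped from PIDs {sorted(pids)}")
```

Feed the full listing instead of the sample and hashes_by_path shows how many distinct versions of Admin7 were written; shared_regions surfaces the ranges that recur across PIDs, which is where to start when deciding which dump to unpack first. The strict digest-length check matters because sandbox exports are often copy-pasted, and a truncated SHA256 would otherwise match nothing and go unnoticed.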