Analysis Overview
SHA256
277e3f881ff5937e48da7594ba43f306dfb9d0ed2e7cfa90360ab60ea05f8e4e
Threat Level: Known bad
The file 73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Cybergate family
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-26 12:03
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 12:03
Reported
2024-07-26 12:06
Platform
win7-20240708-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\Rs-Pin-Generator" | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\Rs-Pin-Generator" | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P85R1QDH-R3MK-OE53-2DO1-6Y745S6P50E2} | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P85R1QDH-R3MK-OE53-2DO1-6Y745S6P50E2}\StubPath = "C:\\Windows\\system32\\install\\Rs-Pin-Generator Restart" | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\Rs-Pin-Generator" | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\Rs-Pin-Generator" | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\install\Rs-Pin-Generator | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\Rs-Pin-Generator | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/2416-18-0x0000000000350000-0x0000000000351000-memory.dmp
memory/2416-13-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2416-7-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2384-2-0x0000000024010000-0x000000002406F000-memory.dmp
memory/2384-6-0x0000000024070000-0x00000000240CF000-memory.dmp
memory/2416-304-0x0000000024070000-0x00000000240CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 7430c0e8b7bafa451b23ddad72197f78 |
| SHA1 | 083f4d2fdb8449034f7bb6e770e5ac7e98c919b4 |
| SHA256 | 2e287b6bf77e7a7432a6952696279f00e786ece6ae71e5efa1511a49cd0e4df5 |
| SHA512 | 3bef58d50ccf90b5f4652e4eebf97d544b48b4a00f31166b1e4e9b2cfa28d16b1bcf5d0715f8cf2adb5f4e8e5ab51c92945d727856e508f9c607e16ba646fd86 |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 118ca90a7f349c60ab8bdc793112ee80 |
| SHA1 | a5ec12c263b194a1a344c51f1188ec019fbf8838 |
| SHA256 | c901d72ac2bef5dfdc47c9da9c8ec63c096b3a6dbfcd1a93c0c5412b1ed97641 |
| SHA512 | 059ab11082c47f71aa19baf3babc3c4755f1d952b07db679758976e4a817138fe81d2bf506a35219515a849234d910d16f23637129332dad7a7ad176a73a40ba |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 126b421b20ed9aff4c43748d4f53ae9b |
| SHA1 | 7b380037a93cb958cf86dcd83144b3d704b4953b |
| SHA256 | d53b3f9dc181f85812e0f67d4e83912f5ffee77502f80fd7842b94a91b526010 |
| SHA512 | 6ffdb84c4f87027e6c9b9e7eab7ceb9bf3e5e9e7fcf4fcec5a352be67c3b92ecc2f2ce4a0815c5ec4b979dea8965b470ed2423e6621c3569a0e8dd4d8c5b7ff9 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 00511fed01b1b5e5b92f0baa695a45a9 |
| SHA1 | e6ea2e865fd2759d6773f0bcc2947222c5559815 |
| SHA256 | b79fd212fdf6be43f4202ebccae368a07cc5f0163e74a6d2b7d8f66ead58ca22 |
| SHA512 | 47b4834c68c1f86eaddaa7e528c884e939a774a0e488e604525a975493a4e706d4d7a7aab3bb446c65f7c22798cbc09f6485d09528b2fc0beed5f0de6258dd0a |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 54a0f3483af81f48dcd8be910266a081 |
| SHA1 | a9e9f726e8ecef94fab52d83b47fdb8caab87050 |
| SHA256 | fa19e7b7a007d7aa9145e4874c524554c107e087198965c264e789e4dfd01a42 |
| SHA512 | 38a83efe8aa359863c974b877abd50fbcc5e77048fd29e57a4fa3a632dfcc96579ab88bbc3d17e32f247975ef40169d742588916d5859401a7c92547c2a756e9 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 174f16e21f9f7d45f6e741293b9620eb |
| SHA1 | ed7b9b5439669310ba28c5abeec581a1baf5426b |
| SHA256 | 3941b6d17aba23d1227b0f21b4e2c621dfef40a3cdb62c5db8f48e29254964cc |
| SHA512 | c0c1b1e77ba6c55924248dea081651b9f3134bd16c942877c0697503c185df5385f52a36a4aa7fe1457a8afa2ed40309627d4528b1cf2d0fc53a555adbb280a3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4b4367d698f6f7be42085a3a85dd0d6d |
| SHA1 | b88046f611ab07498ecd8762d33d38ab87c212c3 |
| SHA256 | 7040f5dac17dbdfbbb8a9276937f666c62cd0a92588daf5dc4a8b24da758b59b |
| SHA512 | ceb2276c86a2d165de0157f1f56cdbc5bc5d3c9a1f288d0b59f312589f3efd8bda735b16ab0d27f6fc541b2cdd65fc8b1e2352e5f4bdb47817688e3da3447bce |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2392163344527cd4c63e2f94b1b00691 |
| SHA1 | 7630c8273fc18fa78410af5f1c116c16dc3aa8f5 |
| SHA256 | 08276361f09f46375bf6ee6077e0aab710565b9322bdd5350a300ae439cbea71 |
| SHA512 | d3111cad95455d80777c9ad20a9fd1ea2743773b122282d79e92aef3e10de9987f4cf71a58c3de8a66923e14c96f33e786d5d99be0b0339d1ed5003fec193cae |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 687e09884c95606463327a97bf1247b2 |
| SHA1 | 75407eb83d341c296fd3619a5386095b6d0861bf |
| SHA256 | 1196e974e9ed06a9cc320c41999f9b83716a369ec9d17fb435d4725b523a1f64 |
| SHA512 | 1588b4a675b3801deb9c599fbbc79fe136111f0d84478dc64810890e5f889cf57889e2b185bce349e84b8cbd980adb1849d18bdcb108be83bb9a9e9bdff05cb8 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a6bacfcafcce880fe691be8cce41c1c9 |
| SHA1 | 03ce5306c8cf43f35858f3e5ce3e49428c392fba |
| SHA256 | bdba0221d45d4c7a12196e9bdbac0e90ae4f2c6234f7574448e2a36468307504 |
| SHA512 | 56cc644255730972a92734249fedf2a04643dbdf56b48257f2ce52d8ee6bb7bf7514e71be79a380cf53067655256e5d49b465407ff96d9196196ad9a14a1cbea |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 8b480f53d551336ba4a5ff3f18e9f1f2 |
| SHA1 | 63ee8fcf04820543c41950b20c29cd843fde78c8 |
| SHA256 | 9802a76514993649897bb390ac23dab841ac77a556b42725aaa24c3267ebd8cb |
| SHA512 | 1980801ba8b654cba05cf79c70e222e54a342ab020edc30acc4b4379f71f8f7552cf13e1040bd9ec67a34e155e8ea8479c8c5c54454d1d57bb94ba0152c9f49c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 645f86befb8908f8901505980620fe57 |
| SHA1 | 8b7e1e49ffc36466d9eb854db05271cee903eb27 |
| SHA256 | 57e8484baa82fa0e62de643a7f13c973c60344d34d7eaa253ba28c0ad2d4cb11 |
| SHA512 | 51ed8016aa469830f8e4240bbad0d82302829da281535f9cbb11f917ce49cb52fdcf8addaaf6b50f33f1f17682c8814e4eb7209b2fde583dfea6d2d5ebce1383 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 3b3db13b65087dc5425f09fbf35a70c8 |
| SHA1 | b38ea5fc955b155c3e2c6d9f021e42de292e905b |
| SHA256 | 3790c9373b5fc975b888efa0aacb016194940811405064334e87f6cc4fcf9434 |
| SHA512 | 84b296dfe302dc491453e4bc4adeb4f59ac3613890ce062a0b7812eaef42a008bf2f78d8c260c0c65ec1c518680d5210625d6a22b3f14269facba59135d6feda |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b48a634a3cc9152a8f3542589c082333 |
| SHA1 | 32bd40573bf29bea606cd2e85d276cdb36da7e0d |
| SHA256 | 2d5a3afccfa28a297f1da442651a79b2e80cc335239cfb9d379fae497ad9445d |
| SHA512 | 9e44cc2ab56d95423e6b85126ceb794ea4c5a8c82eea26682184a822e8a2b9313a82418d9db2b3d1c8de49b1a3c2e053e7c7e033aa64f1c53cc58cf3bc419e76 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 1336721096447e19c00dfc6c54e9fced |
| SHA1 | 55a3924e1b1a0931b871a2b8c48f8ab13833d6c9 |
| SHA256 | c9628ba91e74774231583716f43df42fec4cb6672d6a8b1b9dd8244787ceb59d |
| SHA512 | 24ae82b1bdd9df797eee0de484ed13e8e518a1cd73455b9880e48f6c3132ed4d98462f5af85767a4ec79b7aa001a0db7be82006adecc923159df82f14e0b68ba |
memory/2416-1388-0x0000000024070000-0x00000000240CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d498f4b45df5a1efa925df4d22aa5df3 |
| SHA1 | c93a48206efc488ce42113a1f75c43bc0cf5a655 |
| SHA256 | 2c15dce9827159905ed293a153f6e324d25a6a06ab19a82177725f01ec2642cc |
| SHA512 | 6208b58ae9068c3ee98fad8cbdbefc9b7ba38ad0a50456b1993ff2f1ae41da047b146bca6fb8c2f14b9c7b8b83b03887bfea6daa5dead556f10ca1b294b8a1fc |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 089cc8a88be01adc50f516051cfc7f98 |
| SHA1 | 22b476120a2d91fc055b8782bbdc3750020fca15 |
| SHA256 | 751b7002c96271d4d68534e9101ad5cdbfc21fcd1adc5ddcfab5cbe31f644545 |
| SHA512 | cda73077af5b7c0e473af92ace5ebb1b2019bbceb0daaab44485a4d6945a591555ec9286cfeedff330460038790af83e74473474bde7d794b4fdc43fe83cbf3c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b58aa237b17311a8aa258fd7b57a51e5 |
| SHA1 | 977bb96ee83840ce525a1f75a12634476d05af1e |
| SHA256 | 816693ba84da380d5722ddb9391730a8b346f9a4a75cdd6b768bb3e3d3383c46 |
| SHA512 | cdd742e1b64a9ba7a768a8ea29da5da447686155ba96ac0d274a336d917f1f94ae68e2f07b3abef56a5eae88ce946af0c0cb839b5deadd05f97e62369880e8c6 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4cc25466729355514a093a34e6aeeb18 |
| SHA1 | e8ccad1177d7359e685fca435fa5057c202924f2 |
| SHA256 | fbae09da4a4b533c2deb5418700a73a1f28fee252cb740a62f52b22c91c02c9f |
| SHA512 | 68fe33a3f9e0eecdaef9c1f9e729ed598e62087e0aafc0681686a8253f6ad8596a14846985b9ffceff78d083a8d2d1a0042e21d9d9caccf5e223622278b7e746 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a30596562933147b5ca00c9975b68ce8 |
| SHA1 | e4a12b15e55385d7b7319d202f685a7b2e791fc8 |
| SHA256 | bb4e429c7c838b147be875291a9d0ca340cf00ec8545b770f29c613848ec8181 |
| SHA512 | 94124320465718a1f4006f177ebf4a0fc0d5e391eacf41d91d3fd0a3722f44c7f9a078cdbd0a95cafc452073b21dab4cd28097a66623d417085a1407e2f953ae |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | fd237307f7da050eca948e12d87328bd |
| SHA1 | a93f1d9ef510f8be3612f0fa97a83a4b97bd328e |
| SHA256 | 824c05ba2b9d3f6fa45e2f11483e953305d8a242ee02f1c0430293b0a2f4f76a |
| SHA512 | 44ade93ec0089ebd25a35ad55e23eb9c67c5fe8d8b17fe29fdddc55e3468ed98e891b4c3d1b47ccb58ef4f25a25359463d17638adc48abaa54ebde70c8e7ffbe |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2e30cda9db138931d4cc5f7920123546 |
| SHA1 | c1f464445a1d462c2f895c3815ef48f21c219f6b |
| SHA256 | 1831649db14fd52d32caa58ef5569881d0d75c0743240d5cb7abbe482a827ab1 |
| SHA512 | 7e7834b1a61cc3daf1592cba4db0b417f02e99e6c6b3d3c8c0e77ce39c4686417ad7638fb0e0c21bdeec1066cb8531b99d398fdee6802f3cfc298730706a0845 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 12:03
Reported
2024-07-26 12:06
Platform
win10v2004-20240709-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\Rs-Pin-Generator" | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\Rs-Pin-Generator" | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{P85R1QDH-R3MK-OE53-2DO1-6Y745S6P50E2}\StubPath = "C:\\Windows\\system32\\install\\Rs-Pin-Generator Restart" | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{P85R1QDH-R3MK-OE53-2DO1-6Y745S6P50E2} | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\Rs-Pin-Generator" | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\Rs-Pin-Generator" | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\install\Rs-Pin-Generator | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\Rs-Pin-Generator | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/2096-7-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/2096-8-0x00000000005B0000-0x00000000005B1000-memory.dmp
memory/4956-6-0x0000000024070000-0x00000000240CF000-memory.dmp
memory/4956-3-0x0000000024010000-0x000000002406F000-memory.dmp
memory/4956-2-0x0000000024010000-0x000000002406F000-memory.dmp
memory/4956-63-0x0000000024070000-0x00000000240CF000-memory.dmp
memory/2096-68-0x0000000024070000-0x00000000240CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 7430c0e8b7bafa451b23ddad72197f78 |
| SHA1 | 083f4d2fdb8449034f7bb6e770e5ac7e98c919b4 |
| SHA256 | 2e287b6bf77e7a7432a6952696279f00e786ece6ae71e5efa1511a49cd0e4df5 |
| SHA512 | 3bef58d50ccf90b5f4652e4eebf97d544b48b4a00f31166b1e4e9b2cfa28d16b1bcf5d0715f8cf2adb5f4e8e5ab51c92945d727856e508f9c607e16ba646fd86 |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Windows\SysWOW64\install\Rs-Pin-Generator
| MD5 | 73f8b1f6e0e64a648445c575bc64aaad |
| SHA1 | 5eb0b30e36a234e2e5bcd11f1456cea6ebb914b9 |
| SHA256 | 277e3f881ff5937e48da7594ba43f306dfb9d0ed2e7cfa90360ab60ea05f8e4e |
| SHA512 | 0ae93d2bf8a949108544dab21d3d8af1d1c82405c48ec06ab89762ad02c3b73b8e0c533b9143d918feea04cce4355a193613a443e1173a373ae94d4cba0a05cf |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | fd237307f7da050eca948e12d87328bd |
| SHA1 | a93f1d9ef510f8be3612f0fa97a83a4b97bd328e |
| SHA256 | 824c05ba2b9d3f6fa45e2f11483e953305d8a242ee02f1c0430293b0a2f4f76a |
| SHA512 | 44ade93ec0089ebd25a35ad55e23eb9c67c5fe8d8b17fe29fdddc55e3468ed98e891b4c3d1b47ccb58ef4f25a25359463d17638adc48abaa54ebde70c8e7ffbe |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2e30cda9db138931d4cc5f7920123546 |
| SHA1 | c1f464445a1d462c2f895c3815ef48f21c219f6b |
| SHA256 | 1831649db14fd52d32caa58ef5569881d0d75c0743240d5cb7abbe482a827ab1 |
| SHA512 | 7e7834b1a61cc3daf1592cba4db0b417f02e99e6c6b3d3c8c0e77ce39c4686417ad7638fb0e0c21bdeec1066cb8531b99d398fdee6802f3cfc298730706a0845 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6dce0353e2e0cb82827ef76480049176 |
| SHA1 | 775058443c4aecc9b5e20203756fe76176f439db |
| SHA256 | 16b226521dd723380e2cd1a350150d0ce98b6ed5419d43285ef88bdbe38b3203 |
| SHA512 | dc2a431c9060ef4c81cae9adc7d1ceb1e89de0982b107e80fdc3fa1aab4ca67569cf90108cccc07f3520a4927eee05c12967d82d3f57b02f3dcf000d7d522e77 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 58200536baf711b80edcd7be7498faf0 |
| SHA1 | 66489cb01f493c9a5f0f5f687d442ccbc33717d4 |
| SHA256 | 1397734e862b55354b4f8dd557e5c64c4ce4ee42caaa62d0ec90e4251a69566f |
| SHA512 | b56aa9de345e1b74a71bdd822efd27b56b69458caa6f1e65878d9b0a270f3525b4d7181ab982ecf9c7d7d9657b7094018d21276c1249f0dc9af65ddbf4bdc8e2 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4beec87853d94b52e25df74ba2167725 |
| SHA1 | b11ecf17e4f21413f4813cf3fdb16d5c4c6c3181 |
| SHA256 | a4be01ea31cc4f69777178299179973ea8f53d6638b57d113cee8240f2e47285 |
| SHA512 | aedb37807ffae91935265709c0209544cbfcb56b901f2a7b8fd9757eeb3a32953327352de46d0ffdf5c4a63e5eb410095e6dcba493b0fd0934abe48835baf474 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 24a0590922e1150a097fa4103dec4321 |
| SHA1 | 68e9509551575ee5d4aa256a9a8ac011bf3fbe45 |
| SHA256 | 1241ebdeb34a8fb99b8d37df783ee76c7757eac972b509fb2c0359c78a6e8aee |
| SHA512 | e990dcc817363f6839f681c60667d2ec1ab1e5fee77a178179d81690eea93cb12239bd70de90b6df31029e96e96832fc53904000dad0f4b2de8311ea31c4df17 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | bdef009b44ce422b58dfec6d3b0e712a |
| SHA1 | a9c5bcb4b93e851ddbd36acf6eb20155d6a3795d |
| SHA256 | d66e7a6a66f24dd97b3893e096e2902b6687b99af9aa7b7b735f4317bec33920 |
| SHA512 | 7a0e77ae1928b2a47fa2e3dc50cef29e71d16aa8a66f180282cede21335b6db894267cb6e351bfc5e61483cece711fd46df62ff87467257ee6d4dbdff2095c08 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 084a18a565b4430360b9b1be95b5f51a |
| SHA1 | bb0dee5ce2d4401b4c2e6078f29bb8722890d78e |
| SHA256 | 49b891e9a54edb1499ecde71429cacae1667afab15d17a5cf98bdded3e52a13c |
| SHA512 | 1ffc7a7101386c85c31ef65ae2867250ecd64e3fe6060c61cb6a84e671d61bd1fa6f5ac8a515a1b77ebbe46b819d5517a2acfa10e15aa447c7cd6ce7a147e422 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ca8ae974482131876ff0fdfed4d0ee0e |
| SHA1 | 21c0c381978ddea0fbd4ff775d2413f9f1f461b7 |
| SHA256 | 35075fea6df3c14a21eed4a61ab9d26da2f3774880300993a6e7f7d1a2731cda |
| SHA512 | b46e32911022a6ac437ac88cc0b3fee256cea5bbbdca4a2e84e8493c3eb3a5cfb9bc26ad35b4dd27e5735da43773c13c69a25aaadab6001c7d343cc13bb74f18 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 8d9fa6f8bde2b5a979af91cccfe6666c |
| SHA1 | 88f90679cd0eab46e446ef1bd59a71a76e642e71 |
| SHA256 | ddbd09eb0a98eac216865c1a5a99a090af51f3810a924ee767e01460a65c6809 |
| SHA512 | 5187432390e0f8adab88d7acbda6084cea4ef7a5e16807f867e27e90ab1824dceade6458ff1196c8e2027afe9d611ef9ba5b00c71a6d1b9cd6af583164f9d9e6 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d6d6e8467c7d99108420610698177776 |
| SHA1 | f3d0ad79a879154d6f52dd177482a44f3c81d748 |
| SHA256 | 0c85863f23bfb3ee2fadec3603eb9a9afe691d1ce54604b1e9222270f49e52a6 |
| SHA512 | b94ff67463e64a135ac0262ebbe6010061cd2912a4c12ed36d543e9359b620ae9f09bc0e6bd2bed9782b7130329fbc850c48062bf8693714ba51c2b3ed0a7a5a |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b24588f90d5b6228f0da6b84a4cae762 |
| SHA1 | 2fa950e5f6ae1b19ba85a8ce0f370b8657ffa565 |
| SHA256 | 576167b84065771a235ccdfa921520636357bcf3848863348738c5dc318a29a0 |
| SHA512 | 379505ec00491afeccdc1ddd2d2bea3f5f8f04888c3183076c888779b6316eb6e95700501fe3735c31c984761028c11bb4530377d63bb63219eecc983394644c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 491ee91caf866e6ad9679902042da5d8 |
| SHA1 | c3e8f0c1696ed8f33ff793c21ade0c1d8d2886e1 |
| SHA256 | 88705c7db551e4391b916cedde00f0c12052bdd91ac7059c7454009de3ef1302 |
| SHA512 | 370428cb7bfd6d9f226aac9f4123b816950c5ce95498508a24c976931251a530da119de4f97d902f6a0464b10c3048bacc4a0d8f322b0e1163766ccbc16c0f8f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 02c6a54bf4104e2f1c55a1d376bb44e3 |
| SHA1 | 24ee98b173733a5a49a99ac44e4ce2c1f4230a6e |
| SHA256 | c54e59f8513eeb13dd0930c0c22057df579d2d998cc38208e7e016e50b4a2637 |
| SHA512 | 865d3f99bc0fcc86ac091bf829ca5929a3ca61a1719981d53d519776db06d93b4439b2e3696da07cd3c8b20c540ab368969323d3b571dc24261a72899e3d0ab2 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 65d2ce1eaa9aa1ee0e885037160b2f03 |
| SHA1 | 97a47cd3de2e4ef8c62cc97974bb4ebb8fcdaf78 |
| SHA256 | c92dd48ae73897ce183e869cd8d12fec0e5113a4b9837229cf4cfe83193421a9 |
| SHA512 | c9c239f6d9ade74da081fe30cf21a0e58425c77e17f9576da718ba04b4bba096141399bc103cebde62b126ec473da559452d37f7a0903e9e4332688c0bb4521a |
memory/2096-1371-0x0000000024070000-0x00000000240CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6840553ec98d4ceb1f35c20b1620c0b2 |
| SHA1 | 5f8d0dc08cf544309174fe64b846127e04c3204e |
| SHA256 | f2219a8211e8cc0d6b8bc24316cac268bf314d1697e0ae514cca2cc88c582e2a |
| SHA512 | d2b9e007cf4d69c2c77d08f27e7cf3f374120611e742729e6ef952842a67bde9861a7eeb5b95fe42073a339b7847e4b6b5d30465e61c86595d6a859e0537fe6e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 12d4a2ba28b61f61682f01abb1660996 |
| SHA1 | fad2069a354c7de9f2751848c851f72bed2f39b7 |
| SHA256 | 68b08f35bbad2e32e07fe315b25422f3805269fd82a4330d317e3eb8fe9e353b |
| SHA512 | 85947c5efd98e4499056d14883d62d348502cab8c62d2ba6b47c47d5245ce70f8ff7d71a8fd7708e7e7a29bef0588bbb08dc5741376aab5a18cfdd71f1d4d8c6 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b844664d0c2f8ca61c3cfab5b1304a14 |
| SHA1 | 1cffabb3b10a21291511514b0d8408f6272f588d |
| SHA256 | 84e384a52e24ece84c218ef80e7bfc0b43d82208e3dc9ef0cdb0e6ac928820d6 |
| SHA512 | 29f78f5a5536702bf7603ecee526845a01065946df7daaac4349c833dce93b259afda29f2bd671ff03dd16be12a1d3aaa793c3f1fdf3b63b3513d39209a00e98 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c2d0399e927ce4801ebb79444935f297 |
| SHA1 | a05b9afea29b7993ebf862c16211d88b1d07b09a |
| SHA256 | 3f39a39d760a4ef970230dafb84040bad22da85870a702dc0da4860bc5650567 |
| SHA512 | ea412cf39de7f79023b3131725a6bc8ad48023c1efd6d2f73a0c7ca4b9263f6ee9268ae490acd956a0b7b05a23b199701a7cc387da5b76190b92e5bb47b70e15 |