Malware Analysis Report

2024-09-22 09:06

Sample ID 240730-zaqppsxcmm
Target 79ee1b8ab439125a681223920358d32d_JaffaCakes118
SHA256 075672291ff4cb62a1ea33346eed991e7bd61f7da5ffd9994d170c2b636b1c16
Tags
cyber cybergate discovery persistence stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

075672291ff4cb62a1ea33346eed991e7bd61f7da5ffd9994d170c2b636b1c16

Threat Level: Known bad

The file 79ee1b8ab439125a681223920358d32d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cyber cybergate discovery persistence stealer trojan upx

Cybergate family

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-30 20:31

Signatures

Cybergate family

cybergate

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-30 20:31

Reported

2024-07-30 20:33

Platform

win7-20240708-en

Max time kernel

148s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\SSychost.exe" C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\SSychost.exe" C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ}\StubPath = "C:\\Windows\\system32\\WinDir\\SSychost.exe Restart" C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ}\StubPath = "C:\\Windows\\system32\\WinDir\\SSychost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ} C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\SSychost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\SSychost.exe" C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\SSychost.exe" C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\SSychost.exe C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\SSychost.exe C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\SSychost.exe C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe"

C:\Windows\SysWOW64\WinDir\SSychost.exe

"C:\Windows\system32\WinDir\SSychost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/1196-3-0x0000000002470000-0x0000000002471000-memory.dmp

memory/1056-2-0x0000000010410000-0x0000000010475000-memory.dmp

memory/2952-246-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2952-309-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2952-536-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Windows\SysWOW64\WinDir\SSychost.exe

MD5 79ee1b8ab439125a681223920358d32d
SHA1 e0227af1698b1ef9daf299c22986d2849483bb67
SHA256 075672291ff4cb62a1ea33346eed991e7bd61f7da5ffd9994d170c2b636b1c16
SHA512 9411ea51dcb7f01a1a621f7ab24634f23720a8bbf2a693e864dd2b4d89bcae1cfdb997825a72ca5592dcce14afb2a3fdd1973fb907876044af52c68df0493174

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 6fc1d113e4b78557ab2787c2f7ffa180
SHA1 8da78a37da41d25c42b389541bdb7fb5ca98dba0
SHA256 54eeabf2a1482afd04175bdc6f5dbff5faf798fb49740e7bf816f99b805967ea
SHA512 67db8326a6f72ff78da18b1510c1137688971ead3f0394f12f82affbf7b432f83b37f8b0d58afdea726d9184d41df06cd10bb0b3b62157bc79ba4a6a4643ca1a

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 84314c2ba99da34d8eb32c8680938152
SHA1 e3bc738b022305cbc507c715e35ebb89e187fc9b
SHA256 0359ca198244b5fbe22db1302f3c80cc1d026ab78b7d3c4d230b36c11caeea98
SHA512 3dbe43c21bf34d0b425488a907771e7e0954159b54ffddf0a5a631b2d3a835dcce147fab84dedca4496746910b99add6663c89fb774f98c93f4aab1c24ad958c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d6f8d68c2fba6112842640ddeac38ba2
SHA1 2afa9c2106701ccfc828a992562535517c63e096
SHA256 039f54c439708bbf645b7e83f452688cf00cff6f3f01d3475e4d74625d4ac924
SHA512 51360a930c577dc9dd6252095773f8feb4bbdd5f11f1f56c4ce6673ec9c5f3d0059f60e606c41f8fe572cd7bde3f473e6004e03b2e4dff25f9df90515e471b89

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4792d4b0ee22a25f85623b0211eebda1
SHA1 ee9c4fa21e79cd987a1979a98bdd7bd28abb4cba
SHA256 a5dd8fab031d98e71abf001faf3ef13cdd700477c0c08f78908167961aa94ca1
SHA512 1ab35cb6a3b943cb72011a44da9b1c633c3fb4f59366c66ac1638fa3c88c7abbee8a462dd9975a517210c41aacd0f048a52922134701d50bb9b1539f3b9b0de6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e2c278325f4e5770422bafde1e3b878b
SHA1 a67c255bd1cb7d6777e44918c9603381a6fb4335
SHA256 8bfae5f95dac70bb23182bb02ca6e8d85c198a8dbdd7f0ecf333368ae193d8b5
SHA512 7c5af6463369f9ddf454da07c6670a151f6a6c290a9763bdd8bbe1b88fc9db3ff209d14b78c3b13b31b09fe88f196ecf32cba9c254e55e7209f618130939013d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fecb6c4edf85d1277e13f5526f0b12e7
SHA1 85a52670d3d726c03df9242b522dd0018c1b264a
SHA256 9940d8aa86422adbb0c91279df4fd4d3113fa2cebf551247ec49b52e081ea440
SHA512 3ff3891b618eb96a197fc45bf4c7c8f4818026312a342373bf9dad8a8c527b108efc0fff0a069c8b642b7cef2bac893389cf8689395ea9578933217f0b53097d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2c79c1d5c891df869701bde98f405ae8
SHA1 90a5bbf7e1b4ab5c134f27052dada8fce4534bcf
SHA256 2bf627646b54fe8f97d704653917d559f0f87b3c702886338589b4321fd67a7e
SHA512 0090e0b3bcffa814a2034637e28bdded116cced25fe94a2c89ac4fa2520df7eda3b4a1a48a0f2f4bbb4ad4568b1adc7afd4639d59ffd12a5379582f82ad87485

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 cdeb3a654660912e437963918eec509e
SHA1 aa68c299aa6fc099a75665218c0413f6917817e5
SHA256 2ee49973fffab28dc59ef0c9b2bfdd9e8d452476f12b121d33020654830b5944
SHA512 0136659ad4f9b946c66305238ec7b8160f3a8c23d794f7f402a9e7aec2c619769ae387fc71b9734738896b7761479075acd96b971e8d75085bce20d7e3dbfe4e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1c87a0772d8fcc1288104517251479b2
SHA1 638b94b70a00aa3741c7d9f429ede94db8124773
SHA256 179b08ff5b8f81c29d0f1a4477ae89e66adc4a791b37850fe4321321deb93b5d
SHA512 e49e6af16ca1444d2de1f39d9f2c4f73d923ecb5bb5f9e6b23111a90d5de7e785416243862a40c2a8b05108e796e71d0e7063ba5efd30168e74dadc41d6c1a16

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 62709348c38a7e551c293ad0a8064699
SHA1 d33b5b719b4716573f9bfe84c3b4f19f02a37f59
SHA256 5c0d65be1fe4a06b8a40d9d10834f5628bf6664f2171910742a0290b6801a9a3
SHA512 3212a04b53039eb21e31070a296bd68650955b49f6937a6fa66fa67977966264e920a1b4c679bf901e0204410828ad0d397861ff7d53ba207b9bd4847efc7d4e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e4940f174d8ee75abb1561b78187b10b
SHA1 a7256ee78fa9d1c80472a2f115d74133acfc79ce
SHA256 f53ac34ad48d891de7f5d0921093c11774a26fd356cbf18d3ae1ae214687d2a9
SHA512 1c22da7a76f26d878ccbef33b4aadeb8b9b5ecf8ecca7511e294fa02a6564772a83a80978a857c59a09b9771490b3868ad9a45bdf7afd8da41f008d273f4710a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9c16217371c5b2baefbaaae9f4691e58
SHA1 9eb61dbc7e168dd5ab91981226bac4a1abc78f80
SHA256 7ed806ce75563808f0f80488a536061a55b8e134005b11baaec5cbed76ed36ee
SHA512 e23c6d6e31e322461e678f386c55bd99e7ff6b274d1f5d70af035b70d6f154f863662028acb2ad958e0f6fb4745eb701edc1dff70f3d46c71cc7e3c4e5937188

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 20d26c26b72266b533fed18f9b55d25e
SHA1 a1217b6e520a807ec44a77754849a065d4629ebd
SHA256 1d8fb3c860ab3e7599cbd2cd3840ca447425ccbfddd46c0a39d889dbce3880c5
SHA512 56bb399f609f88e0a34164deb470988c0ee4780798240c4876ebd9e69b66de5fee8a0ee0981a9d1108eb4abfd0e05f8cad41d540e2af2fb5992abf1d59058a5e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d76822bcda54c679dc0ce901ca79cf10
SHA1 0eee04e1154be61dab341bc48f78d95f680491a0
SHA256 47a7456961c63186a26b593cd0ae57b92fde6a676458d6a536b1f0128bf13e35
SHA512 b0a335cb7d325d843d2f5051922131d1ae3d3992fd733873dbe9d3045943d0fbe9b24bebeea1a8123470c60159be03b2d66da6eecbb2e1514d58ee408fc00d3a

memory/2952-1754-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6fc0c857e0d56056a82ed3847600f79d
SHA1 4efc2ab3cbfd5ea145617cd8ad66e923245c98f9
SHA256 d5300b102cdb54f5247f002e9c3d977daf00b9c2367b82338c9400449b8fec7c
SHA512 cace4de2dde6406318998de33a2e96e6099fc40a377f77b24fb5046e54b58257b3f639066e5cb819fa49a06550e6cca5e5c5a0500cbe757ac74f96241267fc58

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 adbd732b56097c95e2c7216a5e8634ec
SHA1 573acc1404a64eecbeb2f9bfdecedf97599a260d
SHA256 ea459db767719a63f17eb116fdc8132318bf0717bde18f8f3620eba812ed737c
SHA512 e12e06d48153c0a8d000933b9a697706f0529287b7e19105651b5b3801155902cc860284963405c45d71d2898a85f7e1183b26a52768a2e6e36b4384395302ce

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 43b3a2b9f23f0e14940e3080da57ff15
SHA1 c1f3a30fc84b6019d17c5f3ce938fc444481e273
SHA256 6de4c2db4966cff7fd37eac0db508634ae6e38d447550805842a48caf7680c1b
SHA512 4ab91fe07ff14cf1d6ef3d7e512619b097e50ea8d63ee73e48a33fa069d33633d1da05d22070008c4a77420a2322e16473d3b1874f17363d0694c7e6159a0386

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 cdcde7a591a91192cabaf1c9e0150219
SHA1 7c26f33c2483db7c6f12bdae2b2f017627b773c2
SHA256 e029353fc6c15b0f0191bb43ac245f542cee2c69de17cfbfbdf2d2145e29699b
SHA512 cc912f20a5f68b00670e42ee12a46d3b2a80d1d90f82af5ea1159061dd931f15a70cc10a55cfe33d86b3b2cba4b7f6d142b00c0d0b3c6739c399d7bd8cee67b6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7ee19f9ec59fda92f62c613be7edd15b
SHA1 a48551c407373454ff6981a6e43e98aa77c7a1b6
SHA256 c7caff26d72526612339681de13424d5672b06b9669aac906504581d04f5d462
SHA512 e2a0b774258499959b04711791ed1a0928cccbb9c56e727018891e708b3a3bdcfc7fd4ef89bd5297c6d0978efb56b249ac9faa16338e57921b9d7fe33029e7b1

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b2103cd2712570a0d25a97309040cb60
SHA1 21938bf636bfc388059b81eb41202d04b6535153
SHA256 f8b3320ae9886e16993bc9b5ca1293f661b0e91b81f1cf713be467b58fb5345c
SHA512 28af59224f60adad99bae71c42bfcad53f06d2f5b3a6faf70abab96ca803950f37467c6c41089d41d574893b669667de7b36c8f96d9db3e937ca41fd79e6e6c8

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6e41c0c07d292d4fd84c7ff029c9fe75
SHA1 e2b71647061bd1c38389be1fb89e16604d5aa6d5
SHA256 e72b4b065538fa0b70f1cfc116e9bc07842d87892abb25235c2d1a408fd696ab
SHA512 399830baaa2ba220340e2c6c3ca374a2484141e4eb563446a42d10d066c020684bb5f2efaf691da3b6fecc6731b24edf0cbc959462ff13870612020327777bef

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-30 20:31

Reported

2024-07-30 20:33

Platform

win10v2004-20240730-en

Max time kernel

147s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\SSychost.exe" C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\SSychost.exe" C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ} C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ}\StubPath = "C:\\Windows\\system32\\WinDir\\SSychost.exe Restart" C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ}\StubPath = "C:\\Windows\\system32\\WinDir\\SSychost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\SSychost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\SSychost.exe" C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\SSychost.exe" C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WinDir\SSychost.exe C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\SSychost.exe C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WinDir\SSychost.exe C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WinDir\SSychost.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinDir\SSychost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 796 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe"

C:\Windows\SysWOW64\WinDir\SSychost.exe

"C:\Windows\system32\WinDir\SSychost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3948 -ip 3948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 592

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 23.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/796-3-0x0000000010410000-0x0000000010475000-memory.dmp

memory/976-7-0x0000000000F80000-0x0000000000F81000-memory.dmp

memory/976-8-0x0000000001240000-0x0000000001241000-memory.dmp

memory/796-63-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/976-66-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

memory/976-67-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/976-68-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Windows\SysWOW64\WinDir\SSychost.exe

MD5 79ee1b8ab439125a681223920358d32d
SHA1 e0227af1698b1ef9daf299c22986d2849483bb67
SHA256 075672291ff4cb62a1ea33346eed991e7bd61f7da5ffd9994d170c2b636b1c16
SHA512 9411ea51dcb7f01a1a621f7ab24634f23720a8bbf2a693e864dd2b4d89bcae1cfdb997825a72ca5592dcce14afb2a3fdd1973fb907876044af52c68df0493174

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 6fc1d113e4b78557ab2787c2f7ffa180
SHA1 8da78a37da41d25c42b389541bdb7fb5ca98dba0
SHA256 54eeabf2a1482afd04175bdc6f5dbff5faf798fb49740e7bf816f99b805967ea
SHA512 67db8326a6f72ff78da18b1510c1137688971ead3f0394f12f82affbf7b432f83b37f8b0d58afdea726d9184d41df06cd10bb0b3b62157bc79ba4a6a4643ca1a

memory/3224-138-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e2c278325f4e5770422bafde1e3b878b
SHA1 a67c255bd1cb7d6777e44918c9603381a6fb4335
SHA256 8bfae5f95dac70bb23182bb02ca6e8d85c198a8dbdd7f0ecf333368ae193d8b5
SHA512 7c5af6463369f9ddf454da07c6670a151f6a6c290a9763bdd8bbe1b88fc9db3ff209d14b78c3b13b31b09fe88f196ecf32cba9c254e55e7209f618130939013d

memory/976-759-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/3224-1439-0x0000000010560000-0x00000000105C5000-memory.dmp
