cybergate | 8397efdc04aead539d74e705f0dd47ddd5e26f03940446ad3fd62d6f7fcabdc5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87bcb409b6c3e7c060354e479fdd3cab_JaffaCakes118.exe
Size

857KB
MD5

87bcb409b6c3e7c060354e479fdd3cab
SHA1

193e15ec146e808ab5156952765b302ca99a7f97
SHA256

8397efdc04aead539d74e705f0dd47ddd5e26f03940446ad3fd62d6f7fcabdc5
SHA512

9b491a69b053f2b6a41b77f134a33bd423a543e13ac64a419bf7a40231b8aa33b574e344b14a187ebf8409dc7ae3102b0bd275a87be41be1a525755e41fb4714
SSDEEP

24576:7fcCIjsCJAd/QUnMaQ4Skool7J0798icV0/:7fcCUvQnF07T

Score

10^/10

cybergate windows7 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

windows7

djidane2008.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
5
ftp_password
downgradeur
ftp_port
21
ftp_server
pokemon2.solidwebhost.com
ftp_username
pokemon2
injected_process
explorer.exe
install_dir
windows
install_file
win32.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4876 created 1476	4876	WerFault.exe	97

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fIl31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windows\\win32.exe"	fIl31.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fIl31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windows\\win32.exe"	fIl31.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}\StubPath = "C:\\Windows\\windows\\win32.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}	fIl31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}\StubPath = "C:\\Windows\\windows\\win32.exe Restart"	fIl31.exe

Executes dropped EXE 2 IoCs

pid	Process
4348	fIl31.exe
1476	win32.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023482-11.dat	upx
behavioral2/memory/4348-12-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4348-17-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4348-77-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2728-81-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2728-82-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4348-147-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1476-613-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2728-976-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windows\\win32.exe"	fIl31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windows\\win32.exe"	fIl31.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\windows\win32.exe	fIl31.exe
File opened for modification	C:\Windows\windows\win32.exe	fIl31.exe
File opened for modification	C:\Windows\windows\win32.exe	explorer.exe
File opened for modification	C:\Windows\windows\	explorer.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
468	1476	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fIl31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4348	fIl31.exe
4348	fIl31.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
468	WerFault.exe
468	WerFault.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4964	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	explorer.exe
Token: SeDebugPrivilege	4964	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4348	fIl31.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 4348	4884	87bcb409b6c3e7c060354e479fdd3cab_JaffaCakes118.exe	87
PID 4884 wrote to memory of 4348	4884	87bcb409b6c3e7c060354e479fdd3cab_JaffaCakes118.exe	87
PID 4884 wrote to memory of 4348	4884	87bcb409b6c3e7c060354e479fdd3cab_JaffaCakes118.exe	87
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56
PID 4348 wrote to memory of 3496	4348	fIl31.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:784
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2888
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3816
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3920
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3988
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4080
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4180
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4456
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1736
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4648
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4292
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:2364
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1292
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:3980
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1352
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:1464
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:3452
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1800
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:1936
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:4968
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4104
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:5108
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:3968
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1256
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2788
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2996
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2676
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:3392
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1148
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1364
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2056

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2600

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3416

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\87bcb409b6c3e7c060354e479fdd3cab_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\87bcb409b6c3e7c060354e479fdd3cab_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\fIl31.exe
    C:\Users\Admin\AppData\Local\Temp\\fIl31.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:2728
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4964
    - - C:\Windows\windows\win32.exe
        
        "C:\Windows\windows\win32.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 576
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1588

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1840

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe a9c9e96d9de55ee9268838563a2c94fb /fE5ENUGkUGyHK8eUvAuKg.0.1.0.0.0
1⤵
PID:4524
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1476 -ip 1476
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:4876

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
5c9f9d4a7ae41c19ddc6a913ad45ace4

SHA1
aee08e70a10f669fa535830179b44660231f2725

SHA256
2dcd88c37ff79324466f9051c6559cd0f102161285048bfaa736daf9bee474e2

SHA512
4721c1bb63565b66dfb17473ea7feba263e4551c61ab9bbe2d69b9a1d49dbc98a035fdcadc26db0c62fcef77841662eed3ec486d96afd303eaecfd6ee8fb432c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ea4dae81782465f3a0b3770c4ad37885

SHA1
ae4f79705ec222cf32e8ec7ff00d0bf54f1bd0e3

SHA256
61fe0ac557820d7eaea8cfa52d47648369c47023d4c9e082873653d28e316952

SHA512
bca51e2d0a7ef0bfeed22ddf6d1c491108c860af2ec2da3f2cc6149369272180fd0d0a192b61f74f23d4a3a2a7592577e3f13adcc9802180010ac2ef460269ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b6811573cf6acbdbdd52f871dfd7a24d

SHA1
07ef54e9a34d4210d9dae175cda1d292b97ae221

SHA256
76b2f32973674f92823ba893eae6dd62a0b5d8941f512668b6bf618cf9263db1

SHA512
a0429eb236b1b7ada7cce202d114c02a377027deeff39122acf76426f6df2027b11734367ccda268377d6b1e77d6c16cc97d8830917ec7baf2a5ab5c27f4ebf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b7361b042083ac2155194025626e67ef

SHA1
95b8c6f958ea71fbc6c271dc4a76dbae7608c536

SHA256
37e0038993022666fa495633c17f931ee412a6521cbd11288b7ba11fb5a28feb

SHA512
be84070a035c86202eef63cf654465c1d21b82c94af7627b9e0f8ba3186ac704bb531ceb0fee1ffa784f80b47dcc2998c59cf8b9f538b6a3088eaee4f67472f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d570dfeb20e49917aa6b415f4d71304d

SHA1
90b09307cd23c4d28aefc25d4236a3314034daf9

SHA256
8be108e7cbeb1bdc897a8996c6531da810b45a50dffccbd6d336812c94a83c99

SHA512
14873bb1057f816693abcf63c2591853328883e0e9dc522436f8ee4fb98ccda578903d37ccfef22621b709352adca39caee55f1820ecbb0c41b58833f87e45e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIl31.exe

Filesize
284KB

MD5
dabcb4a33b995d02ba3bfa43bc0a57d5

SHA1
80800790c04f06833d98cace18d0cb19d1cd118e

SHA256
806b0d6b86ec37d510eaa570eaf55a60fcf50c96e6a9a09f855e2ae0e962d22a

SHA512
88c05901262666ba59507af2ec6e1fb164b606f94ebdb06de1f00e0e5865247fac8a933d79e0169d37e5f12c6f34246b49149caa176da8894977864417e4fea6

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
memory/1476-613-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2728-21-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2728-976-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2728-22-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2728-80-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/2728-81-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2728-82-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4348-147-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4348-12-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4348-17-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4348-77-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4884-7-0x000000001C210000-0x000000001C25C000-memory.dmp

Filesize
304KB

Download
memory/4884-8-0x00007FF974050000-0x00007FF9749F1000-memory.dmp

Filesize
9.6MB

Download
memory/4884-0-0x00007FF974305000-0x00007FF974306000-memory.dmp

Filesize
4KB

Download
memory/4884-171-0x00007FF974050000-0x00007FF9749F1000-memory.dmp

Filesize
9.6MB

Download
memory/4884-6-0x00000000010C0000-0x00000000010C8000-memory.dmp

Filesize
32KB

Download
memory/4884-5-0x000000001C120000-0x000000001C1BC000-memory.dmp

Filesize
624KB

Download
memory/4884-3-0x000000001BC50000-0x000000001C11E000-memory.dmp

Filesize
4.8MB

Download
memory/4884-4-0x00007FF974050000-0x00007FF9749F1000-memory.dmp

Filesize
9.6MB

Download
memory/4884-2-0x00007FF974050000-0x00007FF9749F1000-memory.dmp

Filesize
9.6MB

Download
memory/4884-1-0x0000000001010000-0x00000000010B6000-memory.dmp

Filesize
664KB

Download