cybergate | f2885293397e2fa2fb685a94c0619644015aa98860478efdd8db2b5821ba891d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Size

556KB
MD5

af804b4395b81caec9fbc54b945c5f2f
SHA1

b4a3fed5277a21d96b37a09109519fe573d7084a
SHA256

f2885293397e2fa2fb685a94c0619644015aa98860478efdd8db2b5821ba891d
SHA512

19aea01695afe75568a93bd373179065f868aa9b8c054cf58cf35a4843504efc87d5fc58ad530607430f62f32bd59b9725d89952aac6991b69a1b62533aa7d8f
SSDEEP

6144:9++yM3HiP/qp9LGM+yM3HCP/54pcNJcF4Y+Ox3ZP9nC+mCEjknHKuEb4naZDRS:9+niHV3VniH24+Y4Y39zntHKuEwiS

Score

10^/10

cybergate mamacitas discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Mamacitas

spy2281.no-ip.org:777

Mutex

MICROSOF

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
System32
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Try again
message_box_title
Application error
password
cache
regkey_hkcu
USER\windows
regkey_hklm
MACHINE

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\svchost.exe"	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\svchost.exe"	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ULRWT220-U16X-4Q25-45AD-N18X88L4K71Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{ULRWT220-U16X-4Q25-45AD-N18X88L4K71Q}	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ULRWT220-U16X-4Q25-45AD-N18X88L4K71Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\svchost.exe Restart"	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{ULRWT220-U16X-4Q25-45AD-N18X88L4K71Q}	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
1988	svchost.exe
2816	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2752-3-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2752-5-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2752-7-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2752-8-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2752-9-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2752-12-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/2752-309-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2676-537-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2752-871-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2816-3499-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2676-3734-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2816-3742-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MACHINE = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\svchost.exe"	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\USER\windows = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\svchost.exe"	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svchost.exe	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2876 set thread context of 2752	2876	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	30
PID 1988 set thread context of 2816	1988	svchost.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Token: SeDebugPrivilege	1944	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2876	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1988	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2752	2876	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2752	2876	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2752	2876	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2752	2876	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2752	2876	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2752	2876	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2752	2876	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2752	2876	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2752	2876	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	30
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1208	2752	af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe	21

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1620
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:344
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:1032
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:7840
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:8636
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:740
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1168
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:840
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2688
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:964
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:108
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:296
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1072
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1092
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1432
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2364
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1476
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1944
    - - C:\Users\Admin\AppData\Roaming\System32\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1988
      - C:\Users\Admin\AppData\Roaming\System32\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\svchost.exe"
        6⤵
        Executes dropped EXE
        
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
9eaf9c54897df5a0ef8fde576b608e6a

SHA1
f82ef4eb6826f906b9b9bd3acd34391d2e059c39

SHA256
21bb97a5d2439fea315b61a9591da3478f8d035193cbdbc8d73996b5942201ac

SHA512
f275839e40c0f905f56f94513beeb12a3601c5da0694d2f96a2ee9b7ec73e208615ff0602ae1fd1167bcc6d27e04318091979a0672e252cbe96d914f61b8a733

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6cac44900e872c60d803b6ee6bfb297e

SHA1
a254f465d2f83a48775713abf9bb00320b00a79e

SHA256
417d6b7baf28abc4175158bfb1cce5ea8f42274a0a0548ef64d4b3c1ce875792

SHA512
78352c98fdf1d80c10daa5c6331f046e8b0348451578d1a8e5c2bf82380f0f2c1a7dec65760dc18576e3f47af505d249b458a2eefffbb0e48488643aee29e8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cebdbf447096913dcae1de4a1e6608be

SHA1
4add59d07bd57d8dbe72e31b01f07747774638de

SHA256
d9267e1b18fbc25aef761ff04ed842cc6877fc8d46884595afb3101790f7ab8a

SHA512
14a7a5dc3129cd7801865fe71e0e83cbb7259cd793b2f48017687a44216abf39e0bc129bfa9eb1881fd0c5995c797957720cdf287a88339067537aa2f465e565

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5712a367a587f81093a0c7357ebbba25

SHA1
1fce2025508f5eefd1119e1b49391c19120b5044

SHA256
6082fd06b4eb299da47896b17f37cb8b256ea3133dbd7e2a8058a25000498567

SHA512
546374a0df4ce257a8241eb1032cf2f4f54da28b4fb44d46b1a50dde4a8fca39d94b3115cd5a20f96c311729770f3a4ff352a68811a04e61db4d934a89dde578

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3068a48dfdf5907532a2275939cb0a47

SHA1
db72df322ce51db7618d7746189bcf67ea9eb2cc

SHA256
a669243e39dbdd443826e141682cc4423ec50f2ae1ca2d2701030f6e0fd9bb41

SHA512
be61970a4a580ed93c5760e98628b950e8bbd4fa4d57da336d6d49bfe5d5b568b7b9f556f8c7beec41121f61f52d6ca4dd31e3888f500f40829cf6e38d06fd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
16f6228c8f44f83ecdeb3ec5ae043b2b

SHA1
c1741a3daf7114faffe8c60d458a1b5f044196b9

SHA256
d17d9465b3e8f4bd80d60a3b832868a7b1e7d3d4f7fdc87d0cce5912b8969634

SHA512
e9ce3d98fad5949af52f7517dbe02a9404058b4d133b46073f1902d6f54e4a224025fb2da2fe60dc6af8c97fc1b5129213ac3bebfa8378dae141695b9309da1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
de31501e36adc8c12911b3b2424d0b56

SHA1
eed69b1315ffbafa653980a4712a9a341d2f8c53

SHA256
9fa5488bd941bfbdacfa6414e8326d8478981b15e99e438eb77708ad055ed483

SHA512
0b6b6b33805c3dc5813f1a50f1d3030e0857a8a926ba8e565cb3d57383cf8ef8c4fbc4baad74a1a8e50c1ebfc566392d3a89474d0d7387238181f4ff91b5f3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1becab8657c003615fc66a8187114d67

SHA1
6f42622828ff841dd7fa0b331283400a372df422

SHA256
971f5d2a1c19418618e85bd192bfe01cb064304a30d64d2425c05357d9fb4685

SHA512
522e4fdfd4a55144588855f582ee78842fb34e01f1afafdc407bd92bee92ca3eec1fed53956e2c357e92a35ea11b063bc16fc91921f5c3b5fb24beb0bfa4225e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ac410315a04930bc20b3b0a841567660

SHA1
bffdba62dd03e754a7ba872f17c470a931bbb486

SHA256
ad27b07c10b03c82411fa386ed819396f2f7fde1a56994ae59e6b429ee4f2fa4

SHA512
a7fb36cfd3bb3f090f26dc567ec4c82ba0be570028c7a41e4ecab952f31810f25d771f99eb264571d3f731e8f5a092998e44bf64f1d5baaeb7a5bfac44c331fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
261c39d517c93d0f5bc27e6ddde5c3ee

SHA1
92ab6a50edd9521255550ce6db75417d890e6d42

SHA256
b41673e3fd0770f2baf254b25df60e2524eacf150f979556d1527b3efaf47036

SHA512
691d7aec679c16b7ac75a686f470771bee2fbfd712680a42b1733ca1a73cfa0923dc8f77dce1d9a53890483278f19a954f21112ab10bb54afdb1cb7545b0e3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a4fadd66616520dc7f06a7602808da42

SHA1
888144e1f9bdf284f9d3bf75e581cfa516976eb5

SHA256
ac30028dd2c55213e9f0362b3e9c3968c1c3a320638745af046d0201e3b633ae

SHA512
a51026ad5470a4854290937f0bef1693a2c07a917e5547b9b1d46957a2c3e259172556885bf8b85c2c2aaf6fed265f9d5ef3b1a18035c51d327b0a93136d77b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5be815a58fad767f50eaaa58e8c48cc9

SHA1
0ac60e81d0d930eceb106d3e7e9859678aa476ff

SHA256
e4a0428d62a36b5d4d8b8394f39acd946a79005cf4e83eabc63f55148196e109

SHA512
3d96b42eca748ba1c09b50a8edb1d2e7e92efe81586bdcc5d2f7e8ae40c1876aa0f213acac05e69ed4f0552dac38df7f3c828f5b7e3aee19e2f819a4280158a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e1f97d19f8e76122a7d0bea98d1742b3

SHA1
3e32ca30c887f5249724459c63873fbfe9a27f18

SHA256
87369ffec55988419b9cd97d972ec07338da7d46e97698eb75a310093a7b5121

SHA512
a900e74edeeeb7cd4bc56cfbcc6bff5317f3ae101f2aa5914fcf60fa297d4bf026f4c51461c2a277e7a1f983fde0eb71a2aabfcca02daf3d4b56eb8ad1e54486

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c33ce1daf8949bb613428782e3a5abc

SHA1
8f41820d57fbcb974302ed12166397b2c431a83a

SHA256
3895847ea4e033b26a77f638a2fc9a64729fbd1e2cd5f08ef01cca3e6c3308cd

SHA512
638ef280c7fc4c5b6acc6ed0442ab698bd01b2630b76af95592950c554033187fa09cff3c49e37411d6febe3f1d4720bb431340fe734794f694213877d5e92c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d960b71f171c4f144ebaa72568b033b1

SHA1
f9f25d2b1fdb39ed52ac17c2e182f88df328b8f1

SHA256
2e9dc68a7495790365fd9ebc61d4cd631613e62afc7c2a38ab020c93e8b76b17

SHA512
641e8b1e919ba1be917592c9b098a113ca0e294733bc132106066dca06459490b8084612aa1f8611715bfc6abe4a2e29ba136daebee9d9a1ef187cdccb7fd953

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5f9fffc5bdae5a6acb747fab62b9f2a6

SHA1
e77c69102e4f2785bd676c4fbbaba9d949df2439

SHA256
cab28892e31de35c7e70d89b604850f9d83eaa89ad8c46461cba58eeb743fee0

SHA512
424d2180bb92315bede305a32d14831a8f9670a47ca04558917cf5cab7fb3ae284a549633b5e2686043ad38dd49029295caaa217d8fc1715d50d02cdcd1d5600

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
75bb059d87af0edf761358f8e119b470

SHA1
93fbc08b08ec258153f046f4f87dfc618f248bc3

SHA256
cc1cd819a7e38516914ed2ed7f324c14ebb12e6c8adee86d9c8e35e1cdb4ae00

SHA512
803353efd57098358cd7ace5f9b9134831781250555f0e8b9ca75a4db8221a7f19d397344a675c3157814c6489cc01e45500ff17210c18831145c87e74313721

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c7009d51f538014f97e1011c148ea5aa

SHA1
c07d93b3b27b201c18b84e36e64da85960acdfc2

SHA256
639e09ff19ce0c0fcc5ab49d6bff5362a170aa4097cd338a5962596ce514e88b

SHA512
23f6faac1b371b8815571407df0069eec86a3fb2791c8716fc0d25d6dcd5ac7e9119fb7a5f910e71546101f9e9ce436638948190203b0bbd574119a641750fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
053cc589dff62ea5a8b47891e967823c

SHA1
690b2e2e7b402e276fb7f325410320a8c5963816

SHA256
5c01168420d5329a0c3d2add08fb0a1d665c2d59f29ebeb781a5c470c11d5398

SHA512
260883258347df5af35c8eb20bb808bf609b223ef51dc8d36942ac0b50266a5b91a254f721faeedba4020629917d0320a1c72a80e1a3e12c29f23035576f87e4

Download Submit
C:\Users\Admin\AppData\Roaming\System32\svchost.exe

Filesize
556KB

MD5
af804b4395b81caec9fbc54b945c5f2f

SHA1
b4a3fed5277a21d96b37a09109519fe573d7084a

SHA256
f2885293397e2fa2fb685a94c0619644015aa98860478efdd8db2b5821ba891d

SHA512
19aea01695afe75568a93bd373179065f868aa9b8c054cf58cf35a4843504efc87d5fc58ad530607430f62f32bd59b9725d89952aac6991b69a1b62533aa7d8f

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
memory/1208-13-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/1944-572-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1944-3462-0x0000000007B20000-0x0000000007BAB000-memory.dmp

Filesize
556KB

Download
memory/1944-3464-0x0000000007B20000-0x0000000007BAB000-memory.dmp

Filesize
556KB

Download
memory/1944-4929-0x0000000007B20000-0x0000000007BAB000-memory.dmp

Filesize
556KB

Download
memory/1988-3512-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2676-537-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2676-3734-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2676-256-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2676-258-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2752-871-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2752-561-0x0000000001DE0000-0x0000000001E6B000-memory.dmp

Filesize
556KB

Download
memory/2752-309-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2752-12-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2752-9-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2752-8-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2752-7-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2752-5-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2752-3-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2816-3742-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2816-3499-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2876-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2876-6-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download