Malware Analysis Report

2025-01-22 13:45

Sample ID 240826-nj6xhaselq
Target c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118
SHA256 ee10ca5c80f4ed47a1ceff0ffac5f520e55f3a4b0c5b5ba7f7604a63cc69575d
Tags
hacked cybergate discovery persistence stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

ee10ca5c80f4ed47a1ceff0ffac5f520e55f3a4b0c5b5ba7f7604a63cc69575d

Threat Level: Known bad

The file c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hacked cybergate discovery persistence stealer trojan upx

Cybergate family

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Checks computer location settings

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 11:26

Signatures

Cybergate family

cybergate

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 11:26

Reported

2024-08-26 11:29

Platform

win7-20240729-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\Taskbar.exe" C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\Taskbar.exe" C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{S1MKAS1C-6N70-74AM-5S8H-1838050037S0}\StubPath = "C:\\Windows\\install\\Taskbar.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{S1MKAS1C-6N70-74AM-5S8H-1838050037S0} C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{S1MKAS1C-6N70-74AM-5S8H-1838050037S0}\StubPath = "C:\\Windows\\install\\Taskbar.exe Restart" C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{S1MKAS1C-6N70-74AM-5S8H-1838050037S0} C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install\Taskbar.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\install\Taskbar.exe C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\Taskbar.exe C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\ C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
File created C:\Windows\install\Taskbar.exe C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe"

C:\Windows\install\Taskbar.exe

"C:\Windows\install\Taskbar.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 username.comeze.com udp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp

Files

memory/1244-3-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/2036-246-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2036-248-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2036-539-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 561b4f32d31b498d22503d4f6dabc090
SHA1 a567bc8e2e856953abccc393eca56594c5a3cb71
SHA256 477ba79653c0b34dfb3174d43a889330800b545ecede2f505b2547db3e98788d
SHA512 f3123f2c876c4108628de1d58cd26b03bfd99360e6cfcbfdfedd72c1a2417be29ef50a1e5688f9fc6d4c1ff74abce69aca03b52e981c7abeeed58e071be866bd

C:\Windows\install\Taskbar.exe

MD5 c2e534b4097688a5c1633a6ecb03ba87
SHA1 c0e490b3593cf0f4fcabe1db279c26a8424289b0
SHA256 ee10ca5c80f4ed47a1ceff0ffac5f520e55f3a4b0c5b5ba7f7604a63cc69575d
SHA512 1b8cd5c6f1c487510ea4d14f5f863b76ee52a93f3dcb041df320b281407963ae8cd6e4294004dd9b2fda432317ff9aed88bb019db70d9f6a87304923e2858b7e

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/2036-894-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8eb84741ae7a1d0460c5b3af151b5120
SHA1 1adbbc3e38c5a48f17d25fb4ede657f2a3f33afe
SHA256 2aa4c3891304564caf1a1d232a38d7aab64555054f915eb4205d2f0796405e38
SHA512 28683f74ce58648fb65d21cd928de2eb40ca9dce3f24e16183e6a62779751d68879c96b6b4668c09092307e5def7fdb6cedb6855ba00b038a8f4821cb181bafb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 915c08e11dde15c0e6ba017f673d6b8e
SHA1 8d9bdc7b3185098dfafedb543387407bb9f2a4cd
SHA256 8efbb9dbc100d3405dd171845da690e53d09a822e23f1df1d654347f7581e017
SHA512 1c5d9edc4de18ed7646e72a2d05b65712dac1a78f2b90f6b746786fcf9e621d1d7fd358dabef4cd9c3b1adf4910f8d414dea53632c3bb694bc6eebeb6bc238f7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 cdf7781b36d4182d1f94185764c57baf
SHA1 cc531bce28cbe4b4371a27e827d3ed2efb36ee34
SHA256 5ce4918c2735eb3f94c1117f4a5e2c3aa04952fda9e028b06b6e356553b4cd94
SHA512 673a3649c76bbab9f420bcc90583ede14b32c6088d8ac402184dc8e7b109f7f1810227b5d63f2798ba51b78f9bed0af8b7c3ed1a64caae39423a27daffec754f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 57486498e252f5d3f56f163ee3863b61
SHA1 39d1c17426362e0f9b777275e2f8a3a5ed023a66
SHA256 654488c65bf864ca8adebe67ee9d3c2abab5085498e4279072cf1369081896e4
SHA512 08b666e49ca71e5e33c734b26a838fa539944739929c5e86321aee0fdd11060dcad56f83c7fb08b89bf3cd90a57a7f5ac4529c81327ababddd6034a6b31170f4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b32882b1693f6a0e60d36c9cbfa993b8
SHA1 6b65e9d899cce2bb9e9fa8687077cc73ea9ea06e
SHA256 632a0783f70e430430ad797dcb440de34003725de803df3d14b6c2a8c5598e90
SHA512 97eaa1a94d890783437c0b9e542e70cceb92d676c61a1cb919862202a6242d02ddad9ef9f99396ef9c86e6513ef0c8dbb7dcce04eba9724e5f6ae3def359bb47

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9b1b4e7dcc351a5d124756dbc7cbb891
SHA1 8e0c089171563bdef7c50394e4dba1bdf4b1c499
SHA256 a4683ff278d1b883648c9fdf0d50b8aeb4bd36ad4bf51eeb19e49b7409247592
SHA512 f4920f00ab3199696099f8e6827c59415b3b0c1730cacf0b230b9657558951db6be48a4fed45df11eb7fe61b49fab288a8cf47f5b674cbc1acb84badc61ac3cb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e366f4ab3bd52c4899ce563241338237
SHA1 af277cf57c7fdbd6142f69bcf0ef017b65d1131c
SHA256 ab77b147f8cb76691d31e0ef90a8a387e2a62e2b5b3ccb7e117fb80e0b982e93
SHA512 203f8d43461ae69cb074fd5c765ae14448249066af270c118499c6bd4a396911be68acab3b81fe400688059acc1d6c8f2e012e0fe58f237ce532ffc117e0bc95

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3f348bd8dd361a50cc58cb297b983049
SHA1 c52f6786afc695ebd4996328069429ccdcdc5936
SHA256 052fe0dc7713fdc51553a8abe4fe6b446992db1cb1c85ad2d82e6f834bac6b04
SHA512 dafababc533cac9edf77f83e7813669782df4d0a1c188c6635143382f4f5d3fe8e791b620bdc9da3ab41c0427507e693f2cda0d0e49bce5b3462ee70e34571b9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ce4365f3d211d053abe5213318bb3e88
SHA1 b3f92d0949560564d16341ff8f046e6bde1a157c
SHA256 91de322072a2f29025e560f97bc31530bd28c4286d7f07174ced7be8bc47c33e
SHA512 8cf15a27e83642c8dff524d9bcdf459e1ec3bbeab3a90f708cbbe5c26f21763523e91c1dd60b7c1c85ff688449766f8f8872c57b317db057534d9e190298d1c1

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d431f989eeac31e2c082b0ddf85e118b
SHA1 d23b792850f4c79c8efb63743054198a7402838e
SHA256 72080d733c34cf6e57e0a6aba5f0b8ff2aa9472a1335e639164dec5355f7949d
SHA512 024225220dac50824eee171a96c7d3449d153f423ed8e0e3a599825daee57e1a86dd946d0d36896cddd99b5d5891f7b383db46759cfed623e5db20a68d05b93b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7794390b512d5aa813825ded40343fdb
SHA1 53b5642674488276d59080770fd1c45cf667329f
SHA256 0debda889743e08df672defbbaa1dbee39f9ab22ef8d0ca95ae3476995cbca24
SHA512 bb8717b7163ccdeb364670c49cb8fb15c83a7465af6f5a868c539b3183293e4f13d63eb6a73b545cd6edf6ca9e83b224e4a9538b7d73d856d743b0ad386843b5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 08d6bf648f7fd0e6a9db72b8d7219864
SHA1 a8ce4da78b692064c3b260b4fc6c64687272764e
SHA256 9d5e1d0391be1992f53043671ac27441ffbc44e6c09437d049d255998080c16d
SHA512 5fbc40180d1cf2ca09f2bdcc6e78a913efa37f1dae69953a24bce34a67619ef685c134636c761efcf74bfe5f9efd4f4c87d1b6e647fbadf3d8f190800e1cf078

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 bb46b6fec9d38e0e93f3002353218577
SHA1 d0ae66bd7a40aaea6c1ff044ce34d92d335adf55
SHA256 f894862be19fae1b2c70a41efc8b5b1fcc730b742ee6fd640522a9a091da923e
SHA512 dac9e20289d7e69b7b6f547e4a6849ad7d78d702d3bc43c339a527d3fffb79c7592ffdf72f88020c8ad969a2651f654ac60c26d85bbd2495647e4db7eeed21ad

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2c1c3e39d24d5b95e42b144e1fe02f25
SHA1 1e4c260701f6a4d3234924a778c9cb3b99c41313
SHA256 37be30f159d77068ed0629199a6fbf9352736ca8190925f9b7f5c00a994a1e51
SHA512 1b92874ff7d4519ad4673ce2c655af35a37c79aeeba55b0ded2ee46c306e8678fb2716e1506163ab261361bbc6de16faa9ad6b6b56cb0d4d9c07eadb2e919091

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8bc112075738eedce7b86e451bf1d523
SHA1 62ac8b6bc200bfdfff4cc1edbd21deda354c2e9f
SHA256 4d75cf40d6ccb622ae69561cbcfcc356e4f397c4203346008aaded63b1595407
SHA512 7c776af684281bb1ad76c64d2810d306a7f6921710e203656af9f8c8d98821ff47ed9b032e7ca52785ba0a632ab897e32907ba57094ca6804a865b4f8520e47e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0747eaf538e8aec70f439ebcf1f15c03
SHA1 f16b44b03cf6e9024b4b7fed8d75758483079c71
SHA256 de8f72d86edef888bd47f8f3c98e3f0b27307a9a935320d0e2a8f9c64dec4d11
SHA512 b3ed8fb76b1b807fa58aa47ac53136970f4432b6b35d3f45bb3c3700211eb0d8eeed346c89332ec54f4024b30ec6d09db3cb0e7e887ae25b22cdf9efd19987e5

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 11:26

Reported

2024-08-26 11:29

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\Taskbar.exe" C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\Taskbar.exe" C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1MKAS1C-6N70-74AM-5S8H-1838050037S0} C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1MKAS1C-6N70-74AM-5S8H-1838050037S0}\StubPath = "C:\\Windows\\install\\Taskbar.exe Restart" C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1MKAS1C-6N70-74AM-5S8H-1838050037S0} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1MKAS1C-6N70-74AM-5S8H-1838050037S0}\StubPath = "C:\\Windows\\install\\Taskbar.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install\Taskbar.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\install\Taskbar.exe C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\Taskbar.exe C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\Taskbar.exe C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\ C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\install\Taskbar.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\install\Taskbar.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe C:\Windows\Explorer.EXE (this identical row appears 52 times in the report: 52 separate WriteProcessMemory calls from the sample, PID 3764, into Explorer.EXE, PID 3540)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c2e534b4097688a5c1633a6ecb03ba87_JaffaCakes118.exe"

C:\Windows\install\Taskbar.exe

"C:\Windows\install\Taskbar.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3608 -ip 3608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 588

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 username.comeze.com udp
US 153.92.0.100:80 username.comeze.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 153.92.0.100:80 username.comeze.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 153.92.0.100:80 username.comeze.com tcp
US 52.111.227.11:443 tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
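The table above mixes the RAT's command-and-control traffic with sandbox and Windows background noise (reverse PTR lookups, Bing endpoints). The script below is an added example, not part of the report or of the sandbox's tooling: it parses the 35 rows exactly as printed above, separates DNS lookups from connections, and ranks the remaining endpoints by connection count after dropping a baseline. The baseline suffixes (.bing.com, .bing.net, .in-addr.arpa) are an assumption about what a clean detonation of the same image produces; they are not stated in the report. The one row with no resolved name (52.111.227.11:443) is kept with an empty domain.

```python
"""Rank the endpoints in a sandbox Network table to find the likely C2.

Added example. NETWORK_ROWS is copied verbatim from the report above;
BASELINE_SUFFIXES is an assumption about clean-image background traffic.
"""
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 username.comeze.com udp
US 153.92.0.100:80 username.comeze.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 153.92.0.100:80 username.comeze.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 153.92.0.100:80 username.comeze.com tcp
US 52.111.227.11:443 tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
US 153.92.0.100:80 username.comeze.com tcp
"""

# ASSUMPTION: names a clean detonation of the same Windows image also touches.
BASELINE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")


def parse_rows(text):
    """Turn 'Country Destination Domain Proto' lines into dicts.

    A 3-field row is a connection the sandbox could not attribute to a name.
    """
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_dns(row):
    return row["proto"] == "udp" and row["port"] == 53


def is_baseline(row):
    return row["domain"].endswith(BASELINE_SUFFIXES)


def connection_counts(rows):
    """Number of non-DNS connections per (host, port, attributed domain)."""
    return Counter((r["host"], r["port"], r["domain"])
                   for r in rows if not is_dns(r))


def dns_noise(rows):
    """Names that were looked up but never connected to (PTR lookups here)."""
    looked_up = {r["domain"] for r in rows if is_dns(r)}
    connected = {r["domain"] for r in rows if not is_dns(r)}
    return sorted(looked_up - connected)


def candidate_c2(rows):
    """Most-contacted non-baseline endpoint; flags plain HTTP on port 80."""
    counts = Counter((r["host"], r["port"], r["domain"])
                     for r in rows if not is_dns(r) and not is_baseline(r))
    (host, port, domain), n = counts.most_common(1)[0]
    return {"host": host, "port": port, "domain": domain,
            "connections": n, "cleartext_http": port == 80}


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for key, n in connection_counts(rows).most_common():
        print(n, *key)
    print("dns-only names:", len(dns_noise(rows)))
    print("candidate C2:", candidate_c2(rows))
```

Ranking by connection count works here because the RAT polls its server repeatedly inside a 150-second window (13 TCP connections to 153.92.0.100:80, against five to tse1.mm.bing.net and one to each other endpoint); a quieter implant would need the baseline diff rather than the count to stand out. Note also that the Domain column for a TCP row is the sandbox's attribution from the preceding A-record answer, not a value read from the connection itself.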

Files

memory/3764-3-0x0000000010410000-0x0000000010475000-memory.dmp

memory/3764-6-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/3600-8-0x00000000010C0000-0x00000000010C1000-memory.dmp

memory/3600-7-0x0000000001000000-0x0000000001001000-memory.dmp

memory/3600-66-0x0000000003BB0000-0x0000000003BB1000-memory.dmp

memory/3764-63-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/3600-68-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 561b4f32d31b498d22503d4f6dabc090
SHA1 a567bc8e2e856953abccc393eca56594c5a3cb71
SHA256 477ba79653c0b34dfb3174d43a889330800b545ecede2f505b2547db3e98788d
SHA512 f3123f2c876c4108628de1d58cd26b03bfd99360e6cfcbfdfedd72c1a2417be29ef50a1e5688f9fc6d4c1ff74abce69aca03b52e981c7abeeed58e071be866bd

C:\Windows\install\Taskbar.exe

MD5 c2e534b4097688a5c1633a6ecb03ba87
SHA1 c0e490b3593cf0f4fcabe1db279c26a8424289b0
SHA256 ee10ca5c80f4ed47a1ceff0ffac5f520e55f3a4b0c5b5ba7f7604a63cc69575d
SHA512 1b8cd5c6f1c487510ea4d14f5f863b76ee52a93f3dcb041df320b281407963ae8cd6e4294004dd9b2fda432317ff9aed88bb019db70d9f6a87304923e2858b7e

memory/720-138-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/3600-159-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/720-161-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 801f2550b7efca254a424e59567757e6
SHA1 9a82ab75995b01cd75809cf8098dd1acb3fe9500
SHA256 58811ad620a224e0cad6ea2e4584383ff3ec897d0bdb7a871d3416e72f132a80
SHA512 867ab6d056a331b03caf48ba43e362d4fa38c3091f761df7fdd7b75d3fbf4d16b8a319470bd6d5cc3d1acf010b08f6685e51045a81aee7a23f6fb9548133083c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 87355e3adaead72213862997bb887112
SHA1 3740e416a6cf8b67966a53b4730a79647d32cef7
SHA256 027df340980dd889addc6aa3849be4606230118b1b4fe19a0ebe44ac0911eafc
SHA512 e99b7ac03f427a54715fe89e64ea8b90e6d8504d28ba840f0f4559f511a1e1fec9cb909f3ecf90170502a6a0c2d52928d823ddc772581b4e12bb0aea937ed4f3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8eb84741ae7a1d0460c5b3af151b5120
SHA1 1adbbc3e38c5a48f17d25fb4ede657f2a3f33afe
SHA256 2aa4c3891304564caf1a1d232a38d7aab64555054f915eb4205d2f0796405e38
SHA512 28683f74ce58648fb65d21cd928de2eb40ca9dce3f24e16183e6a62779751d68879c96b6b4668c09092307e5def7fdb6cedb6855ba00b038a8f4821cb181bafb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 915c08e11dde15c0e6ba017f673d6b8e
SHA1 8d9bdc7b3185098dfafedb543387407bb9f2a4cd
SHA256 8efbb9dbc100d3405dd171845da690e53d09a822e23f1df1d654347f7581e017
SHA512 1c5d9edc4de18ed7646e72a2d05b65712dac1a78f2b90f6b746786fcf9e621d1d7fd358dabef4cd9c3b1adf4910f8d414dea53632c3bb694bc6eebeb6bc238f7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 cdf7781b36d4182d1f94185764c57baf
SHA1 cc531bce28cbe4b4371a27e827d3ed2efb36ee34
SHA256 5ce4918c2735eb3f94c1117f4a5e2c3aa04952fda9e028b06b6e356553b4cd94
SHA512 673a3649c76bbab9f420bcc90583ede14b32c6088d8ac402184dc8e7b109f7f1810227b5d63f2798ba51b78f9bed0af8b7c3ed1a64caae39423a27daffec754f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 57486498e252f5d3f56f163ee3863b61
SHA1 39d1c17426362e0f9b777275e2f8a3a5ed023a66
SHA256 654488c65bf864ca8adebe67ee9d3c2abab5085498e4279072cf1369081896e4
SHA512 08b666e49ca71e5e33c734b26a838fa539944739929c5e86321aee0fdd11060dcad56f83c7fb08b89bf3cd90a57a7f5ac4529c81327ababddd6034a6b31170f4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b32882b1693f6a0e60d36c9cbfa993b8
SHA1 6b65e9d899cce2bb9e9fa8687077cc73ea9ea06e
SHA256 632a0783f70e430430ad797dcb440de34003725de803df3d14b6c2a8c5598e90
SHA512 97eaa1a94d890783437c0b9e542e70cceb92d676c61a1cb919862202a6242d02ddad9ef9f99396ef9c86e6513ef0c8dbb7dcce04eba9724e5f6ae3def359bb47

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9b1b4e7dcc351a5d124756dbc7cbb891
SHA1 8e0c089171563bdef7c50394e4dba1bdf4b1c499
SHA256 a4683ff278d1b883648c9fdf0d50b8aeb4bd36ad4bf51eeb19e49b7409247592
SHA512 f4920f00ab3199696099f8e6827c59415b3b0c1730cacf0b230b9657558951db6be48a4fed45df11eb7fe61b49fab288a8cf47f5b674cbc1acb84badc61ac3cb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e366f4ab3bd52c4899ce563241338237
SHA1 af277cf57c7fdbd6142f69bcf0ef017b65d1131c
SHA256 ab77b147f8cb76691d31e0ef90a8a387e2a62e2b5b3ccb7e117fb80e0b982e93
SHA512 203f8d43461ae69cb074fd5c765ae14448249066af270c118499c6bd4a396911be68acab3b81fe400688059acc1d6c8f2e012e0fe58f237ce532ffc117e0bc95

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3f348bd8dd361a50cc58cb297b983049
SHA1 c52f6786afc695ebd4996328069429ccdcdc5936
SHA256 052fe0dc7713fdc51553a8abe4fe6b446992db1cb1c85ad2d82e6f834bac6b04
SHA512 dafababc533cac9edf77f83e7813669782df4d0a1c188c6635143382f4f5d3fe8e791b620bdc9da3ab41c0427507e693f2cda0d0e49bce5b3462ee70e34571b9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ce4365f3d211d053abe5213318bb3e88
SHA1 b3f92d0949560564d16341ff8f046e6bde1a157c
SHA256 91de322072a2f29025e560f97bc31530bd28c4286d7f07174ced7be8bc47c33e
SHA512 8cf15a27e83642c8dff524d9bcdf459e1ec3bbeab3a90f708cbbe5c26f21763523e91c1dd60b7c1c85ff688449766f8f8872c57b317db057534d9e190298d1c1

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d431f989eeac31e2c082b0ddf85e118b
SHA1 d23b792850f4c79c8efb63743054198a7402838e
SHA256 72080d733c34cf6e57e0a6aba5f0b8ff2aa9472a1335e639164dec5355f7949d
SHA512 024225220dac50824eee171a96c7d3449d153f423ed8e0e3a599825daee57e1a86dd946d0d36896cddd99b5d5891f7b383db46759cfed623e5db20a68d05b93b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7794390b512d5aa813825ded40343fdb
SHA1 53b5642674488276d59080770fd1c45cf667329f
SHA256 0debda889743e08df672defbbaa1dbee39f9ab22ef8d0ca95ae3476995cbca24
SHA512 bb8717b7163ccdeb364670c49cb8fb15c83a7465af6f5a868c539b3183293e4f13d63eb6a73b545cd6edf6ca9e83b224e4a9538b7d73d856d743b0ad386843b5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 08d6bf648f7fd0e6a9db72b8d7219864
SHA1 a8ce4da78b692064c3b260b4fc6c64687272764e
SHA256 9d5e1d0391be1992f53043671ac27441ffbc44e6c09437d049d255998080c16d
SHA512 5fbc40180d1cf2ca09f2bdcc6e78a913efa37f1dae69953a24bce34a67619ef685c134636c761efcf74bfe5f9efd4f4c87d1b6e647fbadf3d8f190800e1cf078

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 bb46b6fec9d38e0e93f3002353218577
SHA1 d0ae66bd7a40aaea6c1ff044ce34d92d335adf55
SHA256 f894862be19fae1b2c70a41efc8b5b1fcc730b742ee6fd640522a9a091da923e
SHA512 dac9e20289d7e69b7b6f547e4a6849ad7d78d702d3bc43c339a527d3fffb79c7592ffdf72f88020c8ad969a2651f654ac60c26d85bbd2495647e4db7eeed21ad

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2c1c3e39d24d5b95e42b144e1fe02f25
SHA1 1e4c260701f6a4d3234924a778c9cb3b99c41313
SHA256 37be30f159d77068ed0629199a6fbf9352736ca8190925f9b7f5c00a994a1e51
SHA512 1b92874ff7d4519ad4673ce2c655af35a37c79aeeba55b0ded2ee46c306e8678fb2716e1506163ab261361bbc6de16faa9ad6b6b56cb0d4d9c07eadb2e919091

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8bc112075738eedce7b86e451bf1d523
SHA1 62ac8b6bc200bfdfff4cc1edbd21deda354c2e9f
SHA256 4d75cf40d6ccb622ae69561cbcfcc356e4f397c4203346008aaded63b1595407
SHA512 7c776af684281bb1ad76c64d2810d306a7f6921710e203656af9f8c8d98821ff47ed9b032e7ca52785ba0a632ab897e32907ba57094ca6804a865b4f8520e47e
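Two things in the Files section decide how the artifacts above can be used on a live host. C:\Windows\install\Taskbar.exe carries the same MD5/SHA256 as the submitted sample, so the RAT installs by copying itself and that path can be matched on hash. C:\Users\Admin\AppData\Local\Temp\Admin7, by contrast, was recorded with 16 different hashes in a single run, so hashing it is pointless and only the path is a usable indicator. The sweep below is an added example, not the report's or the sandbox's code. It assumes, and the report does not say so, that the Admin prefix in Admin2.txt, Admin7 and Adminlog.dat is the sandbox user name, so the per-user paths are expanded for every profile under Users\. The demo tree it builds is constructed throwaway content, not the sample.

```python
"""Sweep a drive root for the dropped-file artifacts from the report.

Added example. SAMPLE_SHA256 and the paths come from the report's Files
section; the {user} substitution is an assumption the report does not state.
"""
import hashlib
import os
import tempfile

# SHA256 of both the submitted sample and the dropped C:\Windows\install\Taskbar.exe.
SAMPLE_SHA256 = "ee10ca5c80f4ed47a1ceff0ffac5f520e55f3a4b0c5b5ba7f7604a63cc69575d"

# Fixed-location artifacts matched on content: path parts relative to the drive root.
HASH_IOCS = {
    ("Windows", "install", "Taskbar.exe"): {SAMPLE_SHA256},
}

# Per-user artifacts matched on path only (Admin7 alone had 16 hashes in one run).
# ASSUMPTION: "Admin" is the sandbox user name and is substituted per profile.
USER_PATH_IOCS = [
    ("Users", "{user}", "AppData", "Local", "Temp", "{user}2.txt"),
    ("Users", "{user}", "AppData", "Local", "Temp", "{user}7"),
    ("Users", "{user}", "AppData", "Roaming", "{user}log.dat"),
]


def sha256_file(path, chunk=1 << 20):
    """Streaming SHA256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root):
    """Return sorted [(relative_path, reason)] for every indicator present under root.

    reason is one of: hash_match, path_match_hash_mismatch, path_match.
    A hash mismatch at the install path still matters: it is the same
    install location with a different build.
    """
    findings = []
    for parts, hashes in HASH_IOCS.items():
        p = os.path.join(root, *parts)
        if os.path.isfile(p):
            reason = "hash_match" if sha256_file(p) in hashes else "path_match_hash_mismatch"
            findings.append(("/".join(parts), reason))

    users_dir = os.path.join(root, "Users")
    users = os.listdir(users_dir) if os.path.isdir(users_dir) else []
    for user in users:
        if not os.path.isdir(os.path.join(users_dir, user)):
            continue
        for template in USER_PATH_IOCS:
            parts = tuple(part.format(user=user) for part in template)
            if os.path.isfile(os.path.join(root, *parts)):
                findings.append(("/".join(parts), "path_match"))
    return sorted(findings)


def demo():
    """Build a constructed profile tree (placeholder bytes, not malware) and sweep it."""
    constructed = {
        ("Windows", "install", "Taskbar.exe"): b"constructed placeholder, not the sample\n",
        ("Users", "alice", "AppData", "Roaming", "alicelog.dat"): b"constructed\n",
        ("Users", "alice", "AppData", "Local", "Temp", "alice7"): b"constructed\n",
        ("Users", "bob", "Desktop", "notes.txt"): b"unrelated\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for parts, data in constructed.items():
            p = os.path.join(root, *parts)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        return sweep(root)


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(reason, rel_path)
```

Point sweep() at the root of a mounted image or a live C:\ drive; the demo tree only shows the three outcomes. In the demo the placeholder Taskbar.exe is reported as path_match_hash_mismatch, which is the result to expect on a host infected with a different build of the same RAT family installed to the same location.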