Analysis Overview
SHA256
a354500c53b0042e32b9a331375eee6a572154589f9301fe827db5fc1e71d2b5
Threat Level: Known bad
The file ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Loads dropped DLL
UPX packed file
Deletes itself
Executes dropped EXE
Suspicious use of SetThreadContext
Drops file in System32 directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-30 09:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 09:15
Reported
2024-08-30 09:18
Platform
win7-20240705-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\nsrss.exe" | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\nsrss.exe" | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A1XG3QB-O0EL-DJ02-1APH-447FOR40TWM4}\StubPath = "C:\\Windows\\system32\\nsrss.exe Restart" | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A1XG3QB-O0EL-DJ02-1APH-447FOR40TWM4} | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\nsrss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nsrss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nsrss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nsrss.exe | C:\Windows\SysWOW64\nsrss.exe | N/A |
| File created | C:\Windows\SysWOW64\nsrss.exe | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nsrss.exe | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nsrss.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2712 set thread context of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe |
| PID 2508 set thread context of 1828 | N/A | C:\Windows\SysWOW64\nsrss.exe | C:\Windows\SysWOW64\nsrss.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nsrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nsrss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\SysWOW64\nsrss.exe | "C:\Windows\system32\nsrss.exe" |
| C:\Windows\SysWOW64\nsrss.exe | "C:\Windows\SysWOW64\nsrss.exe" |
The sample and its drop are 32-bit (note the Wow6432Node keys and the SysWOW64 images). The Run values and the first nsrss.exe launch use the path C:\Windows\system32\nsrss.exe, but WOW64 file-system redirection maps that path to C:\Windows\SysWOW64 for a 32-bit process, which is why the file is created in and runs from SysWOW64. On a 64-bit host a 64-bit tool that checks only the literal path stored in the registry will not find the file; check C:\Windows\SysWOW64 as well. The second instance of the sample and the second instance of nsrss.exe are the SetThreadContext targets listed above, and the 32-bit explorer.exe started with the bare command line explorer.exe is the process to which the later behaviour (SeDebugPrivilege, self-deletion, foreground-window polling) is attributed.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xxdepelxx.is-the-boss.com | udp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
Files
memory/2712-1-0x0000000000020000-0x0000000000023000-memory.dmp
memory/2712-0-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2836-6-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2836-7-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2836-8-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2836-9-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2712-10-0x0000000000400000-0x0000000000419000-memory.dmp
memory/1196-14-0x0000000002E10000-0x0000000002E11000-memory.dmp
memory/2836-13-0x0000000024010000-0x0000000024072000-memory.dmp
memory/1684-257-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1684-259-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/2836-320-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1684-550-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/2836-548-0x0000000000400000-0x0000000000450000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 393157b7ce52c73c01291007e2fafb2f |
| SHA1 | b2955687957d4f187dcf6b3ced1aac7abac1f768 |
| SHA256 | ce58c30733cb710eb25fd69b8cb3d584e166cfd63f9b360457344803edf04376 |
| SHA512 | 000b56341474637a19ef67d3e23af6e9e3ed6a1b9fac3dbdc347c2b0ba50ffad0b7c8b2ae0141d7ac558921abaaaedf8a0f1f9e44e5891c9ac32cffa8ad2da7f |
C:\Windows\SysWOW64\nsrss.exe
| MD5 | ca8d5059de6edbdb4b0ddc061f6cf8fd |
| SHA1 | f67fd864383c55c42af4d5de17380cac755856e6 |
| SHA256 | a354500c53b0042e32b9a331375eee6a572154589f9301fe827db5fc1e71d2b5 |
| SHA512 | fbd633d5967b9189286b40c5f58a6338ce4a2b68544c422992f2ece8870f4771c9d72768995855604d966af18be34723db2f5f2e5a194ad89335d5dc78aa6935 |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
memory/1684-571-0x0000000003860000-0x0000000003879000-memory.dmp
memory/2508-574-0x0000000000400000-0x0000000000419000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1385883288-3042840365-2734249351-1000\88603cb2913a7df3fbd16b5f958e6447_0b857b27-3438-41f8-a27a-43f96d095be3
| MD5 | 5fc2ac2a310f49c14d195230b91a8885 |
| SHA1 | 90855cc11136ba31758fe33b5cf9571f9a104879 |
| SHA256 | 374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092 |
| SHA512 | ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3 |
memory/2508-583-0x0000000000400000-0x0000000000419000-memory.dmp
memory/1684-586-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | bf513bc785ef1808a10cac4c64f955e0 |
| SHA1 | 7c98f8b52ff467425bb6c48904e6fe125721ebe8 |
| SHA256 | 6b98cca18b74278a305a40b3f21282824f92e3c6e94b306de5d06a0474de3bd9 |
| SHA512 | 2641afda0912b02b82cd41974d09b97175fb8e7fa57b51c136148a8f8df0f93abb418fc2eea283007108a8eeb7802e1a19c5cd3ca6dbc211089ca9daf23ef8f2 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c76edcc2b6543b874b3773da24716b11 |
| SHA1 | 90ad8be66ffd5db9ac5d1e7f3b2d736fa717d46d |
| SHA256 | e6f99d402bf50dac9026ecad19d50ba1baa347e3d234c0ce98b002a3abcaf8ba |
| SHA512 | f7fe1e99177ed59730b0295dfaaf587dedd2e9338c0c65a5240a848df3f3581c74e6c18d87b2a1f4c9baf3841aa083f582d3339eb874ed42f6657802689f322c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4b0eaf11ac9c4698a99f7d40f833be62 |
| SHA1 | 7c3e2d5e0e84fd43095c9202aa19d95e8951ea9f |
| SHA256 | 4151392f2b0398656de024ffd8698743d1207495dea6e7a1969a416928f4212d |
| SHA512 | d08c1f9e66ee7209d082d2c067a4db0f765db14c8c3b32bbad8edf8ccd6692c00c5a3cf0c3de3829378e398b10b127c8b37313361c7991e13853bf77a6bf5876 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c26be120589db1366709e88195d68081 |
| SHA1 | e11604be1445f93bd32d282530d32d2a78aab9fa |
| SHA256 | 5ee3c809af27629e71062c82b170f7b867165d80f8558a87d61c134eba5a8888 |
| SHA512 | ab9dd889ce450b0b46c5f7ef6427dfe8f2806e511ab04ba616057c0dd260ded333ddbac6da4f4ff0c511c045b2bafc876a2c7a1b638285bec957701427b4fc8f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f8b532c82bb52c0e1bc854f72057a459 |
| SHA1 | af518d8fc1f8d00d77f45976a28560d5eafd4b5e |
| SHA256 | 64c73c7e4e0aa70a596811b12d0ff7a1b2d393eecdffa5688bfd70fb83e28979 |
| SHA512 | 929981224607ef40bcfc1825924ed58e89140fea5370fdf176c60f22281dda775e1187f73c8355d18c1cd74654bba94aac98aee9c00a072c35ec6e3a04d6f2a4 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 0fc0b10c0bd281f6226143294a420c48 |
| SHA1 | d23778b73db06539ee21fde25c4d06cb6d0844ba |
| SHA256 | 9089c056a63947af75ef97bc3272d698378d1ae1e91f13794f4e0e23317eb785 |
| SHA512 | c63ac800b27ef10374ff966863a5f9d2869dd51f08ec2e46849c7d6c972522b8a1395e190177be3b554df99bd44e52026dd1ad372766b04b312db4410c15d0bb |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b329a93c612e8cf1aaedc6f1c80e3aa0 |
| SHA1 | f622566c5c85490ef3f199674bf8223a689abd3d |
| SHA256 | c0cbafee0ebdc35ea8e20669430fc8e7a291eaad91d6a7e00fc3e6b96ff91177 |
| SHA512 | 8b295866b4cdf6accb468dc7ead8384cf034c49cf1f501cb9d58cc6d1081d721af5f2b03f54cec9a51258b3b1574ca8697c2ac92e2bc880ac3540fef7164a863 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 42f1d5b978fd46033faa4532f54c9160 |
| SHA1 | 4b0a56aec3d1de5d2d8f6200226c40d5756e7d19 |
| SHA256 | 3bff3af5e9848499239ae7f038f258b0475d277e4bf709d0983e1bc57b66ee6a |
| SHA512 | b9f9925d10fdb6cc7a35016e936be245f89e81b5e6863fb769446cd6b43f8db376b87d1cbe93df75cd2ac224d0ae8af0d7207f6ea7f0bcec8a1f23bb40a72707 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 54969670862de186d2981b6bef509e5d |
| SHA1 | faa0e023b20aa34f2ba362efb383e9ca3c467756 |
| SHA256 | d572f17066d4e84f225ff62588415e60ad688bf627608de5a1df600aed84bf9c |
| SHA512 | fe64701cf68e4e77f844f3cf9b15dcd26780863d9844f3fc807ce06209d878c17383e37ef6d33be2f78207b4b5982c76bc1630966acd89741261b9db32e26ac2 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 89eef747891ad5ea24ba3742c5d8756a |
| SHA1 | 17369a210330052365d905489a76874c6ac89b80 |
| SHA256 | 95a1ebdd4e7484f04e673385d0bd32b1299ccb500ad7633d51666a2be4e579dc |
| SHA512 | cfb6a06aa1f9f388d2439058f87e1fe17906d851e7e9e92b8801a33b38bf52dccb2aa5d5d367408e2741d8bd5693a7eff90379a9ce27ff98786a6e7b4d198a4b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 702e8d773193557d8f96db4a9e80c2a9 |
| SHA1 | be2222ae26b652c1ec454c292cda9bc0bec477d9 |
| SHA256 | 6f0d0851223023e332fc417f2b7d822c0413d1d292daebad8a2671de461e23d2 |
| SHA512 | 08a251e0a74f97c86d5bc0accf3547c9f4f2be2ccafd271f0de0a73a8d6e20cbc9035e651cb3ea1433a048da6c5c83aafc501f578432d3b96593908359031b87 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 15895d1d7189d31cad1125c2e97b7250 |
| SHA1 | ae8f60d405de5d2390c2a00c912d55625886e8e9 |
| SHA256 | 2b3c0e6f602a9b7dd2ff66d4780b8576f99454b760c56be2540b814b6c12e52d |
| SHA512 | 876cd804f7858fe2c4b336c71fa8d24a6b2f5f0a3414b211acad50b46e454b90cbff13c509fa22b52d199fd45376aef57a3caa4df1a6a41544bfef0137b64baf |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | e91804b34ca4422ad1dd973627c2a3d9 |
| SHA1 | 0ffb7dd2577dfc0b6697ed86ddb4d97f6b97aece |
| SHA256 | c50a35a17b293612cb2c9d3946779cc6526f1103fd37cb4cd70131fbe005c025 |
| SHA512 | 90ffce6cc17103d33e8ece0d43f43f102c503af92b081e9fc668752cc84862182716b5daa6a87bcf7d6ec02c073a01d9ed9478244aaa2cf9dc174381d7518cfa |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 10ef5202fdaf9785fb9067e51b880f1a |
| SHA1 | 91072080b8608a3e9326255a946624ca292a0da6 |
| SHA256 | 830a9e8ea585d3fb4663e0bb11d5b3e22037a770d5300ab0eccc7088138e8a29 |
| SHA512 | df7688611a0e5a6357a72803f8d94bfd112a55812caf5f34e070aed9a4444a3aab63e41b6432f842fa186cd87962effa56da23884b556656d31531dd92dd7e8a |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 78cfa64d2b16820f6fc72ffa903325ea |
| SHA1 | 16df7e4845fa774d60f271fbb2fc9e684377ebd3 |
| SHA256 | 6f56e64d01ea179942d5d289b4d1e9dd58dc1811bf9900f436d16b27d7f5da84 |
| SHA512 | c03a975c2b59a9a1851727ac69e4fc7a89272409ba7eb2d86e1239196f904aa05cf23549c8ee3b8738b52c2c101855534a41d3f2c83b2bff928aeea81bb745d7 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 14c6f80810acb34de9caa111c343d83e |
| SHA1 | 54fe766bbcfe44567156c1e3061ee310cf1825d8 |
| SHA256 | da51a4e4faf65a8c46cd549010fcfe445f9072cfd0d4ca30e34987bb36ff4e80 |
| SHA512 | 22e2a95432533412b3bbe562e9fec2a794c4da22a6b736373726c8bfaaffcb7c25e31b141185136428cacbc3c8a23470e1bc8627466734c21947a75dd3a192fc |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 98304bd3431be54ec811188f50ab0927 |
| SHA1 | 102a72f16a5f49f323ff7fde1338fdfa3a406958 |
| SHA256 | 5a58111ca6e1a912c7e5a9f50c3ff29e8010d09deb8e59667ad20c5e2ded32f3 |
| SHA512 | f233e707e9df3bee23b7a1b03efcf985c968dc40b634068e92ac64b35015bfcd5c0299fae32917f9b8cae9280ec620bea1c3a25ffc7801c1b5d58ece8498ae48 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 55e7f3cd358c283447bc8b147859f676 |
| SHA1 | 489063f595a95a70bca85eb507ed8f6b33bd45ef |
| SHA256 | dc753f563c2302188dd0a2419fdad98bdd8e204173b00e08da2ab5795975b404 |
| SHA512 | e22afdea51d7691e8f9699c76867399a4d48c977d530654f0d786ade196e73edf0ea5f6b7935c1c81238b2e52b16303b879b196ebf945771777db2f4f207feb9 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a60234668320b277e22d0644c79f2e42 |
| SHA1 | 572f9121dcf377edb8a4559438117a1b6ecaa593 |
| SHA256 | bbe00d819f82b56f12afeb7d34fd1e640db65a3ff9869ed8210d5d9eb0f7e850 |
| SHA512 | 9ba0d8a17541682cc8fd40adddf44c62a861c7c774cabe57ad3e3f1fd75a7d50730e934d240f1abce5ecd4496e99926e21243e0cacf6ad700cf53a9e3a06180b |
memory/1684-1513-0x0000000003860000-0x0000000003879000-memory.dmp
memory/1684-1514-0x0000000003860000-0x0000000003879000-memory.dmp
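The SetThreadContext table above shows the sample setting the thread context of a second instance of its own image (PID 2712 → 2836) and the dropped nsrss.exe doing the same (2508 → 1828), and the memory-dump names in the Files list record which regions the sandbox captured for each PID. Two processes started from the same file map the same image at 0x400000; when the child's mapping has a different size, the parent has replaced the child's image with an unpacked payload (RunPE / process hollowing), and the child's dump is the one to carve. The script below is an added example, not part of the report: it parses lines in the two formats used above (values copied from behavioral1), compares the image-base mappings for each pair, and reports pairs whose child has no captured dump (1828 here) instead of guessing. The 0x400000 image base is an assumption that holds for the dumps listed here.

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the behavioral1 "Suspicious use of
# SetThreadContext" table and from the memory-dump entries of its Files list.
SET_THREAD_CONTEXT = [
    "PID 2712 set thread context of 2836",
    "PID 2508 set thread context of 1828",
]
MEMORY_DUMPS = [
    "memory/2712-1-0x0000000000020000-0x0000000000023000-memory.dmp",
    "memory/2712-0-0x0000000000400000-0x0000000000419000-memory.dmp",
    "memory/2836-6-0x0000000000400000-0x0000000000450000-memory.dmp",
    "memory/2836-13-0x0000000024010000-0x0000000024072000-memory.dmp",
    "memory/1684-550-0x0000000024080000-0x00000000240E2000-memory.dmp",
    "memory/2508-574-0x0000000000400000-0x0000000000419000-memory.dmp",
]

IMAGE_BASE = 0x400000  # assumed default image base of a 32-bit Windows EXE

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dumps(names):
    """Map PID -> list of (start, end) regions the sandbox captured."""
    regions = defaultdict(list)
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            pid = int(m.group(1))
            regions[pid].append((int(m.group(2), 16), int(m.group(3), 16)))
    return regions


def image_size(regions, pid):
    """Size of the largest captured region starting at the image base, or None."""
    sizes = [end - start for start, end in regions.get(pid, []) if start == IMAGE_BASE]
    return max(sizes) if sizes else None


def hollowing_candidates(ctx_lines, dump_names):
    """For each parent->child SetThreadContext pair compare image-base mappings.

    verdict is 'image_replaced' when the child's 0x400000 mapping differs in
    size from the parent's (same file, different image: the parent wrote a new
    image into the child), 'no_dump' when nothing was captured for the child,
    and 'inconclusive' otherwise.
    """
    regions = parse_dumps(dump_names)
    results = []
    for line in ctx_lines:
        m = CTX_RE.search(line)
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        p_size, c_size = image_size(regions, parent), image_size(regions, child)
        if c_size is None:
            verdict = "no_dump"
        elif p_size is not None and c_size != p_size:
            verdict = "image_replaced"
        else:
            verdict = "inconclusive"
        results.append({"parent": parent, "child": child,
                        "parent_image": p_size, "child_image": c_size,
                        "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in hollowing_candidates(SET_THREAD_CONTEXT, MEMORY_DUMPS):
        print(r)
```

For this run the first pair comes back as image_replaced with a 0x19000 parent image (the UPX stub) against a 0x50000 child image, so memory/2836-*-0x400000-0x450000 is the dump holding the unpacked CyberGate payload; the second pair is reported as no_dump because the report lists no region for PID 1828.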
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-30 09:15
Reported
2024-08-30 09:18
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\nsrss.exe" | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\nsrss.exe" | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A1XG3QB-O0EL-DJ02-1APH-447FOR40TWM4} | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A1XG3QB-O0EL-DJ02-1APH-447FOR40TWM4}\StubPath = "C:\\Windows\\system32\\nsrss.exe Restart" | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
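Both runs (behavioral1 and behavioral2) write the same two autostart entries: a Policies value under HKLM and HKCU ...\Policies\Explorer\Run pointing at C:\Windows\system32\nsrss.exe, and an Active Setup component {5A1XG3QB-O0EL-DJ02-1APH-447FOR40TWM4} whose StubPath runs the same file with the argument Restart. Two properties make these cheap to hunt for: Policies\Explorer\Run is a Group Policy autostart that ordinary hosts rarely populate, and the Active Setup "GUID" contains letters outside 0-9 and A-F, which no well-formed CLSID has. The checker below is an added example, not part of the report; it runs those checks over a constructed snapshot of registry values in the form a registry-export or triage tool returns (key path, value name, data). The first three rows are copied from the tables above; the fourth is a constructed, well-formed Active Setup entry included for contrast, and the lookalike-name list is an assumption to extend for your environment.

```python
import re

# Constructed snapshot in the form a registry-export or triage tool returns:
# (key path, value name, data). Rows 1-3 are copied from the report's tables;
# row 4 is a constructed, well-formed Active Setup entry for contrast.
SNAPSHOT = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "Policies", r"C:\Windows\system32\nsrss.exe"),
    (r"\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "Policies", r"C:\Windows\system32\nsrss.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A1XG3QB-O0EL-DJ02-1APH-447FOR40TWM4}",
     "StubPath", r"C:\Windows\system32\nsrss.exe Restart"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0E6A5C52-5C46-4DD3-9E0F-1B4F6C1E2A7D}",
     "StubPath", r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll"),
]

# A well-formed CLSID is five groups of hex digits, 8-4-4-4-12.
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
POLICIES_RUN_RE = re.compile(r"\\Policies\\Explorer\\Run$", re.I)
ACTIVE_SETUP_RE = re.compile(
    r"\\Active Setup\\Installed Components\\(\{[^\\]+\})$", re.I)
# Assumed list of file names that imitate core Windows binaries (csrss, lsass,
# svchost); nsrss.exe from this report is the first entry. Extend as needed.
LOOKALIKE_RE = re.compile(r"\\(nsrss|csrsss|lsasss|svch0st)\.exe$", re.I)


def split_command(data):
    """Return (executable, arguments) for a command line, honouring a quoted path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    exe, _, args = data.partition(" ")
    return exe, args


def check_persistence(snapshot):
    """Return a list of (finding, key, detail, executable) for suspicious values."""
    findings = []
    for key, name, data in snapshot:
        exe, _args = split_command(data)
        if POLICIES_RUN_RE.search(key):
            # Group Policy autostart: Explorer runs these at logon, and the key
            # is rarely populated on hosts that are not under a matching GPO.
            findings.append(("policies_run", key, name, exe))
        m = ACTIVE_SETUP_RE.search(key)
        if m and name.lower() == "stubpath":
            guid = m.group(1)
            if not GUID_RE.match(guid):
                # Non-hex characters inside the braces: neither Windows nor a
                # real installer generates such a component name.
                findings.append(("active_setup_bad_guid", key, guid, exe))
        if LOOKALIKE_RE.search(exe):
            findings.append(("lookalike_name", key, name, exe))
    return findings


if __name__ == "__main__":
    for finding in check_persistence(SNAPSHOT):
        print(finding)
```

Against this snapshot the two Policies values and the Active Setup StubPath each raise a finding for the nsrss.exe lookalike name, the Active Setup entry additionally raises active_setup_bad_guid, and the constructed well-formed entry raises nothing. On a live host the same checks apply to HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and its Wow6432Node twin, since a 32-bit installer like this one only writes the latter.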
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\nsrss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nsrss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\nsrss.exe | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nsrss.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nsrss.exe | C:\Windows\SysWOW64\nsrss.exe | N/A |
| File created | C:\Windows\SysWOW64\nsrss.exe | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4068 set thread context of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe |
| PID 2784 set thread context of 4152 | N/A | C:\Windows\SysWOW64\nsrss.exe | C:\Windows\SysWOW64\nsrss.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\nsrss.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nsrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nsrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nsrss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\SysWOW64\nsrss.exe | "C:\Windows\system32\nsrss.exe" |
| C:\Windows\SysWOW64\nsrss.exe | "C:\Windows\SysWOW64\nsrss.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4152 -ip 4152 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 220 |
The WerFault invocations name PID 4152 as the crashing process; that is the second nsrss.exe instance, the one PID 2784 wrote into via SetThreadContext, so the crash on Windows 10 occurred in the injected second stage and not in the dropper, which had already completed its registry and file writes.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xxdepelxx.is-the-boss.com | udp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
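The behavioral1 network table is 20 TCP connections to 213.131.252.251:80, resolved from xxdepelxx.is-the-boss.com, inside a 149 s run; the behavioral2 table shows the same connections mixed with the Windows 10 image's own background traffic (PTR lookups of Microsoft address space, g.bing.com, tse1.mm.bing.net). The script below is an added example, not part of the report: it parses rows in the table's layout, discards that background noise, counts connections per destination and flags destinations contacted repeatedly on the same port, marking hostnames under free dynamic-DNS parent domains. The embedded rows are a constructed subset of the behavioral2 table above; the noise allow-list and the dynamic-DNS suffix list are assumptions to be tuned from your own sandbox images and threat intel.

```python
import re
from collections import Counter

# Constructed input: a subset of rows copied from the behavioral2 network table,
# in the report's "| Country | Destination | Domain | Proto |" layout.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xxdepelxx.is-the-boss.com | udp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
| DE | 213.131.252.251:80 | xxdepelxx.is-the-boss.com | tcp |
"""

# Assumed allow-list of OS/sandbox background traffic; tune for your images.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
# Assumed list of free dynamic-DNS parent domains; extend from your own intel.
DDNS_SUFFIXES = (".is-the-boss.com", ".no-ip.org", ".ddns.net", ".dyndns.org")

ROW_RE = re.compile(
    r"^\|\s*(\w\w)\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(tcp|udp)\s*\|$")


def parse_rows(text):
    """Parse the report's network table into dicts; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def is_noise(row):
    return row["domain"].endswith(NOISE_SUFFIXES)


def triage(text, repeat_threshold=3):
    """Return (candidates, dns_only).

    candidates: non-DNS destinations seen at least repeat_threshold times after
    noise removal, most frequent first, with a dynamic-DNS flag.
    dns_only: domains the sample resolved but never connected to, which still
    belong in the IOC list.
    """
    rows = [r for r in parse_rows(text) if not is_noise(r)]
    counts = Counter((r["ip"], r["port"], r["proto"], r["domain"])
                     for r in rows if r["port"] != 53)
    resolved = {r["domain"] for r in rows if r["port"] == 53}
    contacted = {r["domain"] for r in rows if r["port"] != 53}
    candidates = []
    for (ip, port, proto, domain), n in counts.most_common():
        if n >= repeat_threshold:
            candidates.append({"dest": f"{ip}:{port}/{proto}", "domain": domain,
                               "connections": n,
                               "ddns": domain.endswith(DDNS_SUFFIXES)})
    return candidates, sorted(resolved - contacted)


if __name__ == "__main__":
    found, unresolved_only = triage(NETWORK_TABLE)
    for c in found:
        print(c)
    print("resolved but not contacted:", unresolved_only)
```

On the subset above the only surviving destination is 213.131.252.251:80/tcp for xxdepelxx.is-the-boss.com, flagged as dynamic DNS; run over the full behavioral1 table it counts all 20 connections to the same host. Repeated short TCP sessions to one host on port 80 with no corresponding HTTP noise elsewhere is the beacon pattern to look for in proxy or NetFlow data when hunting for this family.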
Files
memory/4068-0-0x0000000000400000-0x0000000000419000-memory.dmp
memory/4068-1-0x00000000001C0000-0x00000000001C3000-memory.dmp
memory/2184-8-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2184-9-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2184-7-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2184-6-0x0000000000400000-0x0000000000450000-memory.dmp
memory/4068-10-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2184-13-0x0000000024010000-0x0000000024072000-memory.dmp
memory/2184-14-0x0000000024010000-0x0000000024072000-memory.dmp
memory/1164-19-0x00000000013B0000-0x00000000013B1000-memory.dmp
memory/1164-18-0x00000000012F0000-0x00000000012F1000-memory.dmp
memory/2184-34-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2184-82-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1164-83-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 393157b7ce52c73c01291007e2fafb2f |
| SHA1 | b2955687957d4f187dcf6b3ced1aac7abac1f768 |
| SHA256 | ce58c30733cb710eb25fd69b8cb3d584e166cfd63f9b360457344803edf04376 |
| SHA512 | 000b56341474637a19ef67d3e23af6e9e3ed6a1b9fac3dbdc347c2b0ba50ffad0b7c8b2ae0141d7ac558921abaaaedf8a0f1f9e44e5891c9ac32cffa8ad2da7f |
C:\Windows\SysWOW64\nsrss.exe
| MD5 | ca8d5059de6edbdb4b0ddc061f6cf8fd |
| SHA1 | f67fd864383c55c42af4d5de17380cac755856e6 |
| SHA256 | a354500c53b0042e32b9a331375eee6a572154589f9301fe827db5fc1e71d2b5 |
| SHA512 | fbd633d5967b9189286b40c5f58a6338ce4a2b68544c422992f2ece8870f4771c9d72768995855604d966af18be34723db2f5f2e5a194ad89335d5dc78aa6935 |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
memory/2784-104-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2784-105-0x00000000001C0000-0x00000000001C3000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-355097885-2402257403-2971294179-1000\88603cb2913a7df3fbd16b5f958e6447_30dd1cc1-5c25-4745-b2f5-cffa52b1a886
| MD5 | 5fc2ac2a310f49c14d195230b91a8885 |
| SHA1 | 90855cc11136ba31758fe33b5cf9571f9a104879 |
| SHA256 | 374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092 |
| SHA512 | ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3 |
memory/4152-113-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2784-115-0x0000000000400000-0x0000000000419000-memory.dmp
memory/1164-121-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c76edcc2b6543b874b3773da24716b11 |
| SHA1 | 90ad8be66ffd5db9ac5d1e7f3b2d736fa717d46d |
| SHA256 | e6f99d402bf50dac9026ecad19d50ba1baa347e3d234c0ce98b002a3abcaf8ba |
| SHA512 | f7fe1e99177ed59730b0295dfaaf587dedd2e9338c0c65a5240a848df3f3581c74e6c18d87b2a1f4c9baf3841aa083f582d3339eb874ed42f6657802689f322c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4b0eaf11ac9c4698a99f7d40f833be62 |
| SHA1 | 7c3e2d5e0e84fd43095c9202aa19d95e8951ea9f |
| SHA256 | 4151392f2b0398656de024ffd8698743d1207495dea6e7a1969a416928f4212d |
| SHA512 | d08c1f9e66ee7209d082d2c067a4db0f765db14c8c3b32bbad8edf8ccd6692c00c5a3cf0c3de3829378e398b10b127c8b37313361c7991e13853bf77a6bf5876 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c26be120589db1366709e88195d68081 |
| SHA1 | e11604be1445f93bd32d282530d32d2a78aab9fa |
| SHA256 | 5ee3c809af27629e71062c82b170f7b867165d80f8558a87d61c134eba5a8888 |
| SHA512 | ab9dd889ce450b0b46c5f7ef6427dfe8f2806e511ab04ba616057c0dd260ded333ddbac6da4f4ff0c511c045b2bafc876a2c7a1b638285bec957701427b4fc8f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f8b532c82bb52c0e1bc854f72057a459 |
| SHA1 | af518d8fc1f8d00d77f45976a28560d5eafd4b5e |
| SHA256 | 64c73c7e4e0aa70a596811b12d0ff7a1b2d393eecdffa5688bfd70fb83e28979 |
| SHA512 | 929981224607ef40bcfc1825924ed58e89140fea5370fdf176c60f22281dda775e1187f73c8355d18c1cd74654bba94aac98aee9c00a072c35ec6e3a04d6f2a4 |