Malware Analysis Report

2025-01-02 13:59

Sample ID 240830-vk31kawcjq
Target cb44cafd8070323fe108f19c9afcae10_JaffaCakes118
SHA256 2324baf9b9e29806f6e4346c5ab351acd474b182aa138d87ca4ccdca701a75c0
Tags: cybergate remote discovery persistence stealer trojan upx

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

2324baf9b9e29806f6e4346c5ab351acd474b182aa138d87ca4ccdca701a75c0

Threat Level: Known bad

The file cb44cafd8070323fe108f19c9afcae10_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate remote discovery persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

UPX packed file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-30 17:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-30 17:03

Reported

2024-08-30 17:06

Platform

win7-20240704-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q} | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (9 identical rows collapsed)

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A (2 identical rows collapsed)
File opened for modification | C:\Windows\install\ | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A (2 identical rows collapsed)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A (2 identical rows collapsed)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2288 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE (4 identical rows collapsed)
PID 2288 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE (4 identical rows collapsed)
PID 2608 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | C:\Program Files\Internet Explorer\iexplore.exe (56 identical rows collapsed)

Processes

C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE

"C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE"

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

"C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

"C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"

C:\Windows\install\server.exe

"C:\Windows\install\server.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.server.com | udp
US | 52.8.126.80:80 | www.server.com | tcp (13 identical rows collapsed)

Files

\Users\Admin\AppData\Local\Temp\RESOLVER.EXE

MD5 2f16426a0274725cf8ff7c44ffcbd275
SHA1 fd9937938d814ab83d78983b17f941b4e0139794
SHA256 59e0a784eb6f56e411946e86e015672786d830f69b2fc1f8886692f10f197ac7
SHA512 e6031d309b81b1ee3e88efa3eea80523098d6dda5018949b48ed63682569c776ba3956fd18151fa853b54955f0f248487bd1fff9bdd73d80cbc035229353a014

\Users\Admin\AppData\Local\Temp\SERVER.EXE

MD5 dde3e497c0924260d286ff11bccbb6ec
SHA1 de0847cca9180e94d0d20fbdaa3e23189f9a4454
SHA256 64e43c1240b8c762720a9e0754cc2fb27a498a444b3918e285ad0ceb598b1962
SHA512 60b874446c4fbdfd0a3bbf05c67105a39e24033834b4af74b1e89438249cca996a073d3aa54bb5711a79300e507590554ea65eb2366ed6b069f72a55c484e364

memory/2288-15-0x0000000002910000-0x0000000002A13000-memory.dmp

memory/2228-17-0x00000000746AE000-0x00000000746AF000-memory.dmp

memory/2228-18-0x0000000000F70000-0x0000000000FE6000-memory.dmp

memory/2608-22-0x0000000010410000-0x0000000010475000-memory.dmp

memory/2608-23-0x0000000010410000-0x0000000010475000-memory.dmp

memory/2796-34-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2796-46-0x0000000000400000-0x0000000000503000-memory.dmp

memory/2608-44-0x0000000001D60000-0x0000000001E63000-memory.dmp

memory/2796-43-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2796-28-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2608-27-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/2608-354-0x0000000000400000-0x0000000000503000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 b87bf5a04d6f0aa4ead70d655c0af299
SHA1 52160184112c0bec6c539d939d71d6dcef6a07a3
SHA256 9052750374fc200907798ff1b08216b54f0ffc0eaeb56c1f4b609264b9eb6668
SHA512 415fee417e51c8ed741a10130f809e4e83e4c12d70deaa7291418bedc562ed14da800ce66952d9616e76ecbcc7bc2ef3357d231372e47325700c6accafcd5d59

memory/1856-378-0x0000000000400000-0x0000000000503000-memory.dmp

memory/2228-379-0x00000000746AE000-0x00000000746AF000-memory.dmp

memory/1856-381-0x0000000000400000-0x0000000000503000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 561fa0b9e5bb5922528e07658fe60f1e
SHA1 84a4c9e10d9648643891512e46b1305ca57c195a
SHA256 bc6454b5b0d2baea39920e94c1a101e76507598f711ba2d9b1d5efe41707591b
SHA512 41d73da2475048a332882da6033252f7d5818746fdb92c59149809405a8d2ab3ee5e7805df37d9b6e9c3d2436cbb13b275103d117d672d841a29614ea69a1684

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4af95d72603353c9829f9ba923c3146b
SHA1 8b3a131426eb5e2613289f1af15da4faffc29461
SHA256 a6605acddb59e73c60caac8ce9659a0c7a8abf93a20f21e425e4d1e0ba21e3b4
SHA512 b7150d23ae31b9dea12e8c9539d322a95b65e86a8761313cf4b923dee90599064bce7522c77e7339ea294b10485e5b17064b81fb17196045ea03ac67591597e6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 793ef1e19303097630275211f5972b4b
SHA1 f890ef92a92b8869b32f576909ed226f556f0560
SHA256 4c14d2c0d81684f19a4539315a0b7b0f63f994d33186152b7c47a6baae1233fd
SHA512 810f691cffecd152099b60e05891b92116413d954d12544d5aa38fb070f7200130ac80f0b2469e351c06394cb302e55a267a6c6416930e7af29d08a709762061

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 778880950cf1fcc510735918503f70b6
SHA1 43871cf027a03bbadf499258dbe9bcaf48b83c35
SHA256 f75a35db4a95f9fbc0f9d7e27a9feb3f6f9d3f08db4d5c4ca80a574dc05f80f8
SHA512 135f65409372108ca7aafdcf1511251e3ab15b93eb2c311689e8b661e752978fb07fe949e0383b067e8f2464c20a378cdfaac888a5710c8b45c75363bc817b9e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 396bedf26c40485516bb5b676b3197fd
SHA1 162c5d4a1a28a81966a097bb9470f573bfc51091
SHA256 1b2b7517d053a2f10bcfedaf6589e68144c2d4a2585b292551f53699c51f0520
SHA512 0fd6262ff8648caf087f53902b9138a8d2d907cefc1d53ef35820cd8c65de556c6abc35b75051df4001c9c05b1dfbdfc2d35fa878f7b3a775d9673609341254d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4e5ce4ff62e3f0246d787bb818b32326
SHA1 7d2e061def799121e6241a95a2dfea307a987942
SHA256 e7a21ad4f923ce07a1c578aa06c98bf64e2357b1ac0b5bf8b6618032d1dfeae7
SHA512 add1088cc673b667c24d24416613a839f4f058fa3af8f5c8d774174f357fa1954a4a6ea5e082290aad27c7a8f1c494ec99c5abdfddc4e9f8ba023bc0ff68cee6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 808c6653dbae28bbefd2c7489c9e90d3
SHA1 7dde2de14e5bf1946a07f8e7efd32f3ea88e23fa
SHA256 31692b79d2e635c1b767834d42691c1c4b6d22f44b2c2833744794312bca98b8
SHA512 0d67f10e33805ce680bbfa655f84472ea26823da03d467100ff116e3ae22474e8cf695cc172b467d7384d73c076757b55770ec123ba5b5972c1e1b10a632eecb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 66f2f713cf9623b4c3cbba8585868339
SHA1 a923df2d4b1bbe9a5c72f4c644db732698b97b39
SHA256 82b9a0955e9f437be8205cdf81e8558fef7e4af66799dec961ed709bb229ef77
SHA512 6bf9e779a0cc54dc2dd1897a3dd98d52dd011b9c6de4fd03c00fb8c821c09569d47bcd023cf385da014fd46c0e166237ccd2620c5a45a34dfd50f63904b1aced

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4abd85b51806563bee7240e0deab1462
SHA1 6ad1059cdd392a65ea76df8462e34e97942c7f0d
SHA256 9e818ba99ddca41a9ed730d06aecb5e99867f4608d9d5f9bdae8ccbdc10382d6
SHA512 4b9b97779565b1af06b7b5f60de852793e0e4a556124cdde99c47a65e9acaf36b4e9e25033b7535e601a8585e8dc24f1da87e36d6dfd3d915a793598e417ca28

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 58a1dfa78019a0d10e41ba0cb294d259
SHA1 5664c22c886c10c191918e67c81f54be4a738afa
SHA256 a2196f6b3da68ed9ae9cba9c2d6f1228835129f230ced1efaad41e77b140a7fd
SHA512 2ae8b120c22592da12354836a9735cbfe1b9336958fa336d89f5ca1c351f579f065c797c9d3f5c040745119ca198be597f5a9af1e84b78d2d687d1cea1b67448

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 cafaa838ee0cfb27d30771a1498f9706
SHA1 9569081a758700e347cb5355f97786f0f2184283
SHA256 92a69c2f36d749fa2559d3bcf9d9a63486b14035b5234f3f255a4b7d45e582f9
SHA512 c1b872d1e2e1f09eb14442c89bd1857fb5e0268dc578ea1b3874ded5d8fa42bf527f76baf6418233153808a37b8b14397783e059bbf7c21e0b2647d811e64871

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e5f0f3371f125917c47943a772bfd378
SHA1 3db7a0ba17d03f01d3d45703b01e992ffed8e0eb
SHA256 777ea10f13afd9bbcc5ea8fff82a81cda15cd5b256f36346701a287067a90ebc
SHA512 e01faa0569c9dc0a32e697262225ecf0ae32fa05a47487b67085163f8355792cd722c8d102c712c23d8e6d891b6cf99febb17bf7721eb1704ee84401c87b40ef

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f6df5c725e7114d73ee02db0493bac2a
SHA1 10fdda14aeb54c0ee279292c8c253c14aa22ddca
SHA256 4097ba88d2c50b81962ff51e794f223086bb9265e865106e5c5a168f1d8e0f9a
SHA512 3b19f6cbce138cd41eaa332268c3229ae30199667b6f8d199f0d4561732639b97607ea38367e062c75654076d4f7aab3cd845243c6182156ccde160bdfd7832a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d659f80a0ce340109ebb6d3db7a6f394
SHA1 6a51b0408072c5f7f066ee941312a9ca4027ff3f
SHA256 bd6dfd86de2c61cf6af57dfac24e1b6e096c1141f755fc9805a2302a16e37426
SHA512 dd0f2e8df9c9aed3d14b36b68672e33fc10fb1ceedc65fb2a678735048f83ff167b007365a638b59282d30f053e2f4da842e8ea58b566272d7ab6394aef51cca

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1d4785acdb999a8af36e7f63f373b371
SHA1 98e34f6caccdd9947c87c9a61f6dcc4aab52d8cc
SHA256 1cc0b9244596ff9ccb312e56b6a9832ea14c53ed186c7e898334ca3439231e67
SHA512 9d2a2b8fd3e8b6094b021ba15d0e135876223b477dd6bff4828e9495298e1d2c8a7878e7cef5c3849f5fa9644812a1fd016c9ddd0a7efb8fdc6cc3bfdecfbbd7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 87204afa86667fa001a9e109a1a030d0
SHA1 d83dbb2837683655962c683f0d30c9d4bf8087b0
SHA256 62e4609b6cf6581f570c0833894a8ae0ec3261fc2f8d60bab385af6d176884a0
SHA512 8fcb0413d68244da00c169b4bf4d9e68fac80d50416cf7a2ee0566b746d11da6b9ad13aef4f6a04e43f31444bf107fd703357661b69fbd61d95b4203c2d4d210

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a2c13b4e9f08e6f05c48a0a0cee572bd
SHA1 2d90105c52c7110017c7fcf4de01946e22066486
SHA256 af17ed472301c9693dee5a04e2c0e45d6310e8752ab1f0505e251da3c4832e81
SHA512 866c2178696f08ef3328e902d67cca0bf3913e8cf55d1f1dcdd9a01f9a418a3bca2664f2c4fee0f92943e136e43fafb9eeacdd9e1d8a0656e53f9b0062900be3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 38fc774b8d320add2faf6a9ba014e7ac
SHA1 52f9284414bd1d401b4ff7bfe7433a0f44ef2262
SHA256 2e7bd3d69675dc9e979766910375edebffd2e7fc469793767a6ed5cb8ceb12fd
SHA512 966a12c5096723a283f3624f666d03cd6b5a9b07b55d7f57b75fc5514edf5fab90984b614b89376392a36d239461b8cf0f73d207b0fc775f2fb118c50f59f4c3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0df9238064b6796fa48c5b577df6fbca
SHA1 b1b4a86f0f3a59f4d429157b9cea6f8f684e6734
SHA256 645558c3c17ced25e155603a183f272749cc6cde704ae4d9ab2db6b4f7ff0ac4
SHA512 db6b5ed8bb1b658f367e69cff1562a215f695ee4e6b765de4e379640707b2bb55b13cf9a0d0254f20c0fd9f1beee289373aab77b74042bf44a8cefed63dbf863

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0da6634ada4bd370b334c11207dfe86f
SHA1 9a5cd4004bde2fbc16211917aa97f674cb9231de
SHA256 83649976f8482501db3170c94b22fd4b3cfd8c2916a417aa1a76ddb10aaecf24
SHA512 c1e7d37fe2312d5c86e0eed0f048732e6978ddd4cc181eecc9a40ca4b3866a4a86a9baf039201aefa50fc8f408b8ac2b44d94ce9fd29370906bd65825520a8be

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 189600cc0a8b21dddb2e1e65f53ef3dd
SHA1 9e59b956a2294c14a285ff599198c21fa5bfd075
SHA256 433b4203be406097897f68f8e0dfbc79bbd476873ea7c8d5cde6d6640340f0bc
SHA512 5ba4259b2834a96dcf056ab45a22220bd2801a9e7d4db34ef2e9d737bf08d6f0bc447d68f5583dd1aae241452d7fe61daf222a6082a9116122215f2ffdbd4680

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-30 17:03

Reported

2024-08-30 17:06

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q} | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (11 identical rows collapsed)

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A (2 identical rows collapsed)
File opened for modification | C:\Windows\install\ | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\install\server.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A (2 identical rows collapsed)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\install\server.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A (2 identical rows collapsed)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A (2 identical rows collapsed)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3864 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE (3 identical rows collapsed)
PID 3864 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE (3 identical rows collapsed)
PID 2200 wrote to memory of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | C:\Program Files\Internet Explorer\iexplore.exe (29 identical rows collapsed)
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE

"C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE"

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

"C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

"C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"

C:\Windows\install\server.exe

"C:\Windows\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 440 -ip 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 580

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE

MD5 2f16426a0274725cf8ff7c44ffcbd275
SHA1 fd9937938d814ab83d78983b17f941b4e0139794
SHA256 59e0a784eb6f56e411946e86e015672786d830f69b2fc1f8886692f10f197ac7
SHA512 e6031d309b81b1ee3e88efa3eea80523098d6dda5018949b48ed63682569c776ba3956fd18151fa853b54955f0f248487bd1fff9bdd73d80cbc035229353a014

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

MD5 dde3e497c0924260d286ff11bccbb6ec
SHA1 de0847cca9180e94d0d20fbdaa3e23189f9a4454
SHA256 64e43c1240b8c762720a9e0754cc2fb27a498a444b3918e285ad0ceb598b1962
SHA512 60b874446c4fbdfd0a3bbf05c67105a39e24033834b4af74b1e89438249cca996a073d3aa54bb5711a79300e507590554ea65eb2366ed6b069f72a55c484e364

memory/3532-20-0x000000007350E000-0x000000007350F000-memory.dmp

memory/2200-19-0x0000000000400000-0x0000000000503000-memory.dmp

memory/3532-21-0x00000000001E0000-0x0000000000256000-memory.dmp

memory/3532-22-0x0000000004C00000-0x0000000004C9C000-memory.dmp

memory/3532-23-0x0000000005260000-0x0000000005804000-memory.dmp

memory/3532-24-0x0000000004D50000-0x0000000004DE2000-memory.dmp

memory/3532-25-0x0000000004CF0000-0x0000000004CFA000-memory.dmp

memory/3532-26-0x0000000073500000-0x0000000073CB0000-memory.dmp

memory/3532-27-0x0000000004F90000-0x0000000004FE6000-memory.dmp

memory/2200-30-0x0000000010410000-0x0000000010475000-memory.dmp

memory/2200-31-0x0000000010410000-0x0000000010475000-memory.dmp

memory/1320-35-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1320-36-0x0000000000670000-0x0000000000671000-memory.dmp

memory/2200-34-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/2200-92-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/1320-99-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/2200-98-0x0000000000400000-0x0000000000503000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 b87bf5a04d6f0aa4ead70d655c0af299
SHA1 52160184112c0bec6c539d939d71d6dcef6a07a3
SHA256 9052750374fc200907798ff1b08216b54f0ffc0eaeb56c1f4b609264b9eb6668
SHA512 415fee417e51c8ed741a10130f809e4e83e4c12d70deaa7291418bedc562ed14da800ce66952d9616e76ecbcc7bc2ef3357d231372e47325700c6accafcd5d59

memory/440-120-0x0000000000400000-0x0000000000503000-memory.dmp

memory/3532-121-0x000000007350E000-0x000000007350F000-memory.dmp

memory/440-123-0x0000000000400000-0x0000000000503000-memory.dmp

memory/3532-124-0x0000000073500000-0x0000000073CB0000-memory.dmp

memory/1320-126-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2658981cc6602f71d38ede7bb07191d8
SHA1 2dbbb6af18b5251615c89987414c0e6d1880ea52
SHA256 310562049dae8ff1dca21bd26aa12b8a85381e650a67d2e75f021b0796ff56b6
SHA512 8005872ac63a39d255bfb834687255596298db6d11a1a0ef177303b862cc0ecd2f13225280f3120749769ed9de2fe7e3f11dc32d77b4c602e345203be640f016

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d34b4148e2fb20a80368bece7bab98b4
SHA1 2b3cb144374b9d0a44bf35024799d1610cbcf06b
SHA256 30d0174e2faeca7e71e7541e42a6c365e7508d6c2db933c3f93cfa98f701ad36
SHA512 1dfdc56601be3d3dfcc3c6fdfb00ebe0115bb6f1da3385f8c0d6c690e7148cf7755858a1b662cc7355ecff78f061708620cb659dff0405feafd1d9ac56665df9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 09de5771fcee1055b5fe8952d91edb17
SHA1 26c32b0668b53cdd395e1e2c480d81c0a5f8063f
SHA256 f6c4b3931e71cc0cf7b7372942213eaa5aaf2fa796f611e30a6f74f8ee614ece
SHA512 fbf224bb78964448a3e718971830d3a82ffd5aa59facc6023281fb4bf222921b37d0d7be36b9b9dcd7bc0dad537d9ec8340598ec0e0d9c87b99de68ab9785fb0

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 561fa0b9e5bb5922528e07658fe60f1e
SHA1 84a4c9e10d9648643891512e46b1305ca57c195a
SHA256 bc6454b5b0d2baea39920e94c1a101e76507598f711ba2d9b1d5efe41707591b
SHA512 41d73da2475048a332882da6033252f7d5818746fdb92c59149809405a8d2ab3ee5e7805df37d9b6e9c3d2436cbb13b275103d117d672d841a29614ea69a1684

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4af95d72603353c9829f9ba923c3146b
SHA1 8b3a131426eb5e2613289f1af15da4faffc29461
SHA256 a6605acddb59e73c60caac8ce9659a0c7a8abf93a20f21e425e4d1e0ba21e3b4
SHA512 b7150d23ae31b9dea12e8c9539d322a95b65e86a8761313cf4b923dee90599064bce7522c77e7339ea294b10485e5b17064b81fb17196045ea03ac67591597e6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 793ef1e19303097630275211f5972b4b
SHA1 f890ef92a92b8869b32f576909ed226f556f0560
SHA256 4c14d2c0d81684f19a4539315a0b7b0f63f994d33186152b7c47a6baae1233fd
SHA512 810f691cffecd152099b60e05891b92116413d954d12544d5aa38fb070f7200130ac80f0b2469e351c06394cb302e55a267a6c6416930e7af29d08a709762061

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 778880950cf1fcc510735918503f70b6
SHA1 43871cf027a03bbadf499258dbe9bcaf48b83c35
SHA256 f75a35db4a95f9fbc0f9d7e27a9feb3f6f9d3f08db4d5c4ca80a574dc05f80f8
SHA512 135f65409372108ca7aafdcf1511251e3ab15b93eb2c311689e8b661e752978fb07fe949e0383b067e8f2464c20a378cdfaac888a5710c8b45c75363bc817b9e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 396bedf26c40485516bb5b676b3197fd
SHA1 162c5d4a1a28a81966a097bb9470f573bfc51091
SHA256 1b2b7517d053a2f10bcfedaf6589e68144c2d4a2585b292551f53699c51f0520
SHA512 0fd6262ff8648caf087f53902b9138a8d2d907cefc1d53ef35820cd8c65de556c6abc35b75051df4001c9c05b1dfbdfc2d35fa878f7b3a775d9673609341254d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4e5ce4ff62e3f0246d787bb818b32326
SHA1 7d2e061def799121e6241a95a2dfea307a987942
SHA256 e7a21ad4f923ce07a1c578aa06c98bf64e2357b1ac0b5bf8b6618032d1dfeae7
SHA512 add1088cc673b667c24d24416613a839f4f058fa3af8f5c8d774174f357fa1954a4a6ea5e082290aad27c7a8f1c494ec99c5abdfddc4e9f8ba023bc0ff68cee6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 808c6653dbae28bbefd2c7489c9e90d3
SHA1 7dde2de14e5bf1946a07f8e7efd32f3ea88e23fa
SHA256 31692b79d2e635c1b767834d42691c1c4b6d22f44b2c2833744794312bca98b8
SHA512 0d67f10e33805ce680bbfa655f84472ea26823da03d467100ff116e3ae22474e8cf695cc172b467d7384d73c076757b55770ec123ba5b5972c1e1b10a632eecb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 66f2f713cf9623b4c3cbba8585868339
SHA1 a923df2d4b1bbe9a5c72f4c644db732698b97b39
SHA256 82b9a0955e9f437be8205cdf81e8558fef7e4af66799dec961ed709bb229ef77
SHA512 6bf9e779a0cc54dc2dd1897a3dd98d52dd011b9c6de4fd03c00fb8c821c09569d47bcd023cf385da014fd46c0e166237ccd2620c5a45a34dfd50f63904b1aced

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4abd85b51806563bee7240e0deab1462
SHA1 6ad1059cdd392a65ea76df8462e34e97942c7f0d
SHA256 9e818ba99ddca41a9ed730d06aecb5e99867f4608d9d5f9bdae8ccbdc10382d6
SHA512 4b9b97779565b1af06b7b5f60de852793e0e4a556124cdde99c47a65e9acaf36b4e9e25033b7535e601a8585e8dc24f1da87e36d6dfd3d915a793598e417ca28

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 58a1dfa78019a0d10e41ba0cb294d259
SHA1 5664c22c886c10c191918e67c81f54be4a738afa
SHA256 a2196f6b3da68ed9ae9cba9c2d6f1228835129f230ced1efaad41e77b140a7fd
SHA512 2ae8b120c22592da12354836a9735cbfe1b9336958fa336d89f5ca1c351f579f065c797c9d3f5c040745119ca198be597f5a9af1e84b78d2d687d1cea1b67448

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 cafaa838ee0cfb27d30771a1498f9706
SHA1 9569081a758700e347cb5355f97786f0f2184283
SHA256 92a69c2f36d749fa2559d3bcf9d9a63486b14035b5234f3f255a4b7d45e582f9
SHA512 c1b872d1e2e1f09eb14442c89bd1857fb5e0268dc578ea1b3874ded5d8fa42bf527f76baf6418233153808a37b8b14397783e059bbf7c21e0b2647d811e64871

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e5f0f3371f125917c47943a772bfd378
SHA1 3db7a0ba17d03f01d3d45703b01e992ffed8e0eb
SHA256 777ea10f13afd9bbcc5ea8fff82a81cda15cd5b256f36346701a287067a90ebc
SHA512 e01faa0569c9dc0a32e697262225ecf0ae32fa05a47487b67085163f8355792cd722c8d102c712c23d8e6d891b6cf99febb17bf7721eb1704ee84401c87b40ef

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f6df5c725e7114d73ee02db0493bac2a
SHA1 10fdda14aeb54c0ee279292c8c253c14aa22ddca
SHA256 4097ba88d2c50b81962ff51e794f223086bb9265e865106e5c5a168f1d8e0f9a
SHA512 3b19f6cbce138cd41eaa332268c3229ae30199667b6f8d199f0d4561732639b97607ea38367e062c75654076d4f7aab3cd845243c6182156ccde160bdfd7832a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d659f80a0ce340109ebb6d3db7a6f394
SHA1 6a51b0408072c5f7f066ee941312a9ca4027ff3f
SHA256 bd6dfd86de2c61cf6af57dfac24e1b6e096c1141f755fc9805a2302a16e37426
SHA512 dd0f2e8df9c9aed3d14b36b68672e33fc10fb1ceedc65fb2a678735048f83ff167b007365a638b59282d30f053e2f4da842e8ea58b566272d7ab6394aef51cca

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1d4785acdb999a8af36e7f63f373b371
SHA1 98e34f6caccdd9947c87c9a61f6dcc4aab52d8cc
SHA256 1cc0b9244596ff9ccb312e56b6a9832ea14c53ed186c7e898334ca3439231e67
SHA512 9d2a2b8fd3e8b6094b021ba15d0e135876223b477dd6bff4828e9495298e1d2c8a7878e7cef5c3849f5fa9644812a1fd016c9ddd0a7efb8fdc6cc3bfdecfbbd7