Analysis Overview
SHA256
cb7ca3bdfc9ab600d548564d80aed0f3731e4a5e1f6cf1f554d923872c11a77d
Threat Level: Known bad
The file d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
UPX packed file
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-09 18:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-09 18:33
Reported
2024-09-09 18:36
Platform
win7-20240903-en
Max time kernel
18s
Max time network
23s
Command Line
Signatures
CyberGate, Rebhip
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2316 set thread context of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | "{path}" |
| C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | asade.no-ip.org | udp |
| RU | 178.207.79.167:25565 | asade.no-ip.org | tcp |
Files
memory/2316-0-0x0000000074851000-0x0000000074852000-memory.dmp
memory/2316-1-0x0000000074850000-0x0000000074DFB000-memory.dmp
memory/2316-2-0x0000000074850000-0x0000000074DFB000-memory.dmp
memory/2272-8-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2272-10-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2272-18-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2272-17-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2272-16-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2272-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2272-12-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2272-11-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2272-6-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2272-5-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2272-3-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2316-19-0x0000000074850000-0x0000000074DFB000-memory.dmp
memory/2272-21-0x0000000010410000-0x0000000010480000-memory.dmp
memory/2212-22-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2212-32-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2212-33-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2212-322-0x0000000010410000-0x0000000010480000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| Hash | Value |
|---|---|
| MD5 | b122eb3037217aeee8d5683218cfdb14 |
| SHA1 | 3136251e64ca1e1f642e9ab3a92a0d923b989c50 |
| SHA256 | b9dc5c7a5c5b09a833ec538cd896ea83bdf1d920cdae1e711f467fefe057ae45 |
| SHA512 | 55ffb337f0ba7c4a4fc37758cc1921df6ada8e3bf96a7be2eca14b7b1471a46feef17b36f5c52a7aca7ee04cb9f4ba7481fbb8c72e2efaa806b449c361e02d13 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 69dafb3c4d67c35fe7e923a08b70bdb2 |
| SHA1 | 0965f299279570abd9f1d62a4d61e90db252ef45 |
| SHA256 | 266d70b311afe67df407a62b0a55d0309555817b51fde2284daa5857801b2210 |
| SHA512 | 3e3599d58263768e90d67803e933444f904147932b24ead60d4b32ff65829a5a7266aa992792b44c83cf426e3a3e3b0d6eb753d96cbb66c89d8683c982802034 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | ef09051dd02b870549cdbd0a88e234b3 |
| SHA1 | ebd4ff2c22500e9f6847e8395bf6b88b39688c09 |
| SHA256 | 6060cb22ae162f0fe3d3f02b6c8d7110666dde2cf704baaade3034b861d1fec1 |
| SHA512 | 717f48b0c6b4aa740c6688953c5553e83342fb971a94e707252336971c5f7f775676d131d99a423e0f30205a42690f0edd1cfed94238f88f42c182f068bc982d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 237306a15af32ecafaf5e2505a319f82 |
| SHA1 | cd52efda25ef3ed3f809bcb2d4f28cc38fb4e964 |
| SHA256 | 75104a0ceaaebf4b20c91c87427552e7fc6481681ef5dec9351302dbb3924350 |
| SHA512 | fac56f7120fb5dad235b367f54c93f4063256b2e074f9aa002b128a3ee91f24203cb9280b261fb713916b422283853f2dfe526e473d1976d9147a4a908497b0a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 24de5fa3fc45f93bb26dac0ff0cb626e |
| SHA1 | f21c1f1c065b2214a60ee1710196d65abc1d8555 |
| SHA256 | 7dcb87368ebe7db570b16abc8afe2aa5cb617ea704a6ea31eb2b396fe094c679 |
| SHA512 | 4f413e4215f3587fdd6474a47f95f8b5efdb16fcc184e92151811a766a780bba104ced333480105fbf4a0ef69f8c92563222fde0044be169620ee359a2118db1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 602b49254dcb8571ac5772a4dd0af07f |
| SHA1 | 7335311cc55955d884a6d4100359b9063c946f23 |
| SHA256 | b0365f8d6a40f09a66fa85c4c5a89c89f5016202e4990af5c093b1a5e5714790 |
| SHA512 | 8876eb35a5306f05fcecd29042e101a4f8a1fbec98e5652af087c548f0d3f0f316918f0f44c56f76402f7b73d20300b98bb403ddcfb1492445c0fab494a17bad |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 79019afb63d567832f91f2c1c79cecbd |
| SHA1 | ae492cc5b599865fe1258acbe6abc53b8fae684a |
| SHA256 | 2e9f98d97a01814907f8177dfbd5739b590d5582948b0d03092b227c635713b2 |
| SHA512 | 4da50a1c559a0ef0c7ce657d4ca43b1e7af1208ba24818b644800c49080d04161b053db9ecfdafb1035dbf868d819da3d7586e796a48418f92a1b90b486bc756 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 8774c5d6c00da8b976f930f8cf24b985 |
| SHA1 | d1790c954ca74928f0eb2b5614540977f475d40a |
| SHA256 | 6a0b437ef0db70ae38237f8cb63079f476873901e83da647d25bcfa18e98da84 |
| SHA512 | c0dc33e1d6c2e941ea75caf2c515c46c6467b13fb8fe803aa3d4bb8927cf8faf9ac88a8eeabce3f2835d8d892bafef03e9ba7c17a4474047f892f14317e8498c |
memory/2212-1201-0x0000000010410000-0x0000000010480000-memory.dmp
memory/2212-1222-0x0000000003670000-0x00000000036B2000-memory.dmp
memory/2212-1224-0x0000000010410000-0x0000000010480000-memory.dmp
memory/2212-1225-0x0000000003670000-0x00000000036B2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-09 18:33
Reported
2024-09-09 18:37
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
CyberGate, Rebhip
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4464 set thread context of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | "{path}" |
| C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\d6e16504b793c7a63897e0d398a4f8ea_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2900 -ip 2900 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1332 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2900 -ip 2900 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1340 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | asade.no-ip.org | udp |
| RU | 178.207.79.167:25565 | asade.no-ip.org | tcp |
| US | 8.8.8.8:53 | 167.79.207.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/4464-0-0x00000000748F2000-0x00000000748F3000-memory.dmp
memory/4464-1-0x00000000748F0000-0x0000000074EA1000-memory.dmp
memory/4464-2-0x00000000748F0000-0x0000000074EA1000-memory.dmp
memory/4140-3-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4140-4-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4140-5-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4140-7-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4464-8-0x00000000748F0000-0x0000000074EA1000-memory.dmp
memory/2900-11-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/2900-12-0x0000000000850000-0x0000000000851000-memory.dmp
memory/4140-10-0x0000000010410000-0x0000000010480000-memory.dmp
memory/4140-30-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4140-68-0x0000000010410000-0x0000000010480000-memory.dmp
memory/2900-73-0x0000000010410000-0x0000000010480000-memory.dmp
memory/2900-71-0x0000000003F10000-0x0000000003F11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| Hash | Value |
|---|---|
| MD5 | b122eb3037217aeee8d5683218cfdb14 |
| SHA1 | 3136251e64ca1e1f642e9ab3a92a0d923b989c50 |
| SHA256 | b9dc5c7a5c5b09a833ec538cd896ea83bdf1d920cdae1e711f467fefe057ae45 |
| SHA512 | 55ffb337f0ba7c4a4fc37758cc1921df6ada8e3bf96a7be2eca14b7b1471a46feef17b36f5c52a7aca7ee04cb9f4ba7481fbb8c72e2efaa806b449c361e02d13 |
C:\Users\Admin\AppData\Local\Temp\Admin8
| Hash | Value |
|---|---|
| MD5 | dc86e31a409dc40ceb6e7f5a10311335 |
| SHA1 | fe3f3b8ffc0fc15c25ad2a8045a18180e5805424 |
| SHA256 | 73521f59423ca2783536aa73575facc7d1d072d17b6680962f7e08b35aa2b4b5 |
| SHA512 | afb33480ee040af5ca01108a9ee98d2e588e41e51719ae427415aae7b83d4ee7f233755aa42c78e2bdd6d2c1a97bb872f0993ebb3203de4ead80e2a409e6087d |
memory/4140-261-0x0000000000400000-0x000000000044B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | e5a4ef8f5f6af8882bf921d44e084b8c |
| SHA1 | e3fef561c4e923cbf1de03a47fca6bd4f3550e78 |
| SHA256 | 14e3c078d550138f68e502c84bce353b143637eab0c66cef3fd28564df008b7b |
| SHA512 | 66ec65f7bd1500d49f9189c8bddba2051cf41b62c1c41ec1eba5befb750646c4ab34499962ddd95897308db5f6a350e052d9b54bd766943e0586c18c7cd23195 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | b27316f109c20e65b8e441c2b7e97044 |
| SHA1 | a7c7ad69f71e157ed83d0b8c0ed6b3be21892a2b |
| SHA256 | 39aeb397c8cf8532ecda2d78bbd2aca0f02f931ae097f5c76bc50117cf415e97 |
| SHA512 | 4efbf46dbe566dd9b5c5ac6e3a545aa0a8891c458e954340a3e4dbfc64680b5f7764843df5d5d5259b9959f97d298cf9fbdda32ea11c6bdc44245db442730927 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 83bb461bbc73fcf6a941884961317f29 |
| SHA1 | dd3c98c79f0e1f706d7e9a10776e4399f16791a8 |
| SHA256 | 2786edcb16ad206588db5cf3e84b8c8075577bd4c52ea41d986bfd6ed1c1680d |
| SHA512 | c71425e8ce65c42525d4c9ae80ead2eedf59f2cff657a366f8f9dc9bb583247cc9f438a5e918bf43208a2714a78cf08a260b12ab0c6b8ae7297b2bcd446f891a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | aab42f37cdb0c20ff509184c2e44dbd9 |
| SHA1 | 44f333597beb092c402924cbf4b6582b00ed9d01 |
| SHA256 | f103242183c9d551570d22a666fa010a831f42cb09dec5b208aae1e18fced2ee |
| SHA512 | deba055bc7445192c4f99cd52433083c2f6282f7cb24ad76017858d300e82180e8366ac61e56e46d7a43505c335e6047469e541ca2789e0c495193eb5299e16f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | 50e1a36ad5827293b7e43e21e92c086e |
| SHA1 | 72202bfc7d93bfc554f10d55ca862738daf43b80 |
| SHA256 | 58ae8228de1ac1d0be92b3cd492d19dfb8b9a00fb59d98503aaa2edf03ff43c0 |
| SHA512 | 4741ffded1a4c08d37133e630f2dfa8b1fdb1ae43eabe4d82ceba1a003b3cc2aaa5b89e826953647596b2bc66419fc1855e5be84a5023dbcd47d51addcef8fc6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| Hash | Value |
|---|---|
| MD5 | fd35e252a34f2a6c9f667c5214d599ee |
| SHA1 | 8f60ea082e6880d3e2dd9805773540f16c5bb344 |
| SHA256 | fa6885e7430a4f9a3ed2d73e5f2875d7aa64bd7075c2b7e01144ffe7cd99d13b |
| SHA512 | 27814efc7f6eb6cfc7575b5e917c84e2aca0bde5d80535b54a62827268f9efeb1c1c6af5aed5d66b03243bf3b04e815f4ef6d09205b856c00755e9c591af2fb5 |
memory/2900-1290-0x0000000010410000-0x0000000010480000-memory.dmp
memory/2900-1292-0x0000000004A60000-0x0000000004AA2000-memory.dmp
memory/2900-1313-0x0000000010410000-0x0000000010480000-memory.dmp
memory/2900-1314-0x0000000004A60000-0x0000000004AA2000-memory.dmp