cybergate | 1d5739e35b6d6288c45d75515e0801a9d3ed26c6638901710a376de3c194981c

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
Size

360KB
MD5

d717ef3c8a43d58e7ff0e9ff6e1ea1aa
SHA1

68ae7b6d968af90efbb6eab35d830d4e80f26450
SHA256

1d5739e35b6d6288c45d75515e0801a9d3ed26c6638901710a376de3c194981c
SHA512

b119e137c6e66c5c5892f4f02d7a7208ee9bea1962344d1eb881e6916921c33ddf3ef8b7fec37cd53d57cf9e841651f3000d70b27a74baeb41b5e9f32e7cfbe2
SSDEEP

6144:BTPZ+jTqMnPBHxYr7acWX2LjvotqUWsIZ/thCqT3sn:ZPZ+jTf8FnLLo0AIhjC+sn

Score

10^/10

cybergate fwd discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

fwd

silverfuelz.sytes.net:5401

silverfuelz.no-ip.info:5402

Mutex

422PILR2485N2E

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Windows Update
install_file
Graphic.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
bhavi
regkey_hkcu
Ethernet Driver
regkey_hklm
Graphic Driver

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Windows Update\\Graphic.exe"	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Windows Update\\Graphic.exe"	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DN04Y8S7-4DNO-M73A-6BQO-C85Y67T8SPV2}	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DN04Y8S7-4DNO-M73A-6BQO-C85Y67T8SPV2}\StubPath = "C:\\Program Files (x86)\\Windows Update\\Graphic.exe Restart"	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DN04Y8S7-4DNO-M73A-6BQO-C85Y67T8SPV2}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DN04Y8S7-4DNO-M73A-6BQO-C85Y67T8SPV2}\StubPath = "C:\\Program Files (x86)\\Windows Update\\Graphic.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4852	Graphic.exe
4344	Graphic.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3140-2-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3140-4-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3140-5-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3140-6-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3140-9-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral2/memory/3140-13-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/3140-28-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1540-76-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/3140-147-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2728-148-0x0000000010560000-0x00000000105C1000-memory.dmp	upx
behavioral2/memory/1540-173-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/4344-176-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2728-177-0x0000000010560000-0x00000000105C1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Graphic Driver = "C:\\Program Files (x86)\\Windows Update\\Graphic.exe"	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ethernet Driver = "C:\\Program Files (x86)\\Windows Update\\Graphic.exe"	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Graphic.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Graphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1000 set thread context of 3140	1000	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	86
PID 4852 set thread context of 4344	4852	Graphic.exe	96

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Update\Graphic.exe	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Update\Graphic.exe	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Update\Graphic.exe	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Update\	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Graphic.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1000	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
1000	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
4852	Graphic.exe
4852	Graphic.exe
4344	Graphic.exe
4344	Graphic.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2728	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
Token: SeDebugPrivilege	2728	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1000	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
4852	Graphic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 3140	1000	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	86
PID 1000 wrote to memory of 3140	1000	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	86
PID 1000 wrote to memory of 3140	1000	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	86
PID 1000 wrote to memory of 3140	1000	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	86
PID 1000 wrote to memory of 3140	1000	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	86
PID 1000 wrote to memory of 3140	1000	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	86
PID 1000 wrote to memory of 3140	1000	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	86
PID 1000 wrote to memory of 3140	1000	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	86
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56
PID 3140 wrote to memory of 3568	3140	d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:1540
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d717ef3c8a43d58e7ff0e9ff6e1ea1aa_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2728
    - - C:\Program Files (x86)\Windows Update\Graphic.exe
        
        "C:\Program Files (x86)\Windows Update\Graphic.exe"
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4852
      - C:\Program Files (x86)\Windows Update\Graphic.exe
        
        "C:\Program Files (x86)\Windows Update\Graphic.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Update\Graphic.exe

Filesize
360KB

MD5
d717ef3c8a43d58e7ff0e9ff6e1ea1aa

SHA1
68ae7b6d968af90efbb6eab35d830d4e80f26450

SHA256
1d5739e35b6d6288c45d75515e0801a9d3ed26c6638901710a376de3c194981c

SHA512
b119e137c6e66c5c5892f4f02d7a7208ee9bea1962344d1eb881e6916921c33ddf3ef8b7fec37cd53d57cf9e841651f3000d70b27a74baeb41b5e9f32e7cfbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
11f5f313319d85f49ea8f5a053b564a8

SHA1
18a1b871f93003f218f354a0ccbcfff243b1dccb

SHA256
884a32244661126615efb07d701d60ef5a909279715df47c20f3692c5f04b5fe

SHA512
de8f43c809ca302901299664dd03f10ac0bd406668144ca1e1e16969990243e1d17ad707645dfbb82a94d24396dde1932fc790fdeb3c5b1f409671fdc7680811

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c728da369995448654aef71575f5157

SHA1
e95d55461f06fbae4ddf7a2cbdddde898ea1747d

SHA256
a8eb5fc313180c758db28f50626fd4f42a6ce11d7381848cd0e9599612b4ce93

SHA512
0f9d58469a2006d95bdc672862981af2604e8ffcda26252222243ca99b72f391a3f0fa2d264c2a98f31b49046c21b7d112cdcdbf4807682b97cd1836b370160d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
47bfa349668758cb4bc599738e977ba7

SHA1
937d4e25d3dbe9ee13020d002132bebdbf23bdc0

SHA256
2f5570c3dda02f836463505b464b449375f9601fa6348d2382c995d8b6dec0c6

SHA512
56efcdb42e641257a0d7f9488ffc37b5f963dd36b06d2bd4697cae55bc31362533f68ba6e66252e24f8b4675457ae547bdc1f3800ffe3635df086af090dae088

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f468649f57903c6ef33afc41f0bf71c6

SHA1
c667d6bb7036694ee8370b0044643519fa6d9d26

SHA256
c85b1ea30a2fb271153e36815e3c60cc8a49d90b9bc346ab699a66baefb5dd73

SHA512
e6892016e90df6b29f601f7aa414bfcf21100523d2c2f481ccd77a56777e8bf8bdb6e11a3e8ae04285f9d93a0a3172266e5a4a1ebbf71775f888ea64c4df6728

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e374aade7e5078162be73bdaed92fb71

SHA1
35358316766090ad958bf3d3c58a6bd3a2063fe1

SHA256
95a1869adfb6fab90ea467478d266a7892eae6ab0912a9a75d56ae3203e1dbcf

SHA512
4989d9e3c0cf33fab7828a251600f386b4950525d72f523bbe3e80985e2cd81272c971ca5cfa8675f572ebda04788967fd3a2e37e9b8adacf75a8b5b53079096

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5a4b3433ee94773be14693d27a02d25f

SHA1
479ce06e4521a5597fa1d49960294df46a2e09ed

SHA256
e9bed34f72ffe60360c5c84c99f2dea7aa09e4f070bb161c5696da8bd5fbd352

SHA512
3265ba610ae387c117dbb43c81ed948580256d82b4d28f765e1f9c47b431a8ffe6c85d1e45cdb298d732b1818928da0ae08cae2598f550fea023836b763e953e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1a1afa5db430ca6582e49c88b9675be6

SHA1
aeec321778c591073dfaca21d45b47d138476361

SHA256
cd6f42d532555e593ee381a948c23ef5dd2c58473ae99da50b60cdc7cf19332f

SHA512
700bab1dd4945c8f3387a125e60c543e0c32c74397f0e36dc92759cfaf1acc6a735533609ddd1c4986aa63c55171e5589f878329eb25f58614a5d98be243c508

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9beaa5323d7a07c0da5665cf2d86c21b

SHA1
58862488059ef405e80eba8fb89f335aa6ba2192

SHA256
ecadfc09bd96399cef58d40028a52ebd290f10e7daf9d08e1e345db59d485ec0

SHA512
5af1e856b3048aa77214d11b7fa29d1d101c4080225613aa54be9f3cfb7c20670e893e3eb2e588c498a6718b322d546c96360df773cb17ab287ae898217e877a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9a94863f61d4a6bca56d1988bc6e33e6

SHA1
128a2a59c3be5c506791c9c35195fcac6229d8eb

SHA256
af2be3d1bd870195f1d0caeaa56a4fdc723360fd059e5498326eacc8a206a6ca

SHA512
c855d1f0023cf118e6c2a12a2a2d900f74e7822fd41c201ab27b5da2d5a27175a1e2d59947249182f293b7ce7d51911ac5364a73295776af759cadf18f3188ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c0fdb332faba2f6e9c80bfba2fafaef4

SHA1
b40bef801e5d2c0b5c91bd47c86426753ed1bfd1

SHA256
a6ca46c1addae9f2c52ff65c0f3dddc15d84b7ece30ade1e9bd744dd31b9beef

SHA512
a1c0bf806675567c1a383936aafb5c0b31fb0459f8ee1906502a208e2ef66a8180b2fc7e09fdefcccf7dd8bbf2ec32c418449a7aa565573d52c08b1800561245

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6a4a71a4c4d96c488699413ef2b9639b

SHA1
5cbf886356a102ef858663345c6e225b17518c1a

SHA256
17d8ac7eef1abe67625f1b14ce269841a986b40a71b14e0174750951d88410b2

SHA512
d3a459db93e6a115d86f44c8ccfee95b1730ad795fe326bb0378c1bf4ec5515b01a353ef89f3ab59e57f5a9338f95932a27bdd044cc6dea81f199153a95a819a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5bc8e93295dc6c14df1c4cada6fa2d8a

SHA1
519a624c0ba1b625930780218671e430fa8e0d35

SHA256
73b4fc6aa54b4c14a9aaeabe40b440abc8252984f3b093e069f2a91690cf1ef9

SHA512
7544bdf9628dbe8abd20d628748f0921a57736ac4cd99e8a1f103d3d1004e19a703c5536c35a0754fe3ebf4f8d9fee327cc322a3294791460d9224da037513ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8d35bf2faa71174fd4bceeb8a71c7ad8

SHA1
4456f1529ca666c34a598ffb7fe8befece419d55

SHA256
cd1641462ef2619cb6b2434aa03e60ee585bfc5f84d845811843f597b584059d

SHA512
f87afee8775a67176636a3df78816d24a7e6cc399af253c760765482a258d3b7734218b18b8aca5d810927c452fc9b04ced3f82a3cb5ba482cc067b262efa7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9837e6bb430c023a1e9f74aae0d5f581

SHA1
e2abb3b7af1123b0c1acfb9a3166d0b5b19e452a

SHA256
32c09cae73a54cf21376607fa40c32eb5ebb3aa876263fc224be1ab020b065ca

SHA512
5de4cd9fe20e1e42fe12c932e1292573c77afa82323c40ec992cd090156a1c607ba5d1e92e3e6b6a06e7162beedfbde72f425e81bb8777ede1c24112e2089e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
48395e43b4b4601c81ba84cea665aba6

SHA1
c29a0744c2093849a16aa2d7aeb7cab37a5ba8b6

SHA256
a83a6cb777e352ce2db10342a7cd4b87c4514ddf7a0da6e3b6d898e49843a952

SHA512
625fbae42e7835610a50910d532f923f9b528c48f674ba30218a9830fe9fd4494374b3213de4b37a5c6199c543e4e70e7af5480eeb1351f516dbe697b60780d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fe69bc7caab5b3a9221e94ce045d1429

SHA1
b0297985e31cf7043df0646e9b7fff9f8d5a7ee0

SHA256
a42632975a35b25bd715669948d90a75d374d5a65e7810d0a6c8cb2917aa54cf

SHA512
f816bc77df9cf3f3a9f16453d3484c6575d0c44a1e65eb4f554ed50f01c171f0a583dad3fe813795a415b1ae95f247bdc3c993fed20aba812fc78e0b32022f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1cc70e3deac79050bbe80ca1ec470f91

SHA1
e599464d8b10057e703054c2b3c14086860a92ed

SHA256
a6b3ce93669cce061ae188b3e46817b363461954da2d8842a55f7cdbdc37671b

SHA512
4f974ab9fff4201443c8171e31d9d7d49f489230885169fe3098e1b5bf920a0467afe688c0b6de5e0166e769df8f69686042dda44bf9815033e34ea5e22ff2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
43294c59afadb75dd4edd3a938a70c73

SHA1
47faf5ead026ad639aee97a508a36066e6831ac5

SHA256
10873910773a8d63be954a8f007879f24502072828712615a7d6ff8b32864bc0

SHA512
e45db8df8f45d7bc6e3ae104f355d7850b9e9f26542e01776cb8ed2c0d14a10506200a5cdefd0a0a75cdc3e4f0437d356dec90b2bcade86f4e9ae7ff3f1449b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b2f61037d81b90cee7a1064b19031580

SHA1
c797fe836a5e2d85a792ed852c7639b3884eb25a

SHA256
9abe060e95779f4a8509b47cff46e5fa805b5786bed0ed3cdbba76b096288499

SHA512
c8a12002e4bab28ee58449e660962f1822c430e498e458bfd6376e2397cef3d6f18cf7ee49309a6fbab0d0e27e9954cd09db5b1a5f08f4a9432a72fb0addba51

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/1540-14-0x0000000001670000-0x0000000001671000-memory.dmp

Filesize
4KB

Download
memory/1540-173-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1540-76-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1540-15-0x0000000001730000-0x0000000001731000-memory.dmp

Filesize
4KB

Download
memory/2728-177-0x0000000010560000-0x00000000105C1000-memory.dmp

Filesize
388KB

Download
memory/2728-148-0x0000000010560000-0x00000000105C1000-memory.dmp

Filesize
388KB

Download
memory/3140-13-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/3140-2-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3140-147-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3140-28-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3140-9-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/3140-6-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3140-5-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3140-4-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4344-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download