Malware Analysis Report

2025-01-02 14:04

Sample ID 240911-lacaessfmp
Target da0a59474c6e5ea11965c20a57651037_JaffaCakes118
SHA256 a9c2ceb933f283ace77d83eb3d8cfd497675dea59e11069ebe89c3f9035c878b
Tags
remote cybergate discovery persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a9c2ceb933f283ace77d83eb3d8cfd497675dea59e11069ebe89c3f9035c878b

Threat Level: Known bad

The file da0a59474c6e5ea11965c20a57651037_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remote cybergate discovery persistence stealer trojan upx

Cybergate family

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 09:19

Signatures

Cybergate family

cybergate

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 09:19

Reported

2024-09-11 09:21

Platform

win7-20240903-en

Max time kernel

148s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I}\StubPath = "C:\\Windows\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I} | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I} | C:\Windows\SysWOW64\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\install\server.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 632 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe"

C:\Windows\install\server.exe

"C:\Windows\install\server.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.server.com | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp

Files

memory/1236-3-0x0000000002E10000-0x0000000002E11000-memory.dmp

memory/632-2-0x0000000010410000-0x0000000010475000-memory.dmp

memory/1112-247-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/1112-248-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1112-526-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 e2efeb981f61bcbf7a9b1f13d1fd3b78
SHA1 a469b425adf2bfeac3cc97bb46f9ecfa3a437303
SHA256 e0375b92bcbe76fbb55d9a22553dddfbfbd359b24708180891e2e88e8cff5bf3
SHA512 3b4b75cc65d825e69cd782ab483ac01d9356a7e1cc449cf9561201a9c20c5b60bedc16b6d18e63cac5eedc996c2d453043d34ea1a2a811aaf23799785339da83

C:\Windows\install\server.exe

MD5 da0a59474c6e5ea11965c20a57651037
SHA1 2ead2fa59cc821e6d8d608ad67fe192e2232001b
SHA256 a9c2ceb933f283ace77d83eb3d8cfd497675dea59e11069ebe89c3f9035c878b
SHA512 b5b63181c5a8e879b4797c4fc684bde44bfd2f3a7e491bb2de21e3ff0f6b73bf2f788ab21ebc5e99fd4c1113648f0a139f03306afa271703b4e440f37a446b36

memory/956-857-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/1112-879-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/956-883-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 82b83b770b303dd5831bad4095389d41
SHA1 be8922857e6accec6dafb9d1b3e717b0d6aeb3f1
SHA256 4e2c3eb3983367f9ce9b1d8b270cff543c0bee4c7b273d2bbf71f27121cf2964
SHA512 72f8c86c2818837c3ed8934875b949133fa805789071345b66d60d58dbbbfdce46a0ff8aa11ca3cb158c08060b5aba2e2fab2ce1930bac5d23f4c6f2254e41f5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d44dd2533e8453dccffd167efb002e35
SHA1 ee4d37380d398bfa680e1ad7313643e3832a1d52
SHA256 5f172e6d6bbd35664da9997762939fefcc4a22f142b3ae698d03ab3ed14b43df
SHA512 5d29dbe0d845ee79d4d392c9fe058e4ca0d4f05a57b713f1434d0b31bfc4230227aa341e7d998dcb9e20f905e5485978a2e381dcdf5b9b36fe21143b06df95b2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 20ef875ff0b5999adb961708c224becd
SHA1 c73ae0ef66949e0d77968632d297d96a88204ec4
SHA256 1a7c734d2f08eb32864273e0064b365a5f6903b11c2366c6b8d30ebcf20d8040
SHA512 6841139324c26bc9160ed4a13b149e63c8f6cec174ac95093eea74982a6edc66d23ace5f4a4492d7297933cb9cd783e55c918052f08229cf1278d2a531492c21

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 846ba634d163366ae36697c356215c9c
SHA1 d3b084ccdbee294438af533ca7705322cd5e9f93
SHA256 c8066c686b3b0f302e39c5cf59756716e0ac72aad8b9c0f80fa2c2773c806d86
SHA512 1a2595fde95f8397087e2d107c20b9e97904f6b4837714cfee1157d86595ff0e522f68de23c3ea6b5717e6a8e0a538fbfdc8bb32c61853303509e3491fdfe7a1

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7599025639f3194f4b9ebb9898addb74
SHA1 7645e49b0f94e014d38a5af65e0f43d9d1fc497e
SHA256 b9d09565e7b7e766d443622a20fad8bde5bb314a98e05c158b6352e299534f92
SHA512 290b59a25b77e58580992f56db02c75d414b2f4af0e61c8286edc37e05ca5168452143756b3c2ccd66fa7e918ec512e6b0e206dca906ca08c9b3123c7df62e8f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6e4ee40c485fd6b80d49429ccfd5bd8c
SHA1 b731c2c7652606a02cd5c15a2fa17af69b42922b
SHA256 59853edbc416e1460456d90a2151ad715b100b8fcc4a1a2a88218ee97363932a
SHA512 69a90b03bd4c51199c4c150d57aae8837980be16006b6f807b774619a9239d9a3f330cfb9e5c090358b1da2012f1412f94b958151025369f24c4e486eb53fff3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 161851dc0b0fb3a1d4668a98b0001cc9
SHA1 78238d27adaa2710b48d3d703c6ab9f9f8407ed0
SHA256 ebee44071325d7f8e3988d7687e10007813d81676150e4351027d9c0f7cf954d
SHA512 4f49988a1560cf38fcb850d73648ed8c333d9e9e22edd78abb47fc76c54864e4aed5a8bdbe3d1bc7401475d90d8dcc0fa175a52cee3124210956bf6d763195e5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b4bd5e5129730475b6256d53cb6972e4
SHA1 0b3d8f7b8b3b4cdc2ebfc8db7597ec80d18658fb
SHA256 94de9a1ccb02864ab29c59318f84b570b4f41f1eb517815c0ffcfe107331d5e0
SHA512 fa7dd5826a5279753af15021e92a349f4d87e9118b38ea8e8133071c7b64d468c23a6e17dfca885679062ef9771dcaf0d1165f13f87d0ce53bd8ee7e751aeced

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2632dce56f367c65c5384d6d0f4cbc77
SHA1 34275891d66826ae2538091e5b2f9677efdcdb03
SHA256 b8133d4748d1f4df99a061020f31bb5010e03803214e112927313a77f4e88b84
SHA512 de94fdfaa53b868d295ac785904262898703d518629ed4fae64fb741f004cb234f6bd816890e9f6ea3fd3748f439d1de430152e00846186e1dce38acd0c7c758

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fa3ade80bf407c0e9314a657cce8ba9b
SHA1 47ca17d1589fec24d06bde3041fc9cb49af2cfa1
SHA256 6aa46992cb5f4a73c10f12c58ea67fb63d870ca1bce65b8c2f056b347fa2a350
SHA512 9b795b78a887f2e56cdc2ea782d07fe2f0632cb8a065dc6d8624b162c87d73678a79debcc149d2ab132c8932e8fbac866e70d7c26b4924a6529352e56d00cbeb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 eb84aa2f5cdc93a0726571dcf73bea11
SHA1 8352e213e481d8ca6891b32dfc3fe6113f19c4f3
SHA256 2fec5a4b8e7704bb0164e69ebc7cb65106ddc0e7a813d2e1447890dbacdeb94f
SHA512 0e7cd3712cf6e60ccbb17b5f8a01c434331f974ad227ff20ed2956b27559a63dc40fee61cda009c46353feef7ea14b2795364de36ec78fe04a0bafb0c3e4c934

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1fa8b3b2bdbba96264809a8bce379343
SHA1 76c145f0334f653098ce046fcdff756992b78ec7
SHA256 dd519089a799eb49dfcb465eb41ecca26367629c2f0997ee2ce7659a098231ec
SHA512 3d6706abaf3af2afc9f0cf297b3db581cdcf35709e9a198a27f045fb84c424276fe094dee423ef6022b8e7b62c47106d4ad417c3fa2cbb19d2e360c218e90181

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9383cf925e2773be76a54d4cdaae3c8a
SHA1 e991dc006b15cda399180bce937d5e03616cdd15
SHA256 c85e427195582008e3dbb02f97bf1b1c3a3fff31b87009af89acf3d8a4779fce
SHA512 c2d269b2b67a770b2d3bc1e95b8be9f78d27d5dfecef79f4ba42cb6143bcf12dd9832cc29e7c86577d310b0c58e2d61b468da39a12063355f93f051d5380bde2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1eb11d7edb09d09b5569046a851b645c
SHA1 a92ac13561597213bf72ee46437c1438cd87ab4e
SHA256 3a2ea623677f69edc89df30dbcd5250e9f43de82a35f7fd46bc3c1da711dc037
SHA512 ccdb3793e10163d99d7ecfd68af31ea91d691ac969a42746ba4de9dbbeaf30adcf30bfed9c48442208c5c0487fd9561212c938a76c6239214f5d4136f6ef4926

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c7003d916e371365c44cc9ed1c3c9435
SHA1 4b562fce68e26681bf8959a60008f738fb99a651
SHA256 e1c34263043f915537f468ee53aa600bbbc1bcaa36b30a324bcd32c41ec569c9
SHA512 a24755d836722069a3eeacd515437395482df95536698ecb1f2c70f80ca10ce75253b1380e457d1fb514576f852eb5876f3c0d82b744120a2e74da2133e158c4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5af8d18efe2ea38a4b7436beff83f317
SHA1 7157b0bfefd79532867779c4400b31f18d18303d
SHA256 938084a61280b2ab6634469a7bfffddee2801b008b761ec4f9a794c3a6201dc0
SHA512 b9c908758e725ba7fd3a4638d76a10b8987739e385400cb7f1353aa3595e8a72f42c4b0cb495dd608252dc54026aba5e0d413b9b5ff1dd6b0207bb7b5671d557

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 96eeb0776a6163325351ce920c4cb785
SHA1 e491f6fa2a69f76952f1846f351fd9eafecde22f
SHA256 767610920f3c4938d6438800e4483c711012013280e6d5ce265675544ea3ee63
SHA512 a92c7b86e5b65dff79eebae204eb856f0f1bce22291660843e0f05aa2e85a1a785a807f97c29efe47014abae2d147baf84b734122f8ec64d39636407d92cb90c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9b870fdedbbd27efbf968c25c27fe097
SHA1 4178865aba5ab845bc43bd8fd821c105d30a2192
SHA256 1bcbb0de59651eac331576003b81b52d16966d0939d45ec7c76ddf4e220278b2
SHA512 f7c5e3ad33d2c4172410012bada3980cdcc6473e662ef8531a7651c919cecc0b7eb88393554044915ccafb4ddd68a1f1d598ee0bbbaf808e26c4983f5d5f81a6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ced8c41671c3995f09366371dd1b28e0
SHA1 3f9efd5608e1dea701e1b868a49691421926e975
SHA256 c11c68e5a4c633aa2459099128928e6c194998073d8accff6fc261899e399be4
SHA512 3369346c83f3c82b58b3bc88614a3cc98a52f9c56e22b63e865e343e92da9b3b9e4561e2d4a5f2b67e301e759b9819d118034b97da233580c09764a3391e2242

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9ada3d0b24979954dbbbb817e2ac3ff0
SHA1 cf0c91bc174c2475f0888ada6c7beadde825686c
SHA256 c967cbe7467c201d6828dbd8a9e0e3c4e61eec0a6b86734ace96e45675832432
SHA512 84ef55a50f2bb3a10293956936a39e00711a41484f736600488896df77554e6ee2776986f9e6f8ffeff6f341ef127282201e440ca4f41b3e0f54cbb9f532dee4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c0eac95b86a1fbef6809c03036dff2e7
SHA1 0df4b5f9b827f501616958623976d97c4cb09c98
SHA256 ad7b002dbd13f53a891b14fa369ee9f9ed6de8dced631cb2733e4d67bdd0faf0
SHA512 56bc39d34f25413df30499fafa88b78644b847b54656c3050af36433d29eb77e410e58cfe71c88ee621d8ebeecd023f7723c5d2d88261fb845a15752671e5e27

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 09:19

Reported

2024-09-11 09:21

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I}\StubPath = "C:\\Windows\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I} | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I} | C:\Windows\SysWOW64\explorer.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\install\server.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\install\server.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\install\server.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe C:\Windows\Explorer.EXE
(this row is listed 64 times in the report: 64 identical WriteProcessMemory events from PID 1460, the sample, into PID 3488, Explorer.EXE)
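The WriteProcessMemory rows above are one event repeated: the sample (PID 1460) writing into Explorer.EXE (PID 3488) 64 times. The Python below is an added triage example, not part of this report or of the sandbox's own tooling. It parses rows in the table's format, collapses identical rows into one finding with a count, and escalates the pattern that matters here: a binary under a user-writable directory writing into the shell process. The regex, the user-writable directory list and the hypothetical benign row are assumptions made for illustration.

```python
import re
from collections import Counter

# Added example, not part of the sandbox report. Parses rows in the
# "Suspicious use of WriteProcessMemory" table format, collapses identical
# (source, target) pairs into one finding with a count, and flags a binary
# under a user-writable directory writing into explorer.exe.

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_image>[A-Za-z]:\\.*?) (?P<dst_image>[A-Za-z]:\\.*)$"
)

# Row copied from the report; the report lists it 64 times.
REPORT_ROW = (
    r"PID 1460 wrote to memory of 3488 N/A "
    r"C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe "
    r"C:\Windows\Explorer.EXE"
)
# Hypothetical benign row (constructed): a browser writing into its own child.
BENIGN_ROW = (
    r"PID 4100 wrote to memory of 4120 N/A "
    r"C:\Program Files\Browser\browser.exe C:\Program Files\Browser\browser.exe"
)
SAMPLE_ROWS = [REPORT_ROW] * 64 + [BENIGN_ROW]

# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")
SHELL_TARGETS = {"explorer.exe"}


def parse_rows(rows):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples; skip malformed rows."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(src_image, dst_image):
    """Heuristic verdict for one (source image, target image) pair."""
    src = src_image.lower()
    from_user_dir = any(p in src for p in USER_WRITABLE)
    into_shell = basename(dst_image) in SHELL_TARGETS
    if from_user_dir and into_shell:
        return "suspicious"
    if basename(src_image) == basename(dst_image):
        return "likely-benign"
    return "review"


def findings(rows):
    """One finding per (src, dst) pair, with how many times the pair appeared."""
    counts = Counter(parse_rows(rows))
    return [
        {"src_pid": s, "dst_pid": d, "src": basename(si), "dst": basename(di),
         "count": n, "verdict": classify(si, di)}
        for (s, d, si, di), n in counts.items()
    ]


if __name__ == "__main__":
    for f in findings(SAMPLE_ROWS):
        print(f)
```

Sysmon Event ID 10 (ProcessAccess) records the same source/target pairs on a live endpoint, so the same aggregation applies there; the count is what separates a one-off write from a process being used as a host.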

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe"

C:\Windows\install\server.exe

"C:\Windows\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3080 -ip 3080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 576

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
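Most rows in the Network table are reverse (PTR) lookups under in-addr.arpa; they carry no hostname the sample asked for and are usually noise from the guest's own traffic, though the decoded addresses are worth keeping for a check rather than dropping silently. The only forward resolution is www.server.com, which was followed by repeated TCP connections to 52.8.126.80:80. The Python below is an added example, not part of this report, that separates the two kinds of row and reduces the table to the pairs worth pivoting on. The input is a constructed subset of the rows above; the helper names are my own.

```python
import re
from collections import defaultdict

# Added example, not part of the report. Reduces rows in the Network
# table's format to forward DNS lookups and the TCP connections that
# followed, kept apart from PTR (reverse) lookups.

# Constructed input: a subset of rows copied from the table above.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def parse(table):
    """Columns are: Country Destination(ip:port) Domain Proto."""
    rows = []
    for line in table.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_target(domain):
    """232.168.11.51.in-addr.arpa -> 51.11.168.232; None for a forward name."""
    m = PTR_RE.match(domain)
    return ".".join(reversed(m.groups())) if m else None


def extract_iocs(table):
    ptr, forward, conns = set(), set(), defaultdict(int)
    for r in parse(table):
        if r["proto"] == "udp" and r["port"] == 53:
            target = ptr_target(r["domain"])
            if target:
                ptr.add(target)           # kept for checking, not for blocking
            else:
                forward.add(r["domain"])
        elif r["proto"] == "tcp":
            conns[(r["domain"], r["ip"], r["port"])] += 1
    return {"ptr_lookups": sorted(ptr), "forward_lookups": sorted(forward),
            "connections": dict(conns)}


def pivot_candidates(iocs):
    """Connections whose hostname the guest actually resolved: the pairs to verify."""
    return [(d, ip, port, n) for (d, ip, port), n in iocs["connections"].items()
            if d in iocs["forward_lookups"]]


if __name__ == "__main__":
    print(pivot_candidates(extract_iocs(NETWORK_ROWS)))
```

Treat the hostname/address pair as a pivot, not a verdict: a generic hostname and a port-80 address that may be shared hosting need verification before either goes on a blocklist.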

Files

memory/1460-2-0x0000000010410000-0x0000000010475000-memory.dmp

memory/2588-7-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/2588-8-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/2588-66-0x0000000003620000-0x0000000003621000-memory.dmp

memory/1460-63-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/2588-68-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Windows\install\server.exe

MD5 da0a59474c6e5ea11965c20a57651037
SHA1 2ead2fa59cc821e6d8d608ad67fe192e2232001b
SHA256 a9c2ceb933f283ace77d83eb3d8cfd497675dea59e11069ebe89c3f9035c878b
SHA512 b5b63181c5a8e879b4797c4fc684bde44bfd2f3a7e491bb2de21e3ff0f6b73bf2f788ab21ebc5e99fd4c1113648f0a139f03306afa271703b4e440f37a446b36

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 e2efeb981f61bcbf7a9b1f13d1fd3b78
SHA1 a469b425adf2bfeac3cc97bb46f9ecfa3a437303
SHA256 e0375b92bcbe76fbb55d9a22553dddfbfbd359b24708180891e2e88e8cff5bf3
SHA512 3b4b75cc65d825e69cd782ab483ac01d9356a7e1cc449cf9561201a9c20c5b60bedc16b6d18e63cac5eedc996c2d453043d34ea1a2a811aaf23799785339da83

memory/1740-138-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/2588-158-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/1740-160-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d44dd2533e8453dccffd167efb002e35
SHA1 ee4d37380d398bfa680e1ad7313643e3832a1d52
SHA256 5f172e6d6bbd35664da9997762939fefcc4a22f142b3ae698d03ab3ed14b43df
SHA512 5d29dbe0d845ee79d4d392c9fe058e4ca0d4f05a57b713f1434d0b31bfc4230227aa341e7d998dcb9e20f905e5485978a2e381dcdf5b9b36fe21143b06df95b2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 20ef875ff0b5999adb961708c224becd
SHA1 c73ae0ef66949e0d77968632d297d96a88204ec4
SHA256 1a7c734d2f08eb32864273e0064b365a5f6903b11c2366c6b8d30ebcf20d8040
SHA512 6841139324c26bc9160ed4a13b149e63c8f6cec174ac95093eea74982a6edc66d23ace5f4a4492d7297933cb9cd783e55c918052f08229cf1278d2a531492c21

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 846ba634d163366ae36697c356215c9c
SHA1 d3b084ccdbee294438af533ca7705322cd5e9f93
SHA256 c8066c686b3b0f302e39c5cf59756716e0ac72aad8b9c0f80fa2c2773c806d86
SHA512 1a2595fde95f8397087e2d107c20b9e97904f6b4837714cfee1157d86595ff0e522f68de23c3ea6b5717e6a8e0a538fbfdc8bb32c61853303509e3491fdfe7a1

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7599025639f3194f4b9ebb9898addb74
SHA1 7645e49b0f94e014d38a5af65e0f43d9d1fc497e
SHA256 b9d09565e7b7e766d443622a20fad8bde5bb314a98e05c158b6352e299534f92
SHA512 290b59a25b77e58580992f56db02c75d414b2f4af0e61c8286edc37e05ca5168452143756b3c2ccd66fa7e918ec512e6b0e206dca906ca08c9b3123c7df62e8f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6e4ee40c485fd6b80d49429ccfd5bd8c
SHA1 b731c2c7652606a02cd5c15a2fa17af69b42922b
SHA256 59853edbc416e1460456d90a2151ad715b100b8fcc4a1a2a88218ee97363932a
SHA512 69a90b03bd4c51199c4c150d57aae8837980be16006b6f807b774619a9239d9a3f330cfb9e5c090358b1da2012f1412f94b958151025369f24c4e486eb53fff3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 161851dc0b0fb3a1d4668a98b0001cc9
SHA1 78238d27adaa2710b48d3d703c6ab9f9f8407ed0
SHA256 ebee44071325d7f8e3988d7687e10007813d81676150e4351027d9c0f7cf954d
SHA512 4f49988a1560cf38fcb850d73648ed8c333d9e9e22edd78abb47fc76c54864e4aed5a8bdbe3d1bc7401475d90d8dcc0fa175a52cee3124210956bf6d763195e5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b4bd5e5129730475b6256d53cb6972e4
SHA1 0b3d8f7b8b3b4cdc2ebfc8db7597ec80d18658fb
SHA256 94de9a1ccb02864ab29c59318f84b570b4f41f1eb517815c0ffcfe107331d5e0
SHA512 fa7dd5826a5279753af15021e92a349f4d87e9118b38ea8e8133071c7b64d468c23a6e17dfca885679062ef9771dcaf0d1165f13f87d0ce53bd8ee7e751aeced

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2632dce56f367c65c5384d6d0f4cbc77
SHA1 34275891d66826ae2538091e5b2f9677efdcdb03
SHA256 b8133d4748d1f4df99a061020f31bb5010e03803214e112927313a77f4e88b84
SHA512 de94fdfaa53b868d295ac785904262898703d518629ed4fae64fb741f004cb234f6bd816890e9f6ea3fd3748f439d1de430152e00846186e1dce38acd0c7c758

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fa3ade80bf407c0e9314a657cce8ba9b
SHA1 47ca17d1589fec24d06bde3041fc9cb49af2cfa1
SHA256 6aa46992cb5f4a73c10f12c58ea67fb63d870ca1bce65b8c2f056b347fa2a350
SHA512 9b795b78a887f2e56cdc2ea782d07fe2f0632cb8a065dc6d8624b162c87d73678a79debcc149d2ab132c8932e8fbac866e70d7c26b4924a6529352e56d00cbeb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 eb84aa2f5cdc93a0726571dcf73bea11
SHA1 8352e213e481d8ca6891b32dfc3fe6113f19c4f3
SHA256 2fec5a4b8e7704bb0164e69ebc7cb65106ddc0e7a813d2e1447890dbacdeb94f
SHA512 0e7cd3712cf6e60ccbb17b5f8a01c434331f974ad227ff20ed2956b27559a63dc40fee61cda009c46353feef7ea14b2795364de36ec78fe04a0bafb0c3e4c934

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1fa8b3b2bdbba96264809a8bce379343
SHA1 76c145f0334f653098ce046fcdff756992b78ec7
SHA256 dd519089a799eb49dfcb465eb41ecca26367629c2f0997ee2ce7659a098231ec
SHA512 3d6706abaf3af2afc9f0cf297b3db581cdcf35709e9a198a27f045fb84c424276fe094dee423ef6022b8e7b62c47106d4ad417c3fa2cbb19d2e360c218e90181

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9383cf925e2773be76a54d4cdaae3c8a
SHA1 e991dc006b15cda399180bce937d5e03616cdd15
SHA256 c85e427195582008e3dbb02f97bf1b1c3a3fff31b87009af89acf3d8a4779fce
SHA512 c2d269b2b67a770b2d3bc1e95b8be9f78d27d5dfecef79f4ba42cb6143bcf12dd9832cc29e7c86577d310b0c58e2d61b468da39a12063355f93f051d5380bde2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1eb11d7edb09d09b5569046a851b645c
SHA1 a92ac13561597213bf72ee46437c1438cd87ab4e
SHA256 3a2ea623677f69edc89df30dbcd5250e9f43de82a35f7fd46bc3c1da711dc037
SHA512 ccdb3793e10163d99d7ecfd68af31ea91d691ac969a42746ba4de9dbbeaf30adcf30bfed9c48442208c5c0487fd9561212c938a76c6239214f5d4136f6ef4926

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c7003d916e371365c44cc9ed1c3c9435
SHA1 4b562fce68e26681bf8959a60008f738fb99a651
SHA256 e1c34263043f915537f468ee53aa600bbbc1bcaa36b30a324bcd32c41ec569c9
SHA512 a24755d836722069a3eeacd515437395482df95536698ecb1f2c70f80ca10ce75253b1380e457d1fb514576f852eb5876f3c0d82b744120a2e74da2133e158c4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5af8d18efe2ea38a4b7436beff83f317
SHA1 7157b0bfefd79532867779c4400b31f18d18303d
SHA256 938084a61280b2ab6634469a7bfffddee2801b008b761ec4f9a794c3a6201dc0
SHA512 b9c908758e725ba7fd3a4638d76a10b8987739e385400cb7f1353aa3595e8a72f42c4b0cb495dd608252dc54026aba5e0d413b9b5ff1dd6b0207bb7b5671d557

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 96eeb0776a6163325351ce920c4cb785
SHA1 e491f6fa2a69f76952f1846f351fd9eafecde22f
SHA256 767610920f3c4938d6438800e4483c711012013280e6d5ce265675544ea3ee63
SHA512 a92c7b86e5b65dff79eebae204eb856f0f1bce22291660843e0f05aa2e85a1a785a807f97c29efe47014abae2d147baf84b734122f8ec64d39636407d92cb90c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9b870fdedbbd27efbf968c25c27fe097
SHA1 4178865aba5ab845bc43bd8fd821c105d30a2192
SHA256 1bcbb0de59651eac331576003b81b52d16966d0939d45ec7c76ddf4e220278b2
SHA512 f7c5e3ad33d2c4172410012bada3980cdcc6473e662ef8531a7651c919cecc0b7eb88393554044915ccafb4ddd68a1f1d598ee0bbbaf808e26c4983f5d5f81a6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ced8c41671c3995f09366371dd1b28e0
SHA1 3f9efd5608e1dea701e1b868a49691421926e975
SHA256 c11c68e5a4c633aa2459099128928e6c194998073d8accff6fc261899e399be4
SHA512 3369346c83f3c82b58b3bc88614a3cc98a52f9c56e22b63e865e343e92da9b3b9e4561e2d4a5f2b67e301e759b9819d118034b97da233580c09764a3391e2242

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9ada3d0b24979954dbbbb817e2ac3ff0
SHA1 cf0c91bc174c2475f0888ada6c7beadde825686c
SHA256 c967cbe7467c201d6828dbd8a9e0e3c4e61eec0a6b86734ace96e45675832432
SHA512 84ef55a50f2bb3a10293956936a39e00711a41484f736600488896df77554e6ee2776986f9e6f8ffeff6f341ef127282201e440ca4f41b3e0f54cbb9f532dee4
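Two things in the Files section are worth surfacing mechanically. The MD5 listed for C:\Windows\install\server.exe is da0a59474c6e5ea11965c20a57651037, which is also the prefix of the sample's own file name, so the dropped server.exe is the sample copying itself into the Windows directory, not a second-stage payload. And C:\Users\Admin\AppData\Local\Temp\Admin7 appears many times with a different hash on every entry, meaning the file was rewritten repeatedly during the run. The Python below is an added triage example, not part of this report: it parses entries in this section's format and reports both facts. The input is a constructed subset of the entries above with only the MD5 and SHA256 lines kept; the assumption that a sample's file name begins with its MD5 is this corpus's naming convention.

```python
import re
from collections import defaultdict

# Added example, not part of the report. Parses the Files section format
# (memory dump names, dropped-file paths, hash lines) and surfaces dropped
# files byte-identical to the submitted sample (self-copies) and paths
# listed more than once with different hashes (rewritten during the run).

SAMPLE_NAME = "da0a59474c6e5ea11965c20a57651037_JaffaCakes118"  # name == MD5 + suffix

# Constructed input: a subset of the entries above, MD5 and SHA256 lines only.
FILES_SECTION = r"""
memory/1460-2-0x0000000010410000-0x0000000010475000-memory.dmp
memory/2588-7-0x0000000000A80000-0x0000000000A81000-memory.dmp

C:\Windows\install\server.exe

MD5 da0a59474c6e5ea11965c20a57651037
SHA256 a9c2ceb933f283ace77d83eb3d8cfd497675dea59e11069ebe89c3f9035c878b

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 e2efeb981f61bcbf7a9b1f13d1fd3b78
SHA256 e0375b92bcbe76fbb55d9a22553dddfbfbd359b24708180891e2e88e8cff5bf3

memory/1740-138-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d44dd2533e8453dccffd167efb002e35
SHA256 5f172e6d6bbd35664da9997762939fefcc4a22f142b3ae698d03ab3ed14b43df

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 20ef875ff0b5999adb961708c224becd
SHA256 1a7c734d2f08eb32864273e0064b365a5f6903b11c2366c6b8d30ebcf20d8040

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 846ba634d163366ae36697c356215c9c
SHA256 c8066c686b3b0f302e39c5cf59756716e0ac72aad8b9c0f80fa2c2773c806d86
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
MEMDUMP_RE = re.compile(r"^memory/(\d+)-")


def parse_files(section):
    """Return (entries, dumps): dropped files with their hashes, and the
    number of memory regions dumped per PID."""
    entries, dumps, current = [], defaultdict(int), None
    for line in section.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            dumps[int(m.group(1))] += 1
            current = None
            continue
        h = HASH_RE.match(line)
        if h:
            if current is not None:
                current["hashes"][h.group(1)] = h.group(2)
            continue
        current = {"path": line, "hashes": {}}
        entries.append(current)
    return entries, dict(dumps)


def sample_md5_from_name(sample_name):
    """Corpus convention (assumed): the sample's file name is its MD5 plus a suffix."""
    return sample_name.split("_", 1)[0].lower()


def triage(section, sample_name):
    entries, dumps = parse_files(section)
    md5 = sample_md5_from_name(sample_name)
    self_copies = sorted({e["path"] for e in entries if e["hashes"].get("MD5") == md5})
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e["hashes"].get("SHA256"))
    # paths written more than once, with the number of distinct contents seen
    rewritten = {p: len(set(h)) for p, h in by_path.items() if len(h) > 1}
    return {"self_copies": self_copies, "rewritten": rewritten, "memory_dumps": dumps}


if __name__ == "__main__":
    print(triage(FILES_SECTION, SAMPLE_NAME))
```

A self-copy means the dropped file needs no separate signature: whatever already matches the sample matches C:\Windows\install\server.exe. A path rewritten with a new hash on every entry is better tracked by path and process than by hash, since no single hash will recur.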