Malware Analysis Report

2025-01-02 14:02

Sample ID 240911-w9n4dawcqp
Target dafbe16877593a77e13dae546e1077f8_JaffaCakes118
SHA256 6ff0377f8c1085594b929d56db4aa7889286cadfa6e47e23cd36f8f71007094d
Tags
cybergate remote discovery persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ff0377f8c1085594b929d56db4aa7889286cadfa6e47e23cd36f8f71007094d

Threat Level: Known bad

The file dafbe16877593a77e13dae546e1077f8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate remote discovery persistence stealer trojan upx

Cybergate family

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

UPX packed file

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 18:37

Signatures

Cybergate family

cybergate

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (signature matched; no indicator details recorded)

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 18:37

Reported

2024-09-11 18:40

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\sysid\\syslog.exe" | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\sysid\\syslog.exe" | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\sysid\syslog.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 rows in the original table, all N/A: the signature matched but no indicator details were recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\sysid\\syslog.exe" | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A
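The two persistence tables above (the Policies\Explorer\Run values and the HKCU Run value; the behavioral1 tables further down use the same row layout) are the part of this report an analyst turns into hunting artefacts. As an added example that is not part of the sandbox report, the following Python parses rows in that layout into structured registry events, maps the kernel-style \REGISTRY\MACHINE and \REGISTRY\USER\<SID> prefixes to the HKLM / HKU form hunting tools use, and pulls out every value written into a logon autorun key together with the command it launches. The sample rows are copied from the tables above; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: registry rows copied from the behavioral2
# signature tables of this report (description, indicator, process, target).
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\sysid\\syslog.exe" C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\sysid\\syslog.exe" C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\sysid\\syslog.exe" C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\sysid\syslog.exe N/A',
]

# One table row: operation, registry path (may contain spaces), an optional
# '= "data"' part for value writes, then the acting process image and target.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Key value queried|Set value \(\w+\))\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>.*?)")?'
    r'\s+(?P<process>[A-Za-z]:\\\S+)'
    r'\s+(?P<target>\S+)$'
)

# Subkeys (below HKLM or a user hive) whose values Windows runs at logon.
AUTORUN_SUBKEYS = {
    r'software\microsoft\windows\currentversion\run',
    r'software\microsoft\windows\currentversion\runonce',
    r'software\microsoft\windows\currentversion\policies\explorer\run',
}


@dataclass
class Autorun:
    root: str        # HKLM or HKU\<SID>
    subkey: str      # key that holds the value
    value_name: str  # e.g. "Policies", "HKCU"
    command: str     # what gets launched
    writer: str      # process that wrote the value


def parse_row(row):
    """Return the row's fields as a dict, or None if it is not a registry row."""
    m = ROW_RE.match(row.strip())
    return m.groupdict() if m else None


def split_root(key):
    """Map \\REGISTRY\\MACHINE\\... to ('HKLM', rest) and \\REGISTRY\\USER\\<SID>\\...
    to ('HKU\\<SID>', rest). A user's HKCU is HKU\\<SID>, so the SID is kept:
    a hunt has to look under every loaded profile, not just the current one."""
    m = re.match(r'^\\REGISTRY\\MACHINE\\(.*)$', key, re.I)
    if m:
        return 'HKLM', m.group(1)
    m = re.match(r'^\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\(.*)$', key, re.I)
    if m:
        return 'HKU\\' + m.group(1), m.group(2)
    return 'UNKNOWN', key


def unescape(data):
    """The report prints string data with doubled backslashes."""
    return data.replace('\\\\', '\\')


def extract_autoruns(rows):
    """Every value write into a logon autorun key, in table order."""
    found = []
    for row in rows:
        ev = parse_row(row)
        if ev is None or not ev['op'].startswith('Set value'):
            continue  # key creation / reads are not persistence by themselves
        root, subkey = split_root(ev['key'])
        parent, _, name = subkey.rpartition('\\')
        if parent.lower() in AUTORUN_SUBKEYS:
            found.append(Autorun(root, parent, name, unescape(ev['data']), ev['process']))
    return found


def registry_iocs(autoruns):
    """Full value paths, the form a registry hunt or a Sigma rule matches on."""
    return [f'{a.root}\\{a.subkey}\\{a.value_name}' for a in autoruns]


if __name__ == '__main__':
    runs = extract_autoruns(SAMPLE_ROWS)
    for path, a in zip(registry_iocs(runs), runs):
        print(f'{path} -> {a.command}  (written by {a.writer})')
```

Run against the rows above this yields three autorun values, all pointing at C:\sysid\syslog.exe: Policies under HKLM\...\Policies\Explorer\Run, the same under the user's hive, and HKCU under the user's ...\CurrentVersion\Run. The Policies\Explorer\Run location is the one worth remembering; it is processed by Explorer at logon but is not where most people look first, so include it in any registry sweep alongside the ordinary Run keys.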

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\sysid\syslog.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\sysid\syslog.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4972 wrote to memory of 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | C:\Windows\Explorer.EXE
(the row above appears 64 times in the original table: 64 WriteProcessMemory calls from the sample, PID 4972, into Explorer.EXE, PID 3512)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe"

C:\sysid\syslog.exe

"C:\sysid\syslog.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2224 -ip 2224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 564

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
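The Network table above mixes three kinds of row: reverse lookups (names ending in in-addr.arpa, sent to 8.8.8.8:53), a single forward lookup of www.server.com, and repeated TCP connections to 52.8.126.80:80. As an added example that is not part of this report, the following Python parses rows in that layout, decodes each PTR name back to the address being resolved, and separates the lookups from the sample's own contacts by name. The rows are copied verbatim from the table above; the function names are this example's own. Reverse lookups in a sandbox run commonly belong to operating-system background traffic rather than to the sample, so confirm the decoded addresses before treating them as indicators.

```python
import re
from collections import Counter

# Constructed sample input: the rows of the Network table above, verbatim
# (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
"""

PTR_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$', re.I)


def ptr_to_ip(name):
    """A reverse-lookup name lists the IPv4 octets in reverse order
    (73.144.22.2.in-addr.arpa is the PTR name for 2.22.144.73).
    Returns the address, or None if the name is not a PTR name."""
    m = PTR_RE.match(name)
    return '.'.join(reversed(m.groups())) if m else None


def parse_network(text):
    """Rows are 'country dest_ip:port domain proto'; anything else is skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ':' not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(':', 1)
        flows.append({'country': country, 'ip': ip, 'port': int(port),
                      'domain': domain, 'proto': proto.lower()})
    return flows


def summarize(flows):
    """Three buckets: reverse (PTR) lookups keyed by the address being
    resolved, forward lookups keyed by name, and everything else as
    (domain, ip, port, proto) connections with a hit count."""
    ptr, fwd, conn = Counter(), Counter(), Counter()
    for f in flows:
        if f['port'] == 53 and f['proto'] == 'udp':
            ip = ptr_to_ip(f['domain'])
            if ip:
                ptr[ip] += 1
            else:
                fwd[f['domain']] += 1
        else:
            conn[(f['domain'], f['ip'], f['port'], f['proto'])] += 1
    return {'ptr_lookups': ptr, 'forward_lookups': fwd, 'connections': conn}


def contacts_by_name(flows):
    """Non-DNS destinations the sample reached by name, with counts:
    the rows to carry into an indicator list, as opposed to the PTR noise."""
    conn = summarize(flows)['connections']
    return sorted((*k, n) for k, n in conn.items())


if __name__ == '__main__':
    flows = parse_network(NETWORK_ROWS)
    s = summarize(flows)
    print('reverse lookups (decoded):', dict(s['ptr_lookups']))
    print('forward lookups:          ', dict(s['forward_lookups']))
    for domain, ip, port, proto, n in contacts_by_name(flows):
        print(f'{domain} -> {ip}:{port}/{proto} x{n}')
```

On the rows above this reduces 22 table lines to one named destination, www.server.com at 52.8.126.80:80 over TCP, contacted 13 times, plus eight reverse lookups of unrelated addresses; that is the shape of the network story to record for this sample.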

Files

memory/4972-3-0x0000000024010000-0x0000000024070000-memory.dmp

memory/4948-7-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/4948-8-0x0000000000970000-0x0000000000971000-memory.dmp

memory/4972-63-0x0000000024070000-0x00000000240D0000-memory.dmp

memory/4948-66-0x00000000038A0000-0x00000000038A1000-memory.dmp

memory/4948-67-0x0000000024070000-0x00000000240D0000-memory.dmp

memory/4948-68-0x0000000024070000-0x00000000240D0000-memory.dmp

C:\sysid\syslog.exe (same MD5, SHA1 and SHA256 as the submitted sample: the dropped file is a byte-for-byte copy of the original, so one file hash covers both)

MD5 dafbe16877593a77e13dae546e1077f8
SHA1 6ef2a4057cb625f723a417b2aef336679bf3cc0c
SHA256 6ff0377f8c1085594b929d56db4aa7889286cadfa6e47e23cd36f8f71007094d
SHA512 348e98471c17bb89c57bb6e03e711558342241ccf933c4f3971e0c7a0a915472dd1c2d0218dc8529c0d6fccff4b34c07625edf3f69b54844ea821936d5f40683

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 356667bed43289e6475d53df0df593d9
SHA1 8609e2e106e7682c66e9bff57d17dcc1f91f2a54
SHA256 b98d1a9717546517b8bcb6fa67617bbc1fa94c14729eaa2a90888314549d9925
SHA512 1f1757c66f666c02d52751e488a63abd3782bd34a64f9860bd88a404e88e046551536186bca62ceb5b3c2c00a8aa163f5a2ee47a5587ee3d7d6d54b8cb5ccf5a

memory/3376-138-0x0000000024130000-0x0000000024190000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/4948-158-0x0000000024070000-0x00000000240D0000-memory.dmp

memory/3376-160-0x0000000024130000-0x0000000024190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 01430555472f086a6633fad6bfc18d98
SHA1 dc7ceef23ec38101a6bf4166ea45e3208d1aec60
SHA256 59c863ac82d6c8cc610f78661b53a701286a8324309c529ad4d41136ded85570
SHA512 b1d9bb9871f4b76bbb2900a2a385029931fb4804b3456b78a3bd9f3db8797fe03f6ed606a87636515bb9de51e914a5634bb11ba93ed2f88c56339e02163d57bc

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3d0443119b3b807d495d3680946762d9
SHA1 72299b8fd47ab1cd9cf4090b2726f154f984a66a
SHA256 de06afcddf7ab4e16ccc10b808b0722823d6fd9c6620bd8808b81ba98e534513
SHA512 69567912d38656f5e6f43c7410bdb83f778e49ae7daf69dca83926eb7683549410f6af6fd91cd66e83312b18da44df5c3697f21a5990dbf67d66a667ddf78b3e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fc85581de813af10bf5720edaa5f8e2e
SHA1 65f7447722c1023b9882c2f0ceeb67bf58d68546
SHA256 7dc0c838a4184fa9bbc6f2f495e257ba23092bb3fde735a8d94746f1c0d2f9ad
SHA512 9540c1747b4a51144d5de1db002231af394aac9e0b7d7f20212f9ed866c5283bd5a82403aaaf2075f8fbca5bdc3746dbd63539f442edb8ac2bc23e865bdf89a4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 16e8406fb91ff5606551ec266be48934
SHA1 408f565124bde61107ce997854d0b2f433b6a7f3
SHA256 416ce214f036e798ee07bc80a0c564692d8a797f5896c3684a57c143df848f1c
SHA512 df32df1449bd34887571d1244b35a110a68fc3dd4e10a00f8deac78688554d93a931f38c998c3d9a19dbadcdf7f64c78f1432e942f5c2a20bb248b06695aa063

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e4b51f422324d9d7547a54d6e4a3f864
SHA1 a284e79232dae843df362c392aa5dd72258dbd71
SHA256 88861bf58cdeeca98ba917c0bb86dba0be8c30e550d36c4bfea7ce0429583f28
SHA512 5fb5d13b5b20f49b5af7d821857c879ed285c53fcb69c14244042990d5c15e243c9f41a82058343a12f4c6e93f60e8747de740a0dbc55026861f6b32996e120b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f2942b53ddf1f5cccc4ee63bb2872b2b
SHA1 567a3b9f0d4c145004196434886762363f74c90a
SHA256 0b217ec568e20dad0d6db1a670fcd1e3907155541ed4bba3c75b73a76a2a9ddf
SHA512 652837a1f2e8f283fc178290f7cfeb4a5fc9d9bad59fb20b436fb880af1dac20b9ce01b1dd9dce93c1fd3c511cb610ea19b6770013f1b73fd6127c8bf9661b40

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 14e56ddef9ecdabc6b65e5eced8cfc99
SHA1 3de1a663f5112c79c37d0b200cee1f23a54508f2
SHA256 87397e10c7df23effaa676a4f73ddb2c28423b41a4c1fd08bac7570e7bd30160
SHA512 8551f8988d923ed1c92300d06c6e25153ef0d78efa81450dbce66019918efdfde879dd27431d0e24cbbbeed95cfe284d73944b27c36025f6206877b00ca5e5ca

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 bd4c64f430c1f9701c0dc509374b0cca
SHA1 523cd88ff901f2582b8e494661f3bbc2c36b30c5
SHA256 336d0f589a167ff708fd4dc94c02d4225b56969aee6c415b9b5bc0052cc77ba6
SHA512 4df4ad2c71ab92cedabcc576a1ea24aef7e4190a88bdaf324daa7a8c49b612f2feb2b133a3fa8d52ace511bbe18458d21c1065c6a5430e9b4791c6f3da15cd43

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fabbec83356985457d5ca9393f403b01
SHA1 29ac9ec0da3ee381777921740b7cae04f0ec6b44
SHA256 181fa431f20143bcf4965bc41b18834a278e6b1ec60c279c5d8e7ab0974dba99
SHA512 7dd87ea2a119b2d973624c06f08f0f95ed4baf06ae11e19b44d4f2bdf46fda38c43b6d7ae28fb93fbe5100952516f01ddd9ff36b2a21adbbdda4ca59e42646ed

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6d0c959326051faa10a09f4b988d8d91
SHA1 d6df01fdb17f923c128138919b87633855260f28
SHA256 d7c3c91730580b9d643eef255103899ecd8861c19e367bdde42d99a21e2f76dc
SHA512 065ed2f66dca4e81501afafcdf10d10034a7bf6984e0f97be9c5d7207cf914c482e794c47bf006e911adac97ae2b5b2296527ecdf5d7ed2ff7de26572443aecd

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7102d0a5ae07a3acea7c107a469d6eb1
SHA1 cb25d55a020254c3f32ee40d47b61d4125fdd7a0
SHA256 20bd1dee32b8cee81eb64800e75558fd10e0ff837c01324da6944ecc96dcef6a
SHA512 81a0c4ce0390088586bbb380735d7ad4c0cccaceec3554f394c1b52cbe101bd763bb319cf1503fba92ce69176d507c19fd44c7a1d348bf564a43373007ed73e8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 281ca167a8319c7815fbdd44be7af9fa
SHA1 5f92b69c964b56fac7f192b4778eab68c27f95d2
SHA256 eb7925b8fd3a21c751e12b99596d98e5a9f7e7ab96a9cd32f8b767cdca835f40
SHA512 caebb8bf0503a7b3befea473237afc9e77ff57c0d8b39925db5f682dcaf5b5f44b2fd8b492f26f114768ca1c7b795e0764e9ed288b5047c248e6d7e5e4fdd39a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 76d691bb35dd8064c1cc582d806415f9
SHA1 4505fc0e3b884c4fde6740737a77ec7eb108ae5f
SHA256 b1710c37cf6b4022aa4e68ee8e89fa5f1c849b7e3168d157c7c56c4ef3becbb2
SHA512 9989dc235ca840195013e6f5300679d945ab2df3a3f8ea908ab9711059c037e9d23c5ef4899b08c77b911c7dc21e777ca072008adbf4aa5fef54e9d860303f26

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9e76990e8505e42d8ff882fbf5745063
SHA1 9b0cc3691ba6452e5e7fdea3cab054e1910e6e59
SHA256 34368047dc0f762f550951669d6171727ddcc3e43bfdf3e14bd8e37c726d12b4
SHA512 584a09e8a1f9fa0f127b206d837da14b842ea61e01e26188ead334b44e820e8d485565df08ee7f7006071279365d99ab7d2b9247f7e5c850cb4bac8b5915395d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 bd9b563068337c76d362a085d1d5a610
SHA1 6ca7d35004c6ca1be45588e22a057382f0852901
SHA256 f039103da2f154a1750b9ac7a367e92ff53712424331ee5bf36b090e81053ca3
SHA512 74ce8d9f40fa65c3f8ba4b0624fc81eef9b420290e4972cf8904fcb50af7c590cdc90d70d9f72596fd31c0d7c8b9b04e855aa00f3fd27f2c04141c6131452de4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2947c53c31b1c34ed12434e7212bf2f3
SHA1 cf88882cee09a3b561e0b319d32384071062b122
SHA256 a77c7e02ce89169fff977e4d81603174ea477ea0b6e5d160137882dc6fb3a26c
SHA512 8a16c72b6766ba330304c1f6cfe9ea35b138db00f7eb7a9ed12b56b10ce003b3320328e07a8b225529dee443fb01faef7651f1250ca92c4d4417c8e122348e52

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2241255a702c7aa8519bde0c0a1f36e4
SHA1 469fc1b083dfcf92a91f5ab31df9b173656d56b3
SHA256 29f992412213f73d7411b47c3c2f00e6164d1219748bf455620e846380bfef47
SHA512 668bd338fac119a7aa80c903909d5a601459fd63455b3fa25b63e57ab2b6a302f7e318b3af83f810c242a7509c356e8d19d696afc760bfc65a14497df4abf5b8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f0c6f3031eab0c6301bceca64355402c
SHA1 81762019181a86fed6c041c00a92e94097ba9e43
SHA256 2246ef38cb6d0c3819fdacdd2f8769bf7ae0c8db60d43084e8009e2680ff8b3a
SHA512 939b389848eba09d7c3a3661aa51851488dfff99c9626e0562810eda5e7ddfdee43f26c61526ac19bc90681ea9ad857d895432be81d36fef4c0a8ff9d4891045

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 50a9ff825a770e0b339008d7b13f85aa
SHA1 661e370a8e8ad8ed463f846e7fb8db43f8003cc8
SHA256 f0804744bc2a03a0c48bccab37a55892572440da1f4b3b854fac618db7b4e70e
SHA512 a3c0330d5347da75b31d144262ddf6d5ee8fc1a3d5606b104f91a8db62302f9215efd28a247a54aa472a4d5861f6600821556c9a86b82350b22cbd8913c35c4b

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 18:37

Reported

2024-09-11 18:40

Platform

win7-20240903-en

Max time kernel

147s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\sysid\\syslog.exe" | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\sysid\\syslog.exe" | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\sysid\syslog.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 rows in the original table, all N/A: the signature matched but no indicator details were recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\sysid\\syslog.exe" | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe"

C:\sysid\syslog.exe

"C:\sysid\syslog.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

memory/1160-3-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/2756-2-0x0000000024010000-0x0000000024070000-memory.dmp

memory/688-246-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/688-248-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/688-531-0x0000000024070000-0x00000000240D0000-memory.dmp

C:\sysid\syslog.exe

MD5 dafbe16877593a77e13dae546e1077f8
SHA1 6ef2a4057cb625f723a417b2aef336679bf3cc0c
SHA256 6ff0377f8c1085594b929d56db4aa7889286cadfa6e47e23cd36f8f71007094d
SHA512 348e98471c17bb89c57bb6e03e711558342241ccf933c4f3971e0c7a0a915472dd1c2d0218dc8529c0d6fccff4b34c07625edf3f69b54844ea821936d5f40683

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 356667bed43289e6475d53df0df593d9
SHA1 8609e2e106e7682c66e9bff57d17dcc1f91f2a54
SHA256 b98d1a9717546517b8bcb6fa67617bbc1fa94c14729eaa2a90888314549d9925
SHA512 1f1757c66f666c02d52751e488a63abd3782bd34a64f9860bd88a404e88e046551536186bca62ceb5b3c2c00a8aa163f5a2ee47a5587ee3d7d6d54b8cb5ccf5a

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/688-884-0x0000000024070000-0x00000000240D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d5b71b97173a3959a775c37ea83c2899
SHA1 c8f9808eb4a65db81d118496cb766c5bfac7b337
SHA256 cd3cefa9dd2114ef52920932b9edb4e2a38ffd5b6bdce52fba56b4eabd6191ef
SHA512 801744c68305e1a6ce35aa8f879c6a7f1d5d1d3160b28f9623f3420f83dc48466e828d7ef6e9040c532b3dc647c39f16cd636ff841e3e153c8c340fe12819163
