Analysis Overview
SHA256
6ff0377f8c1085594b929d56db4aa7889286cadfa6e47e23cd36f8f71007094d
Threat Level: Known bad
The file dafbe16877593a77e13dae546e1077f8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cybergate family
CyberGate, Rebhip
Adds policy Run key to start application
Executes dropped EXE
Checks computer location settings
UPX packed file
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Analysis: static1
Detonation Overview
Reported
2024-09-11 18:37
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-09-11 18:37 |
| Reported | 2024-09-11 18:40 |
| Platform | win10v2004-20240802-en |
| Max time kernel | 148s |
| Max time network | 151s |
| Command Line | |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\sysid\\syslog.exe" | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\sysid\\syslog.exe" | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\sysid\syslog.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\sysid\\syslog.exe" | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\sysid\syslog.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\sysid\syslog.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe" |
| C:\sysid\syslog.exe | "C:\sysid\syslog.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2224 -ip 2224 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 564 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
C:\sysid\syslog.exe
| MD5 | dafbe16877593a77e13dae546e1077f8 |
| SHA1 | 6ef2a4057cb625f723a417b2aef336679bf3cc0c |
| SHA256 | 6ff0377f8c1085594b929d56db4aa7889286cadfa6e47e23cd36f8f71007094d |
| SHA512 | 348e98471c17bb89c57bb6e03e711558342241ccf933c4f3971e0c7a0a915472dd1c2d0218dc8529c0d6fccff4b34c07625edf3f69b54844ea821936d5f40683 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 356667bed43289e6475d53df0df593d9 |
| SHA1 | 8609e2e106e7682c66e9bff57d17dcc1f91f2a54 |
| SHA256 | b98d1a9717546517b8bcb6fa67617bbc1fa94c14729eaa2a90888314549d9925 |
| SHA512 | 1f1757c66f666c02d52751e488a63abd3782bd34a64f9860bd88a404e88e046551536186bca62ceb5b3c2c00a8aa163f5a2ee47a5587ee3d7d6d54b8cb5ccf5a |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2024-09-11 18:37 |
| Reported | 2024-09-11 18:40 |
| Platform | win7-20240903-en |
| Max time kernel | 147s |
| Max time network | 149s |
| Command Line | |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\sysid\\syslog.exe" | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\sysid\\syslog.exe" | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\sysid\syslog.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\sysid\\syslog.exe" | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe" |
| C:\sysid\syslog.exe | "C:\sysid\syslog.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
C:\sysid\syslog.exe
| MD5 | dafbe16877593a77e13dae546e1077f8 |
| SHA1 | 6ef2a4057cb625f723a417b2aef336679bf3cc0c |
| SHA256 | 6ff0377f8c1085594b929d56db4aa7889286cadfa6e47e23cd36f8f71007094d |
| SHA512 | 348e98471c17bb89c57bb6e03e711558342241ccf933c4f3971e0c7a0a915472dd1c2d0218dc8529c0d6fccff4b34c07625edf3f69b54844ea821936d5f40683 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 356667bed43289e6475d53df0df593d9 |
| SHA1 | 8609e2e106e7682c66e9bff57d17dcc1f91f2a54 |
| SHA256 | b98d1a9717546517b8bcb6fa67617bbc1fa94c14729eaa2a90888314549d9925 |
| SHA512 | 1f1757c66f666c02d52751e488a63abd3782bd34a64f9860bd88a404e88e046551536186bca62ceb5b3c2c00a8aa163f5a2ee47a5587ee3d7d6d54b8cb5ccf5a |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx