Malware Analysis Report

2025-01-02 14:02

Sample ID 240914-k3gvyawhph
Target dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118
SHA256 5b7c9908c54e8a19e8195eda40abe283682558ef5dff957d9d528dcd31552373
Tags
upx cybergate remote bootkit discovery persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b7c9908c54e8a19e8195eda40abe283682558ef5dff957d9d528dcd31552373

Threat Level: Known bad

The file dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx cybergate remote bootkit discovery persistence stealer trojan

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

UPX packed file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-14 09:07

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-14 09:07

Reported

2024-09-14 09:09

Platform

win7-20240903-en

Max time kernel

147s

Max time network

146s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\system.exe" C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\system.exe" C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4U06G07B-HPNU-84I3-RMFF-102456OTOQ66} C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4U06G07B-HPNU-84I3-RMFF-102456OTOQ66}\StubPath = "C:\\Windows\\install\\system.exe Restart" C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4U06G07B-HPNU-84I3-RMFF-102456OTOQ66} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4U06G07B-HPNU-84I3-RMFF-102456OTOQ66}\StubPath = "C:\\Windows\\install\\system.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install\system.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\system.exe" C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\system.exe" C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\install\system.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\install\system.exe C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\system.exe C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\system.exe C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\ C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\system.exe C:\Windows\install\system.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\install\system.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
N/A N/A C:\Windows\install\system.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
PID 2580 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
PID 1500 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
PID 2748 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\install\system.exe

"C:\Windows\install\system.exe"

C:\Windows\install\system.exe

"C:\Windows\install\system.exe"

C:\Windows\install\system.exe

"C:\Windows\install\system.exe"

C:\Windows\install\system.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

C:\Windows\install\system.exe

MD5 dfe17b2e82792547a0e726fdd4ea3c8f
SHA1 1252a93e81858d900f2b29f050f9b525d0ab64ba
SHA256 5b7c9908c54e8a19e8195eda40abe283682558ef5dff957d9d528dcd31552373
SHA512 ecee42f2c1b23aa9b6b6a805a436f1697958d242030765fe591184a38c64cc09fe7cdde216f9e2ff07d014e02d9de09d2f2e43aa28f0d221c7b38ac1a4ae2fa8

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

C:\Users\Admin\AppData\Roaming\cglogs.dat

C:\Users\Admin\AppData\Local\Temp\26062007(024).jpg

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-14 09:07

Reported

2024-09-14 09:09

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\system.exe" C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\system.exe" C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4U06G07B-HPNU-84I3-RMFF-102456OTOQ66} C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4U06G07B-HPNU-84I3-RMFF-102456OTOQ66}\StubPath = "C:\\Windows\\install\\system.exe Restart" C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4U06G07B-HPNU-84I3-RMFF-102456OTOQ66} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4U06G07B-HPNU-84I3-RMFF-102456OTOQ66}\StubPath = "C:\\Windows\\install\\system.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install\system.exe N/A (×4)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×9)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\system.exe" C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\system.exe" C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\install\system.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\install\system.exe C:\Windows\install\system.exe N/A
File created C:\Windows\install\system.exe C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\system.exe C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A (×2)
File opened for modification C:\Windows\install\ C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A (×3)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\install\system.exe N/A (×3)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A (×2)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A (×2)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1000 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe (×8)
PID 820 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe (×8)
PID 744 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe (×13)
PID 1120 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe C:\Windows\Explorer.EXE (×35)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe"

C:\Windows\install\system.exe

"C:\Windows\install\system.exe"

C:\Windows\install\system.exe

"C:\Windows\install\system.exe"

C:\Windows\install\system.exe

"C:\Windows\install\system.exe"

C:\Windows\install\system.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp (×6)
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp (×5)

Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

C:\Windows\install\system.exe

C:\Users\Admin\AppData\Roaming\cglogs.dat

C:\Users\Admin\AppData\Local\Temp\XxX.xXx