cybergate | 9ab58ba189997223a9eebf59bb5dbc6bc24f10b5f7c9baa7c5772462fc182d23

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
Size

420KB
MD5

15067abeb8555ea7acb5153709700345
SHA1

050c6d101fdcc80d482a85c15a0614b43648c075
SHA256

9ab58ba189997223a9eebf59bb5dbc6bc24f10b5f7c9baa7c5772462fc182d23
SHA512

48cea5e986d7fc465d4737570218bda1fb34a9deeac54c05a6a45bdde6f14bd39cf5b46d297407d09d69dc76a13d9c8a41a51b2c83fbf47d12132cb23b9043b8
SSDEEP

6144:FeV5EEC5UGuSXPknmyNWtubss6ECdFUDMRuBQv+:FNECXcuZsi/UAC

Score

10^/10

cybergate server discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

127.0.0.1:81

bifrost-jojo.no-ip.org:81

Mutex

***hack***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
spynet
install_file
iexplorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
{15GA20UD-5A68-8Q84-6HOK-Y88HFQCR272C}
regkey_hklm
{15GA20UD-5A68-8Q84-6HOK-Y88HFQCR272C}

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\iexplorer.exe"	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\iexplorer.exe"	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15GA20UD-5A68-8Q84-6HOK-Y88HFQCR272C}\StubPath = "C:\\Windows\\system32\\spynet\\iexplorer.exe Restart"	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{15GA20UD-5A68-8Q84-6HOK-Y88HFQCR272C}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15GA20UD-5A68-8Q84-6HOK-Y88HFQCR272C}\StubPath = "C:\\Windows\\system32\\spynet\\iexplorer.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{15GA20UD-5A68-8Q84-6HOK-Y88HFQCR272C}	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

iexplorer.exeiexplorer.exeiexplorer.exe

pid process

2876 iexplorer.exe
3740 iexplorer.exe
4016 iexplorer.exe

pid	process
2876	iexplorer.exe
3740	iexplorer.exe
4016	iexplorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{15GA20UD-5A68-8Q84-6HOK-Y88HFQCR272C} = "C:\\Windows\\system32\\spynet\\iexplorer.exe"	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{15GA20UD-5A68-8Q84-6HOK-Y88HFQCR272C} = "C:\\Windows\\system32\\spynet\\iexplorer.exe"	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe15067abeb8555ea7acb5153709700345_JaffaCakes118.exeiexplorer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\spynet\iexplorer.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\iexplorer.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\iexplorer.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\iexplorer.exe	iexplorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe15067abeb8555ea7acb5153709700345_JaffaCakes118.exeiexplorer.exeiexplorer.exe

description	pid	process	target process
PID 2572 set thread context of 1248	2572	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 1248 set thread context of 2604	1248	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 2876 set thread context of 3740	2876	iexplorer.exe	iexplorer.exe
PID 3740 set thread context of 4016	3740	iexplorer.exe	iexplorer.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1248-3-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1248-5-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1248-7-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1248-14-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2604-13-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2604-16-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2604-17-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2604-18-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2604-21-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/2604-25-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2604-41-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4352-88-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2604-159-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1536-160-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/3740-194-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4016-197-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4352-198-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1536-200-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4312 4016 WerFault.exe iexplorer.exe

pid	pid_target	process	target process
4312	4016	WerFault.exe	iexplorer.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exeexplorer.exe15067abeb8555ea7acb5153709700345_JaffaCakes118.exeiexplorer.exeiexplorer.exe15067abeb8555ea7acb5153709700345_JaffaCakes118.exe15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

Modifies registry class 1 IoCs

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

pid process

2604 15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
2604 15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

pid process

1536 15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

pid	process
2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

pid	process
1536	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1536	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
Token: SeDebugPrivilege	1536	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

pid process

2604 15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

pid	process
2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe15067abeb8555ea7acb5153709700345_JaffaCakes118.exeiexplorer.exeiexplorer.exe

pid	process
2572	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
1248	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
2876	iexplorer.exe
3740	iexplorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

15067abeb8555ea7acb5153709700345_JaffaCakes118.exe15067abeb8555ea7acb5153709700345_JaffaCakes118.exe15067abeb8555ea7acb5153709700345_JaffaCakes118.exe

description	pid	process	target process
PID 2572 wrote to memory of 1248	2572	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 2572 wrote to memory of 1248	2572	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 2572 wrote to memory of 1248	2572	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 2572 wrote to memory of 1248	2572	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 2572 wrote to memory of 1248	2572	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 2572 wrote to memory of 1248	2572	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 2572 wrote to memory of 1248	2572	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 2572 wrote to memory of 1248	2572	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 1248 wrote to memory of 2604	1248	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 1248 wrote to memory of 2604	1248	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 1248 wrote to memory of 2604	1248	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 1248 wrote to memory of 2604	1248	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 1248 wrote to memory of 2604	1248	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 1248 wrote to memory of 2604	1248	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 1248 wrote to memory of 2604	1248	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 1248 wrote to memory of 2604	1248	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE
PID 2604 wrote to memory of 3524	2604	15067abeb8555ea7acb5153709700345_JaffaCakes118.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\15067abeb8555ea7acb5153709700345_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4352
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:388
    - - C:\Users\Admin\AppData\Local\Temp\15067abeb8555ea7acb5153709700345_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\15067abeb8555ea7acb5153709700345_JaffaCakes118.exe"
        5⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
      - C:\Windows\SysWOW64\spynet\iexplorer.exe
        
        "C:\Windows\system32\spynet\iexplorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\spynet\iexplorer.exe
        
        C:\Windows\SysWOW64\spynet\iexplorer.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3740
        
        C:\Windows\SysWOW64\spynet\iexplorer.exe
        
        8⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 532
        9⤵
        Program crash
        
        PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4016 -ip 4016
1⤵
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
230KB

MD5
27064e44ab5aa59c14d198d46fa5a1bd

SHA1
018aacbaf7d6a849240bb177662561d787c7c1a5

SHA256
3fe2e874da7b36a755e6f9a942318c055b87a10593b574ad0b4bf295166216c8

SHA512
501188cd5278687f7c74f06a417b63e8059b0bdad5888fdfe3a1c797bc354923f5e564bb1864f431437bf2ae5a7387b69fd6dd05081c4faca18cf42e076763d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b48a392705361e7ce597710ae9a6ac0b

SHA1
fe2eb1364f4c53ecdfab8014b37c7a5d23d8b2a1

SHA256
1687afc0e68745f5be706eafe2974e85b8a8fbb59a45f3c18ca428bf98b0d43b

SHA512
38918307c5647814126f094ff18be5fb6b09eccca8bae1796dffe719e015504cf00dfa9ac7d22535d8a74f16637b0df95b261eb9897a766d7a6c3dc1acdef4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d8e4cbfc09beb58d243002704be84a88

SHA1
73257fcaf5cfada84c6d83cf9945131e5bdf9556

SHA256
ed61a6bb9aee99f46ea0c58302dfba8b088a7079be211a13229ca48420d5f727

SHA512
96c58c2529c2d71e4e928c6c49d7ffa0189c26360a5d73f4fb63c12e0eea8e1a021e2a93000047aa5c4e39e94580ee0b7f7a18e4101ad89ad697a1127259f7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e605030b7ca419a8907b7d17aa72c755

SHA1
90159424a9755e790b415834a7ab1486ad42d83e

SHA256
d6a32075b423192a1a56096fb79c2071fbec7582de5403ac751adc262a70ed07

SHA512
5da77bf4c59bea735e04d1d1fb9ae856beac126ee51daf143901aded8e668727a722c4ba7be2e5c5fbc87191c70067b7ed5ded1eb3bd21a7e9d6575f73eb71cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9209f3e48a23091e3790921b2162d945

SHA1
cefe7a30456d512be520bb92035cbbc38b85acc3

SHA256
d91f9b78de69e83b2f90e2f5e22181831300f8e0259b1271453f48d20fa81389

SHA512
37cb21d348f25123e60446ac7f034ac05853085fc260b77c33ebed03d146f202210dd02f58ba3563278749c04be4fd4df8030c385c353f2a70262ccc591b4fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4238c707a8349f9a0c2df2ba8e01945c

SHA1
ea1ade6c83083df4cd470a716771dd3e4d4892b7

SHA256
2e8da0b61450e0ea7f4aac70755a37ab71971a7b54dae5605190322e5c285c2d

SHA512
da615e9a7d18ea9901e395f7851a2e617679df6ae221ea4b530de172e8e3845650d445bcf76c8899cb3291b82afdc1476a3296f410a5435b7af2b587a9f2bba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ec38f31311e8249b1e672ba50b7980ba

SHA1
971a7b28dd87868a094a828992b7e2014bca7771

SHA256
c703c75072c93b7aff9d79f4c74fdb28923cb7da6cf9babc3115e2f23f38b64f

SHA512
100067993d88d726e9ce122e97651c2448cc90e6952dd232d0b7b0ac51f66a96644b801140af78f8c975f3bdaf9f3596c0f6a15f6ace0f193bcb4ea1a52ea799

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dcda502c15a3daa70e36f647c89ac0c9

SHA1
c4118b125afea5948c0ed01edb087b401560bf9c

SHA256
4135f8d0f2327b897e842fd113319760de7c8b283064665c409fcc729a095eb3

SHA512
4c562c5c26345710da85f909e778df56b8ba171fb12cd0f72c1e12ffeb4e001902e1ce8664fd959add6d7d73448fb92aa1982165cb84928cee487674ba044cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
254ca78f6b9bec419a9c5b8d241f3c37

SHA1
7a4de1b918d1271e57254481ae5b5c9bfbe278f8

SHA256
36a5b2019dc2e4e1e9d7a089e3527f4bb81098c3ea3436bed758df0ea02c7ccf

SHA512
7acb6789fe5039f845c8960dd2c4c2be0d17b3092b3ac95a1eb546f06e121ce6be25b535db2bbfaa4751212455773c1d149576393d729fc1d267a41de33ac62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8f134ab98f8a134f5fc7e87ca26f3d77

SHA1
f55343ebf0e34edf6843b67f9ce0f704692061e0

SHA256
4ea45538665c87eaaf63999315262036e1e549e54ae690f7fcd25fd1cd1d9265

SHA512
24820621da4f560a96b923f5fc54f969e864c2c2940655696c83a043377a4ca2ee3c9832733211c1904c77261563fb5da74b6ece8601355edf9b8eacc94a8079

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
352b28e21354ef0920bcd43540afb752

SHA1
ab24cb9917efa54e21d8c21df7e56ecc29c31ef5

SHA256
080ddb8a19c92342fe0de8cce8e29ea9a709044ffde5ec3c8a9aa9faf3bd3c6d

SHA512
c4b938075825b6b155e6b9728e91888ed92e59a87f76b8aa6ad2e97011251177186d4bfbf7a07abd742e4c0b12ba07fcf32cc1939d3c61563886f64390b36ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7ee11258fefab4f56cb9a1c1561fff2a

SHA1
0d77ac90a4c458c9137c7346e0b58425b96a42b3

SHA256
4c0d8f216b2fb4d377ec0f621f166f7af3714bdeb2d3bffcdefbe98e3a799b37

SHA512
da3f964a075c9adb2af22e5694a16fc94c93a5e8cf40e6639ff962bebfb3e7c792dd96ee816ccfd0fe1c219ae354a8876488d4534edc7e95f573b0c8b5671101

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0a28bdb3fb6ca6e96d5051ccb4fe5b27

SHA1
4f53e6f4eb29acac8f61dfadf208a94e4dcdbde6

SHA256
7618e4ed76794768882640f679be680fc0325f6d18003100bb7e77f572f06b3a

SHA512
2c07d2edaa994a30d6dd83c89c97275bc22cfd6e6099f7a4d496680710612b600fe43634468a328e3f332dd30e77c5c8523e5ec7e8d613c3b0d3a835e01f23e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
02263a44cc4b0e1f630049c653d0449c

SHA1
1d13463a2ccc56ce12dc1a898a5480bf9a1cb8b3

SHA256
aa717865d93ac8bef9c6cb7368ae70fc7f5cb5fd8f7a95ab83c9ea6c3a6e7534

SHA512
856d5a998b013aea7064ba428dcf10180224e47e2fc99652fdbda0041c883ef5adb501237649fe0ff407f0b87cbaf32a4f88bc33e516679b3e22e75459ad7183

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f71ed9ac256ac1f219f4404fc5f36928

SHA1
3c81d072b1a6ee9f87c896dba58667e0d69d404f

SHA256
2a7225e0b424022765101706ba121d96d74796681e995214d751ac03a379a9ad

SHA512
e78cc18ce227d513c02edebce5ab42e6df2bd79b6d8266aac8f8da00abb17764340bde48a4b7823a04252e0bfd57705ea7cb1746c72480c197251e3d18eb581f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
07dc8a6d746572225f35e91d69dd20d7

SHA1
abcfce509d87e6e168af759a3762f48d6b06f053

SHA256
899cc081276f976fc70f4d0e1bc8ec1df7f67c8534353f1aea5a0ee42c12b1ed

SHA512
d183bbc259073140659cb28ca1fea3e85f3bc24c6597d8e2cf83e7dd9dfea6b486cfe4e06739bb91a94ca22b4f73cddc2e46ad3570a540505b2f3ed73305bfd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7e910b43c2a7a55ce137c1e1c0b5a585

SHA1
019d6b0cfed850d37f9cd841da3691e3c7d482db

SHA256
0e51096b6937c8f6ca1d493bc1abad38fbc131428d0f54001b32fe48edac9b41

SHA512
bbee41e861b90a2cbb230d0bc2033cadfef84de42ad30c95ac02ca7228a5991bf47495de18ba09a237743d537dd464501804f82666bf0d83c54249e1d7feef24

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8f1cb71ba300504b893fd5a53641f06e

SHA1
1bee74440a51e0b1cc85f5dfdb91b32690cd4adc

SHA256
b442ac2d8ab71cfe07058f6ca03ee717b9fc4f69b606af5b1883a9f12d4bdc3a

SHA512
9eb45896e6ce68fe8e08fe0f7f9dbcd7ae39e0a24796620b2bff59827880871ffccc3a7da836e58d37ae17cf549c95cdf59d19de93d82eec84c0f518edd8a3e5

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\spynet\iexplorer.exe

Filesize
420KB

MD5
15067abeb8555ea7acb5153709700345

SHA1
050c6d101fdcc80d482a85c15a0614b43648c075

SHA256
9ab58ba189997223a9eebf59bb5dbc6bc24f10b5f7c9baa7c5772462fc182d23

SHA512
48cea5e986d7fc465d4737570218bda1fb34a9deeac54c05a6a45bdde6f14bd39cf5b46d297407d09d69dc76a13d9c8a41a51b2c83fbf47d12132cb23b9043b8

Download Submit
memory/1248-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1248-14-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1248-3-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1248-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1536-160-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1536-199-0x0000000000400000-0x0000000000425001-memory.dmp

Filesize
148KB

Download
memory/1536-200-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2572-10-0x0000000000400000-0x0000000000425001-memory.dmp

Filesize
148KB

Download
memory/2572-0-0x0000000000400000-0x0000000000425001-memory.dmp

Filesize
148KB

Download
memory/2604-18-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2604-159-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2604-41-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2604-25-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2604-21-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2604-17-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2604-16-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2604-13-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2876-186-0x0000000000400000-0x0000000000425001-memory.dmp

Filesize
148KB

Download
memory/3740-194-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4016-197-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4352-198-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4352-88-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4352-26-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4352-27-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download