cybergate | 5aeca94bc26733d48b4d8373bb8148f622b7fb7d3983ab7cab84288aeca0d41b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
Size

366KB
MD5

3da2de776282613661f16dd31862eb4b
SHA1

74e14e81159a88f40997326d338bf6f0c3410176
SHA256

5aeca94bc26733d48b4d8373bb8148f622b7fb7d3983ab7cab84288aeca0d41b
SHA512

737b895fe91fe9ecd2a3c66eadb4e824f2118c8a50cb0b3ef5abeffb9fe802abc80ff6ea49dad731c9f2dca71184832cfbab10b32b6df1a2c02c47c894e145b2
SSDEEP

6144:hqHPCyJr9mZD3kpbVJ3k/SceUsgToMIqUsJfKVjhcl5V7:+v1ED3kpbMbeOFUI0W9

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

cronprorat.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Files
install_file
start.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Erro Inesperado !
message_box_title
Erro
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe3da2de776282613661f16dd31862eb4b_JaffaCakes118.exestart.exestart.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\win32 = "C:\\Windows\\system32\\Files\\start.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\win32 = "C:\\Windows\\system32\\Files\\start.exe"	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	start.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	start.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\win32 = "C:\\Users\\Admin\\AppData\\Roaming\\Files\\start.exe"	start.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\win32 = "C:\\Windows\\system32\\Files\\start.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\win32 = "C:\\Users\\Admin\\AppData\\Roaming\\Files\\start.exe"	start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\win32 = "C:\\Users\\Admin\\AppData\\Roaming\\Files\\start.exe"	start.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\win32 = "C:\\Windows\\system32\\Files\\start.exe"	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\win32 = "C:\\Users\\Admin\\AppData\\Roaming\\Files\\start.exe"	start.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	start.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

start.exestart.exe3da2de776282613661f16dd31862eb4b_JaffaCakes118.exeexplorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4766UC57-C8O7-628U-APE8-XETG6MDG02YP}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Files\\start.exe Restart"	start.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4766UC57-C8O7-628U-APE8-XETG6MDG02YP}	start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4766UC57-C8O7-628U-APE8-XETG6MDG02YP}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Files\\start.exe Restart"	start.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4766UC57-C8O7-628U-APE8-XETG6MDG02YP}	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4766UC57-C8O7-628U-APE8-XETG6MDG02YP}\StubPath = "C:\\Windows\\system32\\Files\\start.exe Restart"	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4766UC57-C8O7-628U-APE8-XETG6MDG02YP}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4766UC57-C8O7-628U-APE8-XETG6MDG02YP}\StubPath = "C:\\Windows\\system32\\Files\\start.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4766UC57-C8O7-628U-APE8-XETG6MDG02YP}	start.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

start.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	start.exe

Executes dropped EXE 7 IoCs

Processes:

start.exestart.exestart.exestart.exestart.exestart.exestart.exe

pid	Process
752	start.exe
4360	start.exe
60	start.exe
4944	start.exe
4300	start.exe
856	start.exe
428	start.exe

Loads dropped DLL 1 IoCs

Processes:

start.exe

pid	Process
2004	start.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exestart.exe3da2de776282613661f16dd31862eb4b_JaffaCakes118.exestart.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Files\\start.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Files\\start.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Files\\start.exe"	start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Files\\start.exe"	start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Files\\start.exe"	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Files\\start.exe"	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Files\\start.exe"	start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Files\\start.exe"	start.exe

Drops file in System32 directory 8 IoCs

Processes:

start.exe3da2de776282613661f16dd31862eb4b_JaffaCakes118.exestart.exestart.exestart.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Files\start.exe	start.exe
File created	C:\Windows\SysWOW64\Files\start.exe	start.exe
File created	C:\Windows\SysWOW64\Files\start.exe	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Files\start.exe	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Files\start.exe	start.exe
File opened for modification	C:\Windows\SysWOW64\Files\start.exe	start.exe
File created	C:\Windows\SysWOW64\Files\start.exe	start.exe
File opened for modification	C:\Windows\SysWOW64\Files\start.exe	start.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

3da2de776282613661f16dd31862eb4b_JaffaCakes118.exestart.exestart.exestart.exe

description	pid	Process	procid_target
PID 1120 set thread context of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 752 set thread context of 4360	752	start.exe	94
PID 4944 set thread context of 4300	4944	start.exe	100
PID 856 set thread context of 428	856	start.exe	104

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3272-10-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3272-11-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3272-72-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3212	3056	WerFault.exe	89
3528	60	WerFault.exe	96
388	428	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

start.exestart.exestart.exe3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe3da2de776282613661f16dd31862eb4b_JaffaCakes118.exestart.exestart.exestart.exe3da2de776282613661f16dd31862eb4b_JaffaCakes118.exeexplorer.exestart.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe

Modifies registry class 1 IoCs

Processes:

start.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	start.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

3da2de776282613661f16dd31862eb4b_JaffaCakes118.exestart.exestart.exe

pid	Process
3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
4360	start.exe
4360	start.exe
4300	start.exe
4300	start.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

start.exe

pid	Process
2004	start.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

start.exe

description	pid	Process
Token: SeDebugPrivilege	2004	start.exe
Token: SeDebugPrivilege	2004	start.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe

pid	Process
3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe3da2de776282613661f16dd31862eb4b_JaffaCakes118.exestart.exestart.exestart.exestart.exestart.exe

pid	Process
1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
3056	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
752	start.exe
752	start.exe
60	start.exe
4944	start.exe
4944	start.exe
2004	start.exe
856	start.exe
856	start.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 1120 wrote to memory of 3272	1120	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	85
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56
PID 3272 wrote to memory of 3420	3272	3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2640
    - - C:\Windows\SysWOW64\Files\start.exe
        
        "C:\Windows\system32\Files\start.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:752
      - C:\Windows\SysWOW64\Files\start.exe
        
        6⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\Files\start.exe
        
        "C:\Windows\SysWOW64\Files\start.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:60
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 740
        8⤵
        Program crash
        
        PID:3528
    - - C:\Windows\SysWOW64\Files\start.exe
        
        "C:\Windows\system32\Files\start.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4944
      - C:\Windows\SysWOW64\Files\start.exe
        
        6⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Files\start.exe
        
        "C:\Windows\SysWOW64\Files\start.exe"
        7⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Files\start.exe
        
        "C:\Users\Admin\AppData\Roaming\Files\start.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\Files\start.exe
        
        9⤵
        Executes dropped EXE
        
        PID:428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 536
        10⤵
        Program crash
        
        PID:388
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3da2de776282613661f16dd31862eb4b_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 760
        5⤵
        Program crash
        
        PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3056 -ip 3056
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 60 -ip 60
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 428 -ip 428
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
781fd00db26e87af23d00744fd780989

SHA1
55cb04a700b63e83fae7d49e842385367318becc

SHA256
bfa6808248ad6aeb01fa83620ff85e260e9e0511454dbde683b92894e435c09e

SHA512
c723e6342ffa5db84eea4bc1898d3b43efc526d3c37455007ba371e4a4b669148879d463f30efa74c6f6195440ffe9e1969072262f68d65d54cb8c1b04489b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
cc31db822098fde3e69fdb59e167b936

SHA1
4617fe07ce1d891cb973d9c0fe4dea6dea4ebfa5

SHA256
5887e49c4095174ec79a0f028cfe7966430560b9d74e166005b7aac8619091c6

SHA512
5acc2689915e09a69c92f376f24d409041ef91aca871555ddcdb84e43ff2eaf271f5a54cf50670455722f1baf82198df47a579bb8f584a6fce9528ee29091311

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f7a7ad5a930fe45c3b0ee4e2218b6380

SHA1
6b38d5b579860ac801146d42f12a9776213cec4c

SHA256
5c103ac095c0cd97f342e3e0cf87464f85a791a2a2f277d717892d65c5af2114

SHA512
be94edc9a2c95bfc55c42cf5b7aa95f1c237ec99a445c8b796645edb3de869fcb93e7ac253e839681b561f7c2305195d35cdb908b164f0a39d8f16eb901d2e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7f2644e7b32b85d253143026660f52bc

SHA1
96a640219d94371ecf2cc2fa7ab3b1d9a7b7de66

SHA256
fa00ad48bdbb5aa0caa0360293c29abdf00915899ec78bed32f7eb70f79a5f28

SHA512
2af53ea23b90d7ffb04888192cc60545a733a034b414b46afb9d3515ab764d143baa08c65ab403f023028b236c6ad1d395b66d898b8d59fe0619f00ae15d0b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e506d89f1b7cb804bbda0daaa21d4a4d

SHA1
c7314b1a7dc3f94f5b025aa3d984b87fe0d918e9

SHA256
baed6ebf7f797f855070c176af4143903148743b6d0c50e4f5327af91746e6ed

SHA512
7638935708c8244e1833141538b044247e69fb84f74c8e60f703bcbac1cb7910c41f4648dd7d9818032d02d673cd9adc13c694b8242901eb7aabb09040daba62

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
87c014f7c03874fabe47792679a64044

SHA1
4e3319ef3238084e1f953b300c9ac9284872ff86

SHA256
e1267056ed446f9a1bf6e69a0a52c54f9a64162d45dfdab2fe71f85b4038f3b8

SHA512
505223fc295609dcdf22247acd1e50b26afc069237dd72ba1c9fdf0718e5e6ca97bdc952b11f68b60c7d8ce95d2809938950708a1f629ec29a006dde5c108904

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c02a65a176677b3e08bfa19cf6a8fb80

SHA1
060a1ea942f5fd7b78649eb2e1f903934b3ccf42

SHA256
90fa4eb045aa4ce3174c481e62fd571fbd486177d3828c983eb9a4ad0b3618ae

SHA512
bfb23e80be9d35d133c36af364a6bd51a0cd5723ba40b2cf6acea60025f01a1854b24f2a383561cf756893e6e7bc25987eb39cd638be8fe42dc14294333b9208

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
876e2821201cad0decd82fea3e116e4d

SHA1
4becf0625ab229fd4537c71036b35c1b5851b0cd

SHA256
c2169b78f33f480e9036a9f94b25402ce6634ae9989fe8fae471f83c1bdbc962

SHA512
ceab2cc3889adf46c3afb8660feef7c5c0ee96f51542bd5d76a4d3dc93ed4cef4539d6200162314140be6da7001da1eacf9edcb32e66337b00909764f79b1837

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1753d9604d2b59be7da03c6a658be5bb

SHA1
02c40a3ab1a6d4c4547c4eec7998a0b18a07461d

SHA256
50332b7d4f84a79c1f87bcc76dde67e1034123a3aa36b0bf88ff1d1c0912f065

SHA512
2ef9c322e3d1f0965e73ef6b04f430a7fdf0c1e03a079c5798c4d481074098a5acbebe4b9e6ec7054a0893ff01732d290b3bb76479ac92a960f68b6aad99343d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d15b2525f1de3693c2bc91001b04bb8e

SHA1
adcd1eeaf925af9d52eed1fcb1ed301645e1fd9f

SHA256
f8e0b096ab72b67090486e364b70c97e607b2d59df4995767fb5863a49f8c680

SHA512
2e8e8a67b9fbea57751b0405cfd6b549ee667f1514a861677bc6d9857158108493db5215fc2083e5d4b7fd54e0912c5834c03e1d61c33e611faa344210c904eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1c9bd6989db2800353568defbcdd41e0

SHA1
9891c6a11ba91d006ea61eb685b7541a37241d19

SHA256
6e1403474d4182a97773dcfab28e4973fd0340430ff8c8f09235c4d55bae17a8

SHA512
6d76d1f537e48a150fc881d17123944dcb2848f9ed21868b73010fd8b9fcdc7ccf1ee8f099021ce4e858dae9472f31fa128006e0c4bb03b226afad951834c4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
089d4d2bcbf6e72982afe736b7bdb3b9

SHA1
e1f8c2383b3f3cad0dce55ac6275843b1d83b718

SHA256
60c8ae0b9f738b6bf2d191a506425878c1bae65ba2613624fee241c885bb26d4

SHA512
4d0d7cef13c2ee62995c8e7ff5dc366bc622fd32620145348e381712330639bd46b0d1bae9d9f88c56f0b453be3fb881fbefb30f2e501553e6bf180605a5894c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a520ec30dd44e09d7272bc934560fee4

SHA1
12d1b99cce391385090a45967fb060f1cabc909e

SHA256
6a89b5fcfa10be3358c68fa0b848f86c20af3ac95bf5798a4e536f1b344d49f7

SHA512
884357dd20b73176d3a9b535fd4d2c0426420b4189641dda62353af45129b2b930eb6e15f8aa47cedadf17233925c0719168a3c7d6872f8b6f8b4eee283292c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ee15e08aeb8f2580a40e24fc2a471b6

SHA1
8a35282cc6e9d462ca9541b5407df86a99ddeda9

SHA256
562a4adbd6142e9e4bb73fbf8973bae4869ae63290951ea96b7851aaf5bc66e6

SHA512
70402545b407a34e37e8a334192e8051ef4f9922efa6c6bd60a49d352dde1eb131c66458947db367e3361c94b6c276c327f8f8b50bed59d8b55f8f27dd484552

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3d1de41dd5f850e1a3552b69843a4197

SHA1
f511e071c33e7a85a46afb65d96744ae536904f5

SHA256
52577cb97b4b7c3173a6207d9d78dab180351c97be18e8bfc3b7b8183dc55d1b

SHA512
6611cae5c4ed7084a76a3e422df55d3d075b3cd4a5f8ce77ade74e03148fc04b9b46a22588004eb45e126b6212f498bbc9a440edc2b807943161dcbe3f1ba42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d6de258b21d11ec5f7ebc50844798255

SHA1
bad95e4ababf7611510917533f549e5515a26267

SHA256
ac2e454ca4aad76ed543a93c4a2ccf2022456cddf7a6b61c70da17232bfbc100

SHA512
4265a00965b2092a1af3706fa15b5cd908633a0b98efc0df02d380004440cbc7f9f640dd47be47615f80d5e07d65fbc67dc84f9f8da9cb024a314f48e6a5c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2b2880baedd08a47d42f8abd9a792f50

SHA1
c3b773022af183a5f0c7e0a7c617174ddfb0c37b

SHA256
f32eb37ebac154d541068b9e0769defbfdda2de56c31048ab16f286f71d71ba8

SHA512
dd515c5809dcc430cb7eb1bbd2a39687066bd8084a2345a72af97201ca6bc95f12ae4d2cd14340636962fe8bdcce8125c45869e78fbc7e209b0d619a9a97e537

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
67f8ee73706131f7c0ff829d26c8eb01

SHA1
4f9388a7de5ce55b86fde6b183b0368b25cc723b

SHA256
ff6d378448f7eb7668e0db8871e9b828a02dfc21da6ce0aa45317bc84288d255

SHA512
c8ffb88c47a249f8841c4c1745feabf1a73e38ceb357dc66a21ce620f3405aacd71e19533d093dafcc2c711223c32155891bab17da9fdbc653c1fb25954b224e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5f17de87ed9d24b9ab298e9486a086fa

SHA1
0ec466177c6e552c149d2fd12012ad07d18c3fb9

SHA256
02b6c200c8cd5cffa0455fafac22b2f8c2a25e1d4f681ba59e0a55e283748c57

SHA512
ce2d7b7f9d79c9668cb376066dbfb860b8debcfe5b64b672996e77669b288cb08e43fe83f94d52738ab404e81b4c3648163603e59bd06be06d0de7b5eb65b27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
71d0adec588587b0163ac220ff546f64

SHA1
5bc64791113d3ba9bd5746b01244b842253da4f7

SHA256
8093c461798df00c717fc718142f5469979cc512764e8867a81eecbe97fcfbbe

SHA512
2d81fa6b236af8e678c00d0fae0329c1827071650cdca016173b79248d2824e7a077cfc9e0fcb7e3ad1ee6b1d86c3c50dbda2ccbdf85fb534cf3673c537b53b2

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\Files\start.exe

Filesize
366KB

MD5
3da2de776282613661f16dd31862eb4b

SHA1
74e14e81159a88f40997326d338bf6f0c3410176

SHA256
5aeca94bc26733d48b4d8373bb8148f622b7fb7d3983ab7cab84288aeca0d41b

SHA512
737b895fe91fe9ecd2a3c66eadb4e824f2118c8a50cb0b3ef5abeffb9fe802abc80ff6ea49dad731c9f2dca71184832cfbab10b32b6df1a2c02c47c894e145b2

Download Submit
memory/752-126-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/752-120-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/856-269-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1120-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1120-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2640-16-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/2640-15-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2640-41-0x0000000000130000-0x0000000000563000-memory.dmp

Filesize
4.2MB

Download
memory/3056-86-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3272-72-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3272-118-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3272-11-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3272-10-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3272-6-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3272-5-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3272-4-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3272-3-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4944-166-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download