cybergate | ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5

Analysis

max time kernel
104s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe
Size

4.1MB
MD5

5c2dd6e4760729c4e6ccba57e5c53dd0
SHA1

8b4f76990354a9fe16b4e8c4fe459dc9aa67b9d2
SHA256

ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5
SHA512

e479c858bb27281567ae79c9d3f7e505db72c7af49c5675fd2980d39696a82d59bcbc2c260a27f830992644f53384698e0e06bff149bd991d8f014157b98e05d
SSDEEP

98304:xUS+UpfIpZtN9DwAefvGsXjqD7+IG7Jyxz/xM3+A6nswaXzVJvV3m3:xAUWpPNBefvM7+/Org+FnGXzVJG

Score

10^/10

cybergate vítima discovery evasion persistence stealer themida trojan

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

trufyhack.no-ip.biz:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{I8O55I41-0LQM-E6E6-0KHY-65FER04UGD02}	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I8O55I41-0LQM-E6E6-0KHY-65FER04UGD02}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{I8O55I41-0LQM-E6E6-0KHY-65FER04UGD02}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I8O55I41-0LQM-E6E6-0KHY-65FER04UGD02}\StubPath = "c:\\dir\\install\\install\\server.exe"	explorer.exe

Executes dropped EXE 15 IoCs

pid	Process
3148	server.exe
3304	server.exe
3476	server.exe
3156	server.exe
3176	server.exe
3988	server.exe
4940	server.exe
4252	server.exe
4976	server.exe
4348	server.exe
4664	server.exe
5172	server.exe
6016	server.exe
5940	server.exe
6004	server.exe

Identifies Wine through registry keys 2 TTPs 15 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	server.exe

Loads dropped DLL 15 IoCs

pid	Process
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe

Themida packer 43 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2128-0-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-2-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-3-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-4-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-5-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-6-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-7-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-8-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-9-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-10-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-11-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-12-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-13-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-14-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-15-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-45-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-134-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-219-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-374-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-461-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-538-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-1058-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-1581-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-2038-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-2525-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-2720-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-2742-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-2743-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2128-2756-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/files/0x00080000000173f3-6056.dat	themida
behavioral1/memory/1284-6062-0x0000000009930000-0x000000000A1D9000-memory.dmp	themida
behavioral1/memory/3148-6064-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/3304-6069-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/3476-6093-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/3148-6076-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/3528-6124-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/3304-6195-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/3476-6497-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/files/0x00080000000173f3-9443.dat	themida
behavioral1/files/0x00080000000173f3-9448.dat	themida
behavioral1/files/0x00080000000173f3-9705.dat	themida
behavioral1/files/0x00080000000173f3-9717.dat	themida
behavioral1/files/0x00080000000173f3-9840.dat	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\server.exe"	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\server.exe"	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe
3148	server.exe
3304	server.exe
3476	server.exe
3156	server.exe
3988	server.exe
3176	server.exe
4940	server.exe
4976	server.exe
4348	server.exe
4348	server.exe
4664	server.exe
4664	server.exe
4664	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21
PID 2128 wrote to memory of 1208	2128	5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1284
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3148
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3448
    - - C:\dir\install\install\server.exe
        
        "C:\dir\install\install\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:4252
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3304
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3588
    - - C:\dir\install\install\server.exe
        
        "C:\dir\install\install\server.exe"
        5⤵
        
        PID:6576
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3476
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4232
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3156
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5012
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3176
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4472
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3988
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4404
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4940
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5160
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4976
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5212
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4348
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6116
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4664
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6980
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:5172
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6764
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:6016
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6648
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:5940
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:7720
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:6004
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:5276
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:6124
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:6348
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:7080
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:6936
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:6712
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:6596
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:6780
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:7368
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3116
- - C:\Users\Admin\AppData\Local\Temp\5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5c2dd6e4760729c4e6ccba57e5c53dd0_JaffaCakes118.exe"
    3⤵
    PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
4b5aa817027e7a4251e4ed5486b44e94

SHA1
6a68661a8398160c5a278983beca1018bb64167b

SHA256
fd2a69b5006242f1d4b8cf9dd3c03efc6103b3757b9a700c91e04e7aa880bc3e

SHA512
a70a7f594c7f3e0fc4f0547babac862e56c3cdf0a0ab68eb82f682af237778df1709cc86b7bc30f7d5a670837ba4bd4d24a05e0511875dbbfb81e0e7f5e432ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
7babfd6a39337edc25e0c88694f9fdd2

SHA1
8b341add4cbd722cf793a4d877ef271d0f0cd1af

SHA256
b2f74185ce0229f892d69297303bcfd3f0e653e257724c277edd0c2e3f13bb7a

SHA512
a61c8475b9c99b038d8edbc6deeb31102a8af401a1a51114f075dd9fb692298c8f4a549ccd6718a7286efd119ebcb4fb1e45c5e0566bd2a15775594d9c55f4cb

Download Submit
C:\dir\install\install\server.exe

Filesize
2.6MB

MD5
a6deb4c43d66bbfc66d04f154d4437bc

SHA1
a85b06cb765df19fa88588470097bc527e123a22

SHA256
669c96e04c3787dab44538ed01d4a53505494725d46ad81e32241849b1bab0e4

SHA512
f899113d241302db61237112906c779ab4b846023c209f9e8473ba20430a3db15a9057b2c7b908771a6cdf37781862bb9dc194df12c6c699fd78736699d0e6c6

Download Submit
C:\dir\install\install\server.exe

Filesize
1024KB

MD5
1cd0914afb4f353b399c169d57f7f4ca

SHA1
247d53e8cf58c349057abadc46c24f464100e3f4

SHA256
6719061df8cfe022874fd6f5ea1054b65b0531174e7391b5a908e916de9fa321

SHA512
57b7e765cc8b5c7b959b29576aa3a05316d0e9e61b4352c2bc75850b6124baf5f8079452d0f23902048cad23bb6f1bd87c2e0df3e28095a608056aa83d9845f6

Download Submit
\??\c:\dir\install\install\server.exe

Filesize
4.1MB

MD5
5c2dd6e4760729c4e6ccba57e5c53dd0

SHA1
8b4f76990354a9fe16b4e8c4fe459dc9aa67b9d2

SHA256
ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5

SHA512
e479c858bb27281567ae79c9d3f7e505db72c7af49c5675fd2980d39696a82d59bcbc2c260a27f830992644f53384698e0e06bff149bd991d8f014157b98e05d

Download Submit
\dir\install\install\server.exe

Filesize
2.8MB

MD5
20adc7a1ab6a66ff825f7d599342dd22

SHA1
c25f92e470fd28a4da699a46840884c4219e276f

SHA256
fbcbd0f5417166f2e8670d2d15650fd0156fda7a5695d88730898e172c5fd2a5

SHA512
374cfd0e16cfce1e96e49761a73ed911f6dc38075257a807fb8f197e242030882eb4a0f6277809ead638cb2955cb33fba66432530709f1be5c77370a8c918212

Download Submit
\dir\install\install\server.exe

Filesize
1.1MB

MD5
b5fd9228e9628043339cc4e064bd9956

SHA1
aad0d7279fae0589880dd254f659a38d5b47361f

SHA256
5b06bd4012c23924d08784d3a3e40c92b46e79261b24242e58ad39a137f679cf

SHA512
53fe83c795006acd3a382a674969a870ade29b2fad62c6c7c7a7e4f1455a9b50d1c83168d38650919a30385dc6b58c6b1facd76f49370211f87c8af3cd6d6ed5

Download Submit
\dir\install\install\server.exe

Filesize
1.5MB

MD5
354ac639d8c0c87589fdedd361e83784

SHA1
19e5ddd4dffe3eb3de8ece4934f9204575a58182

SHA256
afe79303b5513428cc71327005cf7b343a4185b23846d667cf3ac3d050bdbd7f

SHA512
157a11a3ef66e23829aad4db9df892ac6421f2c91d398b91afea8b1a4831f258e0ea26c3665bd6641ad2d42b0a54430000606dd08a18b57ddc71f55c900d9648

Download Submit
memory/1208-19-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/1284-6071-0x0000000009930000-0x000000000A1D9000-memory.dmp

Filesize
8.7MB

Download
memory/1284-2722-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1284-6424-0x0000000009930000-0x000000000A1D9000-memory.dmp

Filesize
8.7MB

Download
memory/1284-6361-0x0000000009930000-0x000000000A1D9000-memory.dmp

Filesize
8.7MB

Download
memory/1284-6078-0x0000000009930000-0x000000000A1D9000-memory.dmp

Filesize
8.7MB

Download
memory/1284-6068-0x0000000009930000-0x000000000A1D9000-memory.dmp

Filesize
8.7MB

Download
memory/1284-6065-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1284-6063-0x0000000009930000-0x000000000A1D9000-memory.dmp

Filesize
8.7MB

Download
memory/1284-6062-0x0000000009930000-0x000000000A1D9000-memory.dmp

Filesize
8.7MB

Download
memory/1284-6054-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1284-2721-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2128-461-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-8-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-10-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-538-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-1058-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-1581-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-2038-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-2525-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-219-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-134-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-2720-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-2742-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-2743-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-2756-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-45-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-11-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-7-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-18-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/2128-9-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-374-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-15-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-14-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-1-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download
memory/2128-0-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-13-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-2-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-3-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-6114-0x0000000004DA0000-0x0000000005649000-memory.dmp

Filesize
8.7MB

Download
memory/2128-4-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-5-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-6-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2128-12-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3148-6064-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3148-6076-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3304-6195-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3304-6069-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3476-6497-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3476-6093-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3528-6124-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download