cybergate | 0a9d3dc9afdd595d77de1d2f448c16e63dbb35fe3d355b2c3446881b8a28273b

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
Size

752KB
MD5

603fa32d6d8004fdba90e4caa654bb00
SHA1

ec395f9535a514cdd8f7a22d82d9f89c2b34b463
SHA256

0a9d3dc9afdd595d77de1d2f448c16e63dbb35fe3d355b2c3446881b8a28273b
SHA512

6f7fb72860726e382f44eeaa017d34fb820f8edb1d543774abfaa21a9f561060b818471a858cab36e1dd607fc39ab12e30dbb1468690ee116e5609028d16b2e9
SSDEEP

6144:r9wEFMv6M4YCUrdmFvTl+G78hxJ0Q5U629Jq+NHS2EzjlJUP9qFvIrnHtl4T64vy:r9gIqxGQ5U629JHTEP/tFIHtlD4vDfO

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

roughneck.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
spynet
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe Restart"	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

rld-nfss.exeserver.exeserver.exe

pid process

716 rld-nfss.exe
2404 server.exe
4464 server.exe

pid	process
716	rld-nfss.exe
2404	server.exe
4464	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe"	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe"	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exeserver.exe

description	ioc	process
File created	C:\Windows\SysWOW64\spynet\server.exe	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	server.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exeserver.exe

description	pid	process	target process
PID 3900 set thread context of 3348	3900	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
PID 2404 set thread context of 4464	2404	server.exe	server.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3348-5-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3348-6-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3348-9-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3348-8-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3348-12-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3348-16-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3348-31-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3504-79-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3348-151-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3668-152-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/4464-194-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3504-195-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3668-196-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1452 4464 WerFault.exe server.exe

pid	pid_target	process	target process
1452	4464	WerFault.exe	server.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exeexplorer.exe603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exerld-nfss.exeserver.exeserver.exe603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rld-nfss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

Modifies registry class 1 IoCs

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

pid process

3348 603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
3348 603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

pid process

3668 603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

pid	process
3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

pid	process
3668	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3668	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
Token: SeDebugPrivilege	3668	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

pid process

3348 603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exeserver.exe

pid process

3900 603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
2404 server.exe

pid	process
3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

pid	process
3900	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
2404	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe

description	pid	process	target process
PID 3900 wrote to memory of 3348	3900	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
PID 3900 wrote to memory of 3348	3900	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
PID 3900 wrote to memory of 3348	3900	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
PID 3900 wrote to memory of 3348	3900	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
PID 3900 wrote to memory of 3348	3900	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
PID 3900 wrote to memory of 3348	3900	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
PID 3900 wrote to memory of 3348	3900	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
PID 3900 wrote to memory of 3348	3900	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE
PID 3348 wrote to memory of 3488	3348	603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Users\Admin\AppData\Local\Temp\603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:3504
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:832
  - - C:\Users\Admin\AppData\Local\Temp\603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\603fa32d6d8004fdba90e4caa654bb00_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3668
    - - C:\Users\Admin\AppData\Local\Temp\rld-nfss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rld-nfss.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:716
    - - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\system32\spynet\server.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2404
      - C:\Windows\SysWOW64\spynet\server.exe
        
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 560
        7⤵
        Program crash
        
        PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 4464
1⤵
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
237KB

MD5
a9054c149d16d8a1746b230cf85448a5

SHA1
dca585b2adbba067bf242c07357c646ff8f8f772

SHA256
98642ebe3460f76500d88b7ae3bb7478792854a7422febb0774b08cd34d736f5

SHA512
8000b0fef23572cf5ed7bff29d6ea949d27253295714f54be7a725b3546f30eee8ee21e73212b697aaadcc60fd0ebf0883f53946664ab2da592bde28267d9ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d7af09536fb500272cf5f73163e7e412

SHA1
45b974f55434305c61571e59955d79cb9037aee7

SHA256
94d79bee9f2dd8ff5db78a5cf8001362ef50b61099e439b3b491f6af97d56e37

SHA512
3a63d7524323489e7a95565de324201519bd0ab1683c79cc2d38a4023d8012106320b682bd56f86e9ed132ec6fa862625f5136f27df043ba158b932d7a6ba1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
13f1a2b5922d068e90d13a5d082b7170

SHA1
b74139a24d1acafc7e13357a558683a2cbdb4c5e

SHA256
14f9612e905589efa83e1b0a8234a347684466af93835c5ead2b99d51a3055f2

SHA512
4ee7859eca2a537d23ef6cbd0b72b8ac4dbbc7ce1d829658e6fc3876647e02660850157cd60a10e3ded5e7b038149fd560225679c81977266c1d5c5c9d21045d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8217c34bfd44f6de02c889c1088bba4b

SHA1
9b29142da249e1c9ec1c010227a941a7e115f469

SHA256
1652e1aa3a9f86ae25268d725738d8d25f0ddd77635315087d7ac6275dc69b75

SHA512
504d0058e3780526ef9cf74fb5876e67d17a36f89c5c771e005335649225320593264255adba56ef4dd021aa23a0c7b4792a05f3a2cec6f47121a9a5a97c0663

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5906d57cfa90a9146fb7df641053f3ac

SHA1
3f7f3a474ba7de744d60b8573fde38612a5d5fb3

SHA256
74fd002cb37cb5143332a3c2279e674ddad2dfce48d767282f21559f61380ec0

SHA512
671b0922492848794a6bd208d370892f189c5db12d3b2ff2d7ecee4c21208f0349e71ba2613c340bff3eb54e6fa33d506f577e0c5421ea23b98bc9946f434b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
502ee9e516f1d1c026ba8ab66d9365d3

SHA1
ce5eac995596fb68b403b9f5fe49c199c81d3ad3

SHA256
5e2b5afc00e116caba8e3e0c3dd7fa84acfc212af2798a6dd19e67ce14df13f4

SHA512
45c36703b6a1909d06859a5fcb9b1d0d28dd770ff227c11049c0d10663d979f75b057b884b7c562927225974ec457ce2e7e314a9260a56b4785df8c3e9109952

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8f0be5dc46ad6ffa90f485ecf69f349a

SHA1
2de705f1ec8c4a6a3df1d2d7992618b0665465e0

SHA256
898aa764fa53c6c5637168222aa8b115de94f5f83f0f55b9de6addf7e0153518

SHA512
9f00f4f5dafb3080c69ad2cbd56df5958c2e0653aec5be51daa895a6020e4fd7e79ba5bbed74852ff10892756a006164db0cb03c3b4c7cb7d90c0cd67930cf07

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
21112aab10a238fb91a6820789598088

SHA1
7e176a1b80ad72e5bda8b400f4f7bb15ee453d5f

SHA256
ed0d69765eb20171e663f60855430d4c4e1f8094d30feac9c951c7a250caaa11

SHA512
380fb39736336ec4b1a18af9fa388845b6d2f6af65718a9b2ce4dde6bab6228e261e8c11a0f51cf3dd3fa121f3a1cedc92f06163cc6bf97815fd4645010405e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ed13c130ecad3083b55c1527493d2771

SHA1
67296974ba7f36407b383f5af95da9cd432c75eb

SHA256
1fc53f5d73aeccac7396f1ae5244912665699c9ca4c411bd3699c48ef3e14773

SHA512
10bce986d758d14cb69571df50091a14de1d1a641d440d2fdcd14850c012d6a43efa723f92fd1da1527cf512dd96362bd5b69b4c45a3788f4a6ddbfa15d4913d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
007cde42db59c543679c3a2010b236f9

SHA1
149268cb00d792abba7ec1878acd924d77707a19

SHA256
7b252ed656e708505d79f952fb11fa21fe4a32399d82f0291532f70b692cf91a

SHA512
223cd9294c04370edfb40a9b0c4fd7f360be777db4bea75592d9a60dc4e27659fb408e50a0705afb735605983b846e3c439a30ebbb0b5b79232793426366a9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2e81d0a01db39496512505d88c74e948

SHA1
1a86351f57ef32e04b760a0509704a4afc961e9e

SHA256
24eb7afe9c203a2975a17871db825e8d7d7a4d683b99166e6c227a0256e2c2c1

SHA512
c8ba0de7abc07b3a45de2c14b91c5f737260d36d0e1869eacfec781610a1634d3ddddb6514287e6797a23ff5cc7d1a67bd69bb879ba8bc12f01370cc78ce2839

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
81bc12f0c2da9d332f476f391f6f52a0

SHA1
0336d72f391523740d993ea9a44354ecce1fb932

SHA256
d55bf1e3abf8c53fe4c1d402dcef34b057ffeb43070f801a2be287495f44df32

SHA512
ed264bb122e4e088240cd2a25b11fcadd894c33a8a0d49fe86068ad306f40faafa186f9718255e72dee748dd4b982c3998300e1ddb44326065b3c6792a1811f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3243302eba83618dc68c726c12b519c2

SHA1
8c5f44c475271af3dcb5cf2371102387c3854ccc

SHA256
238336f017ac7e947495ca402ecf849007567d1882f20cde2bd0467c59e21df9

SHA512
1e0add36792d7e2b0db026d6c57367a21d13a2b5d7a4f9a5e3c45f003f3fb90908c24b79ed66972e8969614ef6570df60f47b375291aec168ddd657ce7edfc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fb4bf3c4bb5d307083b337b340fe9344

SHA1
ac8e978e34d18ec9005a2d47ee5c88108c816c3e

SHA256
f97c2c954a5c2f8c3971e2a8ffc3b5a537deafe272dc385a594a47dc32aaa59a

SHA512
013b29c7c1b22e53d15c5c221c70f4e1be06eacfe0f8344543839e2a1c1fcb905b14b58502445edfec03bd141c0f6ba765847a78f7ea8a8465b39d12f7cbd307

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
375e38d97fd890499a87b0b3b18f6d69

SHA1
fa96ccae3640b421958dc21174bd068bc689a832

SHA256
8aa503fb1f46ce9ce96deaa9d3c26b7cac6593e1b77b260e490e0005f47ca2ea

SHA512
29e43f9ecdd25c9c401abc56cf7c72a85aefce10957e2b7dc3187f8df378f4f8ac63991674d979da01ec7afcf12df390121c12591a8f0a3973be7527a7ecb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ba55078afed6594d16427898e4cb9a3a

SHA1
b5e911735cfdec265602df06d674e5e9d7e630f6

SHA256
0aa383b01268ee95301e430d72b97fb5053d4fecf44e45a6ee755aa1a1821e96

SHA512
cee8bee926410f1b14e5303da1a5eb91d01aad2e9efd295b5024637090c1081834b19996ab0d6269b2e729b1330af5eac6dad4605d755cb4bb38ee56d7d86867

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
515fa254919f1700315d3dac12352587

SHA1
f5f33f2b2b5e620b5e06da43a3e5b2bc5d4a56e1

SHA256
89596dcdf39925b86d88657ed2021b7246fa196142334d4de35a78bfdeb35a6e

SHA512
fa9d1261255f72e0d2e418e2eab4da8f63194e78fbda87eedec301d2892ff917f1164a31ad5460626804a9c0124b3a7705a6fe0edc040374dd0d6a77465e42c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
95ba8df04c3a6e8a54d7b634f223ee7e

SHA1
3bf716e2e7882aa6bcf7c83bea7de952176665cb

SHA256
51af757853186edbeba0b0be9a90fcc4154b6dd5fbf64d3d19d5f172a3872e10

SHA512
09d5787a1f4453be832f05b6a8e24f4c03fc8049e9b2df60e725d22208e937876be898e17fce8c4ab2edbc7cfbbda9049ca56009fb529996f9f6c0836e0faeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1d1911e56cc17f99f13ffbe5a62db207

SHA1
d9178f62689b2038b59d2c2b8fe09ba920afed30

SHA256
3625aafbc40215565fd2a507280b042a02b26e8c08f744145001afadf4e8b27b

SHA512
b949b5c4afd6fd9bd92bab185678bc6a398af00ea287a0eb30513e00816db273aecc7ca07ef70970eb50d2604d3b009537c932ace059822a5f1bafe96a04297b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rld-nfss.exe

Filesize
8KB

MD5
1835ca2538b43ceac957f34fd43812bd

SHA1
530b08dd79e4f9989eeb4d8918ff3a1a76253cdd

SHA256
bf77a5fba87bcef8b3c2e41f953f64b7ed0d6805fe597ff766d9cf2d31d9caf0

SHA512
c3b63b861b41c1be590bca4f05d4fd66867fc9deee70831e8dd988157920bf3fe33b159852dd53f3990762a91608856c381dec8523684e1b1122e03c705e2a5d

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
752KB

MD5
603fa32d6d8004fdba90e4caa654bb00

SHA1
ec395f9535a514cdd8f7a22d82d9f89c2b34b463

SHA256
0a9d3dc9afdd595d77de1d2f448c16e63dbb35fe3d355b2c3446881b8a28273b

SHA512
6f7fb72860726e382f44eeaa017d34fb820f8edb1d543774abfaa21a9f561060b818471a858cab36e1dd607fc39ab12e30dbb1468690ee116e5609028d16b2e9

Download Submit
memory/2404-191-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2404-184-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3348-31-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3348-5-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3348-6-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3348-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3348-8-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3348-151-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3348-12-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3348-16-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3504-18-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/3504-79-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3504-17-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3504-195-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3668-196-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3668-89-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3668-152-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3668-1913-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3900-0-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3900-7-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4464-194-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download