Malware Analysis Report

2025-01-02 12:26

Sample ID 241125-hhpnyazmdr
Target 99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118
SHA256 0dd183e40195e0b11462fbed00f627076277d0e0ec8ca7fb26db50f509ac3d6e
Tags cybergate cyber discovery persistence stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 0dd183e40195e0b11462fbed00f627076277d0e0ec8ca7fb26db50f509ac3d6e

Threat Level: Known bad

The file 99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate cyber discovery persistence stealer trojan upx

Cybergate family

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

UPX packed file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 06:44

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 06:44

Reported

2024-11-25 06:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Cybergate family

cybergate

Adds policy Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\PIC\\PIC.exe" | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\PIC\\PIC.exe" | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Boot or Logon Autostart Execution: Active Setup

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3J511274-8X31-6421-6N86-M2DJKDJRP5G1} | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3J511274-8X31-6421-6N86-M2DJKDJRP5G1}\StubPath = "C:\\Windows\\system32\\PIC\\PIC.exe Restart" | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3J511274-8X31-6421-6N86-M2DJKDJRP5G1} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3J511274-8X31-6421-6N86-M2DJKDJRP5G1}\StubPath = "C:\\Windows\\system32\\PIC\\PIC.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\PIC\\PIC.exe" | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\PIC\\PIC.exe" | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\PIC\PIC.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PIC\PIC.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PIC\PIC.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PIC\ | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Enumerates physical storage devices

Program crash

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\PIC\PIC.exe |

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\localhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PIC\PIC.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1648 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe |
| PID 1648 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe |
| PID 1648 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\localhost.exe |
| PID 1648 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\localhost.exe |
| PID 1648 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\localhost.exe |
| PID 2932 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe |
| PID 2932 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe |
| PID 2932 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |
| PID 1612 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | C:\Windows\Explorer.EXE |

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe

"C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe"

C:\Users\Admin\AppData\Local\Temp\localhost.exe

"C:\Users\Admin\AppData\Local\Temp\localhost.exe"

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"

C:\Windows\SysWOW64\PIC\PIC.exe

"C:\Windows\system32\PIC\PIC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 564

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 104.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |

Files

C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe

MD5 99015dec9d9edc8a9869b565c4d2cc48
SHA1 2991d0aeb91d062e9637651a99f09035f45accf1
SHA256 af8ca5db504855a72c81b95e15d5c7128cc7d56ee68ba8ce537524ae0464f9f0
SHA512 79ba1f08e39c0d50968528195be341623f7b73bbb5a40652775d26ec8323ec4ff190a2667c38621543a92496f2427944dc1d7181b4e795eba474ce1ddb3653da

C:\Users\Admin\AppData\Local\Temp\localhost.exe

MD5 6e6165f2a71731527a6bd575b6a9bfcb
SHA1 3aa2ee4c6ac27ecf17fb0fa00be4787c62204f25
SHA256 82c03eed7fdff77b936e0f0c8d38aec9f419d95c44c8a473fe658ae8e5f3e9b3
SHA512 592d951ffb7a23845ecc816ff84965f83ce7d0898ddddbcc8a07254a526ec8f4648edb56ddd13f9dd4fee1a815ae980e7452bd8f2fb18fa0de8930c10d05eb26

memory/2904-22-0x0000000000400000-0x0000000000E95000-memory.dmp

memory/2932-24-0x00007FF987FF5000-0x00007FF987FF6000-memory.dmp

memory/2932-23-0x00000000016D0000-0x00000000016E0000-memory.dmp

memory/2932-25-0x000000001BD30000-0x000000001BDD6000-memory.dmp

memory/2932-27-0x00007FF987D40000-0x00007FF9886E1000-memory.dmp

memory/2932-26-0x000000001C2B0000-0x000000001C77E000-memory.dmp

memory/2932-28-0x000000001C880000-0x000000001C91C000-memory.dmp

memory/2932-29-0x0000000001830000-0x0000000001838000-memory.dmp

memory/2932-30-0x000000001C9E0000-0x000000001CA2C000-memory.dmp

memory/2932-31-0x00007FF987D40000-0x00007FF9886E1000-memory.dmp

memory/2932-32-0x00007FF987D40000-0x00007FF9886E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

MD5 bf0577c17a68234736f67d5db295b130
SHA1 5e25e119d884ddb8585187c82a9c6550bc85f3f5
SHA256 4d62b9e65bca737e052b6610be21cef8c65016ff7f7b74f799c8dac98daa1c1a
SHA512 cf806bf21d0e084040f6ee9ad9fa18cdb58e8970fb7f4eb32815d254b770d238034d5f28ee440449293163d89cd2ac448be545e5479fbb1c9cdc3ec8eeb29321

memory/1612-41-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2932-43-0x00007FF987D40000-0x00007FF9886E1000-memory.dmp

memory/1612-46-0x0000000010410000-0x0000000010471000-memory.dmp

memory/1584-52-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

memory/1584-51-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

memory/1612-50-0x0000000010480000-0x00000000104E1000-memory.dmp

memory/1612-107-0x0000000010480000-0x00000000104E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 31b0de3f40858bb30215436ea035ae19
SHA1 0a125c6c988468bf685e14aac3cd5246c934fd6c
SHA256 8e85ea076c3ce5f31ff11a40be4327899e9b90c944f90d4c67e8f2b06bc83024
SHA512 7cc58edb51a0c8c2434d3c9c13c00e292de9e5b7d5c2349a5a2bd98b5ee2de41793a7811944456e697421bf589df5cfe8c48ac6e10ba3e21239e05382c466a45

memory/3856-145-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1612-183-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Roaming\cglogs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/1276-202-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1276-204-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 442985aab1436bff4930b1053bbfda2c
SHA1 bb20b49b90f5329a532dd29c24e8d46470643746
SHA256 f496d5048b02300ff1abe9dbc4b1354bf2f7c9591807c2b8c42e57f7bf9d2ae8
SHA512 cf5705a4b15955e0e11905f71f7e653218fd621422582a9b05301497c4b36a8e9585dd408f517f8899fb56c5f7b4de2f39e33b6136af090ec59288c3f647cd06

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 deca2c2eafff708ce181f4dec8d0cf2f
SHA1 0a3e94c6d83ec6ee8693c5cf8d454475817e5cd5
SHA256 46f0cd9a7318328e4b49ef1e247f39352aedc8a2158140cc9bfe2eb8c9b52aed
SHA512 2dd77890ac676a7589702b2d74f23222e6b556d65d14454ab10c42bb834089cd8ffd4bfd71ad5b02db1c66d02a1d8d5bda505391675aff18a8bc4aeeebb84b82

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9d77e64c1e0b11d055a63140104856ca
SHA1 7cfb3cb18f07d4923a3d1856a43bb874117db6e4
SHA256 599b5605e8fa563e45802c6be0209ca8357605b3a7eb3d051ac070941fd43dc2
SHA512 9e0e3c4f9d4ef13b395c1bb07573a0bccd30a299cd90264f3607c500248fcb83f1ff9906edd9c85f957831fa58aa0206fe8dc6aaaab09ac056bf9ebeb4d069fc

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ba7caaf51812b6f1b6e4ab07a2bfddef
SHA1 aefa8a5aa9a026b2d7c3624991d0a72055aa0c89
SHA256 9fb42ff19a3d93d84654d84e76e690f7d89dd4170659c09d66729b8902d2b251
SHA512 cf93c9a457fd138fb7799d4679d482696fbf2e8573ed0cbccc8c42c60c676c0568d2d1feb1855c3e88adc43f3a8fce1a059d304406342c7072a6ef4f95b52322

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7da7e5009ae61d9f4ff1bb5eed051abb
SHA1 c23700470adab32d2600f1764726f64be490aed6
SHA256 500414418e9f23647c81cfc92908392f4f7de4fc9d85b33e8f6f2b01b4c7fddc
SHA512 83a9cb138dc53cbfd4c518c4001bff325b1db152b2f57fea4dea2b06627da30b9176dc763f87d9c8669acc1a3f47e10b91c5dcdf71c8267e50e8488c8170c800

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8c0f364ab85d65048156b1106bc86e56
SHA1 2dc95e0cb143ca0f9defa11e50674b3052af03ff
SHA256 fe91ff6225a3b888fec3c7393b267d44e6a22cc52b99cd4c70657090cb557ecb
SHA512 187701ed12f24c680cf5c2c2f5277a8bd89ced2a4fde455b7141caac869373e17c64e6f1050dcd297b98c53b10a8a3e2437b8673f45e6f194dd7761944f21020

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 dc0a7f38b3698a5d76c2c0497e45e630
SHA1 54958110cbb88b67ee5106ad767e7ee35bff4e7d
SHA256 d5c251742714807a6843df7711baa977e14c1062221234b8fbeb377111ca198e
SHA512 b79bd2f7592284f353fe56359055a2d8012ee15943a6b85ad5680d277514f55b72f5a073a36601e62a24811f08f9e53ca3e915e751cf298295226c14b3f639fa

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 53e1b40551be7343a9455213524d46fd
SHA1 a5c57306db25fd0823205310ba9c32c15ef94014
SHA256 05cd09a56ea5612618ce305e6c090a109558dc0c319b45fb07e05c60d85f6807
SHA512 c65af46568e852c0915dce48a686235d793635c3603b4d2bdce663569611d47b5a6f8e6a2e87601f436564ff2d20aa05e59ff3734924409b774584b152280308

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 af33f2ac4b574cc2c6adf570d4274396
SHA1 2885586fd6b4f17249451cb59b20313ae7b481b5
SHA256 2c9a782dc83b6a323ef9349851bb5fcdff07baa438e62dc9f4f94aaa70c72e9c
SHA512 3e29eabfb872306f946981bd827ea226c7fded5ab704c09a9491a27f57deb4bb65dde5ffbbc8a84cc942e9b8bb7bd5ea942f7c616d4b1778cd0e4dae0e16acf0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ffd8c862a47fbb8f3a130c44f0779878
SHA1 7a17d7aef611ae747e5b5286cefc38aecbb15f64
SHA256 a7f846dcd1e1edf32e213af17d141998f2b8ebace034579000585f62e73fcdf6
SHA512 f3c9ef09cbe759b6173b3a8641969ce8eee2f687b9c00eb936eebc748bae2cebb280d82918f85db009ee255fef99e919897662463f038bf2912b51941cdfc38a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e42f30bd77d5d07e9d1d1939661e6333
SHA1 8343c36d22d7d2dada69e4f9f4d753c91f1b9e71
SHA256 c09d2175e6d593987c1e5904dd194423cd2ad61e358ccdeb28de670a26d8c10d
SHA512 284e0677219e70aa7b53a1a27ee239c13f797f5957b76f6a7f8568de41a43e1f2f899539c189fdc3ab3865db73721c9c495089f2c7f41f4928fa23225531b321

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e3af9a62bdf118d9a89d7aa93d14bf50
SHA1 6761260a9ad7b51768f95f83b74171a71d28532b
SHA256 56be8ea33a2f1e03ecf27782226cd821c0cacb3f8db6399d5ac5b055c3ccbe38
SHA512 87ae9da5735d6f6bfdc2d7cb8105aa85f674c1a9d1bab4fa68d2a32b7c6dbc41515a0196b7c3ac113fb69d5a715e16b1842a37b361f3d2e8a4ec970c1af7cd80

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a88b56be4f86a9ec1e9f47e0d91dee45
SHA1 9b40b73b68153746d815f9c1093456fa806c1ab1
SHA256 1bce2e025d7f0bcdae108bbdb2af264d7df38c7ddcafbfbcad01a876dcaa7b49
SHA512 1b197032d632821e69808d49e2b2094b24aabcf024da14f3b62934f9f42bfa060495b0bcd5ab791383c8d310429f608f538255087ea8a5f1bf1d64bab8528363

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 51b4ce557407c17466f6043b101acc37
SHA1 48692d135b8c50a96264b26cff758074186482c8
SHA256 198ca96ad20225a2c7bb3f42c7f2d95249a2420724aaac4b7607f6b469c06b82
SHA512 3f500ad487938f2efd136bf73c54fda0bce65b17b1dfce5900111e077f68f8ab8d56230326349bb8ae21e4ece16536d373757c4be10d4b23c312cf58ec7cfc1a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4fe354ccd6a8be0e5e69b5fe019d878b
SHA1 f8bfeb37d66fa7ddebb176d9d54c6bc11c52490e
SHA256 944d75d0787584a3af861d1134fde71c94497f1abb9649540e8f27c78ba21dbf
SHA512 13d3997a83b8e5a8bf5e30aea08dc4f037a27680a9cc54c5cf9d1f2e1dc411c826835646912c4f39080193d42537d86bb96baa42e33f082f46b5965757bb4fd1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f75e725baa8b96f5940fcac0667fb6eb
SHA1 5069baec5d49805fde95c947bdbfa79c880f42dd
SHA256 0d4d39180da139793bc0fe4b407581cb198f7bd621894b8aa86ddf40aaceab0b
SHA512 20e86211e95660ee135337d18fac71c8f814e5b4139e19a7a310930156c365a196def82e32220c8902b38896515dadd330dcc242fa2077699efb954cc7c7a87e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4f2008dff43b371743e56a323a5a24fe
SHA1 313c485eaacfa5dc58f8be30222b0f9e77673efb
SHA256 61c92e8869535a0e7552efa5c4c7897b5d582e12df6972e7c3881751034b22f8
SHA512 6b524aeb883a9ec78ca71c775f9c50732c7234abd02ab46449b6666b18e95cbda4dea53555b2bea8e525badf59c4c03ff2518ee1054a0c98033764c5cbecc4c0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 02bff359f49f03bea727c6eff77040de
SHA1 4cb17913e9b45c62fb310ccfc034b207f2101dc2
SHA256 19d64560183e62700efd519aa68205c266094695b21d87d729346d4f183c3120
SHA512 162ee283920db5c19969bdaf68f813cebfe707e16892f0a97ebe9862403a4020c12cf4ad470e1ea1081f4ef561a5435ae0af7903877ad26757427d73453fe424

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 06:44

Reported

2024-11-25 06:47

Platform

win7-20240903-en

Max time kernel

147s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Cybergate family

cybergate

Adds policy Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\PIC\\PIC.exe" | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\PIC\\PIC.exe" | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Boot or Logon Autostart Execution: Active Setup

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3J511274-8X31-6421-6N86-M2DJKDJRP5G1}\StubPath = "C:\\Windows\\system32\\PIC\\PIC.exe Restart" | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3J511274-8X31-6421-6N86-M2DJKDJRP5G1} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3J511274-8X31-6421-6N86-M2DJKDJRP5G1}\StubPath = "C:\\Windows\\system32\\PIC\\PIC.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3J511274-8X31-6421-6N86-M2DJKDJRP5G1} | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\PIC\\PIC.exe" | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\PIC\\PIC.exe" | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\PIC\PIC.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PIC\PIC.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PIC\PIC.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PIC\ | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PIC\PIC.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 2712 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe
PID 2936 wrote to memory of 2812 (7 writes) N/A C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\localhost.exe
PID 2712 wrote to memory of 2900 (7 writes) N/A C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe C:\Users\Admin\AppData\Local\Temp\Crypted.exe
PID 2900 wrote to memory of 1232 (46 writes) N/A C:\Users\Admin\AppData\Local\Temp\Crypted.exe C:\Windows\Explorer.EXE
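
The rows above are the most useful part of this detonation: they chain the dropper (PID 2936) through the two extracted stages into Crypted.exe (PID 2900), which then writes repeatedly into the already-running Explorer.EXE (PID 1232). The following Python script is an added example, not part of the sandbox report, that parses rows in exactly this format, rebuilds the writer-to-target chain, and labels each edge. The input is the report's own rows, repeated as many times as the report counts them; the verdict labels and the "process under C:\Users writing into a C:\Windows image" heuristic are this example's assumptions, not the sandbox's scoring.

```python
"""Reconstruct the process-injection chain from "Suspicious use of
WriteProcessMemory" rows of a sandbox report.

Added example, not part of the sandbox report. Verdict labels and the
user-dir -> system-image heuristic are this example's own assumptions.
"""
import re
from collections import Counter, defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed input: the report's rows, one string per WriteProcessMemory
# event, multiplied by the number of times the report lists each pair.
ROWS = (
    [rf"PID 2936 wrote to memory of 2712 N/A {TEMP}\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe {TEMP}\Localhost (2).exe"] * 4
    + [rf"PID 2936 wrote to memory of 2812 N/A {TEMP}\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe {TEMP}\localhost.exe"] * 7
    + [rf"PID 2712 wrote to memory of 2900 N/A {TEMP}\Localhost (2).exe {TEMP}\Crypted.exe"] * 7
    + [rf"PID 2900 wrote to memory of 1232 N/A {TEMP}\Crypted.exe C:\Windows\Explorer.EXE"] * 46
)

# Paths may contain spaces ("Localhost (2).exe"), so anchor on the ".exe"
# suffix of each image rather than splitting on whitespace.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$", re.IGNORECASE
)


def parse_rows(rows):
    """Return (src_pid, dst_pid, src_image, dst_image) per row; reject junk."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        src, dst, src_img, dst_img = m.groups()
        events.append((int(src), int(dst), src_img, dst_img))
    return events


def edge_counts(events):
    """Number of writes per (writer PID, target PID) pair."""
    return Counter((s, d) for s, d, _, _ in events)


def image_names(events):
    names = {}
    for s, d, src_img, dst_img in events:
        names[s] = src_img
        names[d] = dst_img
    return names


def root_pids(events):
    """PIDs that write but are never written to: the chain's origin(s)."""
    return {s for s, _, _, _ in events} - {d for _, d, _, _ in events}


def chains(events):
    """Every root-to-leaf path through the write graph, as PID lists."""
    children = defaultdict(list)
    for s, d in edge_counts(events):
        children[s].append(d)
    out = []

    def walk(pid, path):
        if pid in path:  # guard against a cycle in malformed input
            return
        path = path + [pid]
        if not children[pid]:
            out.append(path)
        for child in sorted(children[pid]):
            walk(child, path)

    for root in sorted(root_pids(events)):
        walk(root, [])
    return out


def classify_edge(src_img, dst_img):
    """Heuristic verdict for one writer -> target pair (assumption of this example)."""
    s, d = src_img.lower(), dst_img.lower()
    from_user_dir = "\\users\\" in s
    if from_user_dir and d.startswith("c:\\windows\\"):
        # Code from a user-writable path written into a system binary's
        # address space: injection into a trusted host process.
        return "injection-into-system-process"
    if from_user_dir and "\\users\\" in d:
        # Both images live under the profile: a dropper populating a child
        # it just launched (RunPE / hollowing pattern).
        return "write-into-dropped-child"
    return "other"


def findings(events):
    names = image_names(events)
    return [
        {"src_pid": s, "dst_pid": d, "writes": n, "src": names[s], "dst": names[d],
         "verdict": classify_edge(names[s], names[d])}
        for (s, d), n in sorted(edge_counts(events).items())
    ]


def basename(path):
    return path.rsplit("\\", 1)[-1]


if __name__ == "__main__":
    ev = parse_rows(ROWS)
    names = image_names(ev)
    for chain in chains(ev):
        print(" -> ".join(f"{p} ({basename(names[p])})" for p in chain))
    for f in findings(ev):
        print(f"{f['src_pid']} -> {f['dst_pid']}: {f['writes']} writes, {f['verdict']}")
```

Run against the rows above it prints two chains, 2936 -> 2712 -> 2900 -> 1232 and 2936 -> 2812, and flags the 46 writes from Crypted.exe into Explorer.EXE as the injection edge; the small write counts from each parent into its freshly dropped child are the stage-unpacking steps. On a live host the same logic applies to Sysmon or EDR cross-process write telemetry once the rows are mapped to the same four fields.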

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\99d934cc3c3f80ae473810a3e29c98ce_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe

"C:\Users\Admin\AppData\Local\Temp\Localhost (2).exe"

C:\Users\Admin\AppData\Local\Temp\localhost.exe

"C:\Users\Admin\AppData\Local\Temp\localhost.exe"

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"

C:\Windows\SysWOW64\PIC\PIC.exe

"C:\Windows\system32\PIC\PIC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (13 connections)

Files

\Users\Admin\AppData\Local\Temp\Localhost (2).exe

MD5 99015dec9d9edc8a9869b565c4d2cc48
SHA1 2991d0aeb91d062e9637651a99f09035f45accf1
SHA256 af8ca5db504855a72c81b95e15d5c7128cc7d56ee68ba8ce537524ae0464f9f0
SHA512 79ba1f08e39c0d50968528195be341623f7b73bbb5a40652775d26ec8323ec4ff190a2667c38621543a92496f2427944dc1d7181b4e795eba474ce1ddb3653da

memory/2712-8-0x000007FEF5AFE000-0x000007FEF5AFF000-memory.dmp

\Users\Admin\AppData\Local\Temp\localhost.exe

MD5 6e6165f2a71731527a6bd575b6a9bfcb
SHA1 3aa2ee4c6ac27ecf17fb0fa00be4787c62204f25
SHA256 82c03eed7fdff77b936e0f0c8d38aec9f419d95c44c8a473fe658ae8e5f3e9b3
SHA512 592d951ffb7a23845ecc816ff84965f83ce7d0898ddddbcc8a07254a526ec8f4648edb56ddd13f9dd4fee1a815ae980e7452bd8f2fb18fa0de8930c10d05eb26

memory/2712-13-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

memory/2812-14-0x0000000000400000-0x0000000000E95000-memory.dmp

memory/2712-15-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

MD5 bf0577c17a68234736f67d5db295b130
SHA1 5e25e119d884ddb8585187c82a9c6550bc85f3f5
SHA256 4d62b9e65bca737e052b6610be21cef8c65016ff7f7b74f799c8dac98daa1c1a
SHA512 cf806bf21d0e084040f6ee9ad9fa18cdb58e8970fb7f4eb32815d254b770d238034d5f28ee440449293163d89cd2ac448be545e5479fbb1c9cdc3ec8eeb29321

memory/2900-23-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2900-28-0x0000000000230000-0x0000000000285000-memory.dmp

memory/2712-29-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

memory/1232-33-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

memory/2900-32-0x0000000010410000-0x0000000010471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 31b0de3f40858bb30215436ea035ae19
SHA1 0a125c6c988468bf685e14aac3cd5246c934fd6c
SHA256 8e85ea076c3ce5f31ff11a40be4327899e9b90c944f90d4c67e8f2b06bc83024
SHA512 7cc58edb51a0c8c2434d3c9c13c00e292de9e5b7d5c2349a5a2bd98b5ee2de41793a7811944456e697421bf589df5cfe8c48ac6e10ba3e21239e05382c466a45

memory/2900-646-0x0000000000260000-0x00000000002B5000-memory.dmp

memory/832-652-0x0000000000B80000-0x0000000000BD5000-memory.dmp

memory/832-650-0x0000000000400000-0x0000000000455000-memory.dmp

memory/832-694-0x0000000000B80000-0x0000000000BD5000-memory.dmp

memory/832-691-0x0000000000B80000-0x0000000000BD5000-memory.dmp

memory/2900-962-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Roaming\cglogs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/832-984-0x0000000005EB0000-0x0000000005F05000-memory.dmp

memory/2572-985-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2572-991-0x0000000000230000-0x0000000000285000-memory.dmp

memory/832-990-0x0000000005EB0000-0x0000000005F05000-memory.dmp

memory/2572-989-0x0000000000230000-0x0000000000285000-memory.dmp

memory/2572-993-0x0000000000400000-0x0000000000455000-memory.dmp

memory/832-994-0x0000000000400000-0x0000000000455000-memory.dmp

memory/832-995-0x0000000000B80000-0x0000000000BD5000-memory.dmp

memory/832-996-0x0000000005EB0000-0x0000000005F05000-memory.dmp

memory/832-998-0x0000000000B80000-0x0000000000BD5000-memory.dmp

memory/832-997-0x0000000000B80000-0x0000000000BD5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 09f5a521f156a82d592d7308ddfeb4e4
SHA1 36273f0ee77ee8d96e8bb254af4e2466d232bb2f
SHA256 e11662b34a27e88df795f3d8804da1cd9005af6e732232fbb160ec08c2bb8d58
SHA512 01c623bb7f33550ee5545e6ea5a63325edd81f3d44c211a99935bdb08b3b7caccb9b5dcf9766ac3d76d3834e9d23ea660c60243965dc9ba1d3ecd6afe177131f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 73f7d9356809f8dc0c5d58036f7c4ab1
SHA1 28df5558174d553d75124eef260cc004604ce535
SHA256 f7477b38d239d024b1b0a45820fc6aa641344332e31fe076b700610b24b6d829
SHA512 811090d968b53376ab593f5ce121dd36a15ddc95a093aa6481ed8b4ade97cd13e66141dbf6117165bd626f0ea1b66d4b17d0da9e4cb07357f254b9e9178b184e

memory/832-1032-0x0000000005EB0000-0x0000000005F05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 43fdd7d6cf5aa215764af63d4640d01a
SHA1 1181f6e98db09864d5d784fb013bbb5ec189581b
SHA256 4f19fd141e3ca643b1715be290bdf2f0605e278c3f4ca1146e3a18be4a8850ed
SHA512 5376f9b73c52be4c8429ab839f75d8cfd6a0bb78f4c470d7a9d80b2b024f70920d5c655d3f7d42e51f77e8fbd93d869b4a093030c4bd055139214471bbf2dfe2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 11d3d20590dff1beacdfee139aa0488a
SHA1 60b0e6601d03061595d3e01ef156b5bd15178d7b
SHA256 7ffce3f2bc257773555f5ccaa87d123ea43301420cd8077edcccb7eaec11fbcd
SHA512 feb5c7d76ff65fb7ecbaab47948ea68c0534807a6914c854a2a893ddd1e087789c89c863b7d0af2087920d1f3e7a582e5adf0d3ab997b7fceeb28ac06d34e830

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 de7616a706fdc8d49d1069c639efdb76
SHA1 8005a0b0e4ae0958703b56f6975e22db45743a85
SHA256 759916127e94ae7f5cf83b34893eb9032ff85377eaa4d820832e15fc95bf3dc3
SHA512 83ddd03ccb94153fa6e676b0b775303ce0df72992ec8a816ff09bed62b36b6fe2fdda2a20d141f613cc8f43181359edb80a948cb80c098d8dfa02ab0c8dbaddc

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5283c684ea242ff3375aada12e112eb1
SHA1 c6333d2ca6563edb066f69569580b4f8b2a2701a
SHA256 c539521e7ffa6c933c045f4773d18dc6159b60ebfe0e8d36408519a48b8b3169
SHA512 9f5aa31e48d098887b75ed9d4703e52c27c30bbd945569df4cbeb1af7a73a6bd61044eb4264502883ae41706970dfcd8c93d954e3306ad5744ac512d845ac6e8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7ef8d7817232f7d09812e68363b380c3
SHA1 7668299198d9cbbd029b756f34cf228710a94088
SHA256 4c46608714c8994dd4d20113c97985be3ae156453c66cc3e89fd7d73b046fa5b
SHA512 2d85b5a3bb6539f80111a2df74f0640b1fde376239cbd72ee0b5cff61164cda56e6080c57ea4eba57e5c968511fda0fb67f4fc589971d2162fef89a452bf6044

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 442985aab1436bff4930b1053bbfda2c
SHA1 bb20b49b90f5329a532dd29c24e8d46470643746
SHA256 f496d5048b02300ff1abe9dbc4b1354bf2f7c9591807c2b8c42e57f7bf9d2ae8
SHA512 cf5705a4b15955e0e11905f71f7e653218fd621422582a9b05301497c4b36a8e9585dd408f517f8899fb56c5f7b4de2f39e33b6136af090ec59288c3f647cd06

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 deca2c2eafff708ce181f4dec8d0cf2f
SHA1 0a3e94c6d83ec6ee8693c5cf8d454475817e5cd5
SHA256 46f0cd9a7318328e4b49ef1e247f39352aedc8a2158140cc9bfe2eb8c9b52aed
SHA512 2dd77890ac676a7589702b2d74f23222e6b556d65d14454ab10c42bb834089cd8ffd4bfd71ad5b02db1c66d02a1d8d5bda505391675aff18a8bc4aeeebb84b82

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9d77e64c1e0b11d055a63140104856ca
SHA1 7cfb3cb18f07d4923a3d1856a43bb874117db6e4
SHA256 599b5605e8fa563e45802c6be0209ca8357605b3a7eb3d051ac070941fd43dc2
SHA512 9e0e3c4f9d4ef13b395c1bb07573a0bccd30a299cd90264f3607c500248fcb83f1ff9906edd9c85f957831fa58aa0206fe8dc6aaaab09ac056bf9ebeb4d069fc

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ba7caaf51812b6f1b6e4ab07a2bfddef
SHA1 aefa8a5aa9a026b2d7c3624991d0a72055aa0c89
SHA256 9fb42ff19a3d93d84654d84e76e690f7d89dd4170659c09d66729b8902d2b251
SHA512 cf93c9a457fd138fb7799d4679d482696fbf2e8573ed0cbccc8c42c60c676c0568d2d1feb1855c3e88adc43f3a8fce1a059d304406342c7072a6ef4f95b52322

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7da7e5009ae61d9f4ff1bb5eed051abb
SHA1 c23700470adab32d2600f1764726f64be490aed6
SHA256 500414418e9f23647c81cfc92908392f4f7de4fc9d85b33e8f6f2b01b4c7fddc
SHA512 83a9cb138dc53cbfd4c518c4001bff325b1db152b2f57fea4dea2b06627da30b9176dc763f87d9c8669acc1a3f47e10b91c5dcdf71c8267e50e8488c8170c800

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8c0f364ab85d65048156b1106bc86e56
SHA1 2dc95e0cb143ca0f9defa11e50674b3052af03ff
SHA256 fe91ff6225a3b888fec3c7393b267d44e6a22cc52b99cd4c70657090cb557ecb
SHA512 187701ed12f24c680cf5c2c2f5277a8bd89ced2a4fde455b7141caac869373e17c64e6f1050dcd297b98c53b10a8a3e2437b8673f45e6f194dd7761944f21020

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 dc0a7f38b3698a5d76c2c0497e45e630
SHA1 54958110cbb88b67ee5106ad767e7ee35bff4e7d
SHA256 d5c251742714807a6843df7711baa977e14c1062221234b8fbeb377111ca198e
SHA512 b79bd2f7592284f353fe56359055a2d8012ee15943a6b85ad5680d277514f55b72f5a073a36601e62a24811f08f9e53ca3e915e751cf298295226c14b3f639fa

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 53e1b40551be7343a9455213524d46fd
SHA1 a5c57306db25fd0823205310ba9c32c15ef94014
SHA256 05cd09a56ea5612618ce305e6c090a109558dc0c319b45fb07e05c60d85f6807
SHA512 c65af46568e852c0915dce48a686235d793635c3603b4d2bdce663569611d47b5a6f8e6a2e87601f436564ff2d20aa05e59ff3734924409b774584b152280308

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 af33f2ac4b574cc2c6adf570d4274396
SHA1 2885586fd6b4f17249451cb59b20313ae7b481b5
SHA256 2c9a782dc83b6a323ef9349851bb5fcdff07baa438e62dc9f4f94aaa70c72e9c
SHA512 3e29eabfb872306f946981bd827ea226c7fded5ab704c09a9491a27f57deb4bb65dde5ffbbc8a84cc942e9b8bb7bd5ea942f7c616d4b1778cd0e4dae0e16acf0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ffd8c862a47fbb8f3a130c44f0779878
SHA1 7a17d7aef611ae747e5b5286cefc38aecbb15f64
SHA256 a7f846dcd1e1edf32e213af17d141998f2b8ebace034579000585f62e73fcdf6
SHA512 f3c9ef09cbe759b6173b3a8641969ce8eee2f687b9c00eb936eebc748bae2cebb280d82918f85db009ee255fef99e919897662463f038bf2912b51941cdfc38a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e42f30bd77d5d07e9d1d1939661e6333
SHA1 8343c36d22d7d2dada69e4f9f4d753c91f1b9e71
SHA256 c09d2175e6d593987c1e5904dd194423cd2ad61e358ccdeb28de670a26d8c10d
SHA512 284e0677219e70aa7b53a1a27ee239c13f797f5957b76f6a7f8568de41a43e1f2f899539c189fdc3ab3865db73721c9c495089f2c7f41f4928fa23225531b321

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e3af9a62bdf118d9a89d7aa93d14bf50
SHA1 6761260a9ad7b51768f95f83b74171a71d28532b
SHA256 56be8ea33a2f1e03ecf27782226cd821c0cacb3f8db6399d5ac5b055c3ccbe38
SHA512 87ae9da5735d6f6bfdc2d7cb8105aa85f674c1a9d1bab4fa68d2a32b7c6dbc41515a0196b7c3ac113fb69d5a715e16b1842a37b361f3d2e8a4ec970c1af7cd80