cybergate | bb01e0ace5c29f4e0cbb87bc8bc811f4e7f1c29c6c536e808e4a0195c4f3a462

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Size

356KB
MD5

9ace6d318d293d674a49c23d9bea31b3
SHA1

99e5e5ce1e60293cfc93487ca76193bcac15df51
SHA256

bb01e0ace5c29f4e0cbb87bc8bc811f4e7f1c29c6c536e808e4a0195c4f3a462
SHA512

b212896cb1e9a4f6c3037de59a9e85f101782136a9cebde47074d9c8987a35e38c243044bf898e5c68846067617128b18de285266b5a8b8e794c7c7275c07cf0
SSDEEP

6144:JxMGCdSbogezNxH21hXZcZuIvqwFLk7dqK1iPnScxBwQ9nHHtjaH8ELA:JKsoguxuXZcw4+7JkPntXwQ9ntjaH84

Score

10^/10

cybergate x-01svu-x discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

X-01SVU-X

cobramods.no-ip.biz:82

Mutex

U8KI21EOD6D8VK

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
c\windows\system32
install_file
winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\c\\windows\\system32\\winlogon.exe"	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\c\\windows\\system32\\winlogon.exe"	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GLR524V1-M33Y-582U-5500-R006S057FCEW}	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GLR524V1-M33Y-582U-5500-R006S057FCEW}\StubPath = "C:\\c\\windows\\system32\\winlogon.exe Restart"	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GLR524V1-M33Y-582U-5500-R006S057FCEW}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GLR524V1-M33Y-582U-5500-R006S057FCEW}\StubPath = "C:\\c\\windows\\system32\\winlogon.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4188	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4980	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\c\\windows\\system32\\winlogon.exe"	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\c\\windows\\system32\\winlogon.exe"	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4596 set thread context of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3596-15-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3596-78-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2068-83-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4188-151-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/2068-174-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4188-175-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4188	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Token: SeBackupPrivilege	2068	explorer.exe
Token: SeRestorePrivilege	2068	explorer.exe
Token: SeBackupPrivilege	4188	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Token: SeRestorePrivilege	4188	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Token: SeDebugPrivilege	4188	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
Token: SeDebugPrivilege	4188	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4980	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 4596 wrote to memory of 3596	4596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	85
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56
PID 3596 wrote to memory of 3452	3596	9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Roaming\9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
    C:\Users\Admin\AppData\Roaming\9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2068
  - - C:\Users\Admin\AppData\Roaming\9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Roaming\9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4188
    - - C:\c\windows\system32\winlogon.exe
        
        "C:\c\windows\system32\winlogon.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
f955b1a6d99162bf6480e216dce4c7a5

SHA1
945b59853dba0fcfa66fae71456c7d32566165bb

SHA256
eae82b3459c0b9c7f3a82acaf348b370aa5038c8a8963195faa37f003611224e

SHA512
d1629fdb07a359924d83d0b509787eaeb03255653317f96af4d93624de3eecef79b958393d0272837a6f678d13eb1af878158f0ac2293064c9f5de3c8cda72b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2b31a1df94e4f8fe529a66a555b041bb

SHA1
1ef772159ca5b701c5a1bd06c9ae00fe815a8bc7

SHA256
ad70d1570cd6665414b11e991337645f62bbf51a7c4ff551692f7efd1ebb9b10

SHA512
74eee54d68bd4f0d7d57e9fab44fd8ac7ed3dfbbcfaa8cc61df58780f73d81bf8bd6a102ff1c75808a5ac74305a2a6d2fe1b064e8513e6dffaceedb254751b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
da797926539c2f5132da72b43e77790b

SHA1
cd7f074020938365a24b0e8142964ddb28870650

SHA256
ac939ef27eb5c34ebbbd494cd80df3fd0d35f63c4fc4148e71e821bde1529700

SHA512
d61161048100fc70a676828c0eeef21344ae8395fc3d39962623b21a7cf7c8af3b79977c9ae371efe534b151dd772f924416c3e1637016e0ced10d203e04be4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5f4934c1d23cf560a84883943d469ba6

SHA1
6ce1e28399fd227c0a9f46836093574fa3e67d65

SHA256
a5b41846835b7a8c89815e019c82eac7907a817616427199a2a47752b4b59e5d

SHA512
2f4db39f238ac28197cd2c7b0d207d2ff60131faa829d518d8c2ec7254d580e535bb65fde1909dfde30b608ffba8ae1c66d2d23b55cc5008482a9e653b520841

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0f6b3b46d19955c52186483f94294d03

SHA1
e514e87c4e88f762d3582fc77b99a57e353d88d1

SHA256
88b379837078bace4bcfe91095eb534029aae3d574f7bb5456a193b1b9ab2978

SHA512
e996967926ece6060fe2ff768886c7e85fa3b3da2502a3fd5c7fdea67ca270165a2d48bece23e35496c8cb0714268193a016f53947124cd5e313e42725b75ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
daf06e71e7b950b30d387a684648c296

SHA1
f8640041e39a67b54818dae4eb18305bd27ca528

SHA256
8b61ea17ac041f9c5552408290465afaf075166b1bbeeeaa49466a06a686398f

SHA512
3bb58c15ee9752d5657cdbc18f4634e08452364161c6729fa89f7443b97e31c3f8003e287fb5360d0c9dde5e7913556711ea131953dbfee30a165a0c5ea8a08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2038e43b4e0ce4ba0961e68789cf53af

SHA1
3fa2b05e42ec77e793a458ee05ca91c7bffae2cc

SHA256
54c0f73e9d844cc3be08647441a4d883a3acd0d20f554977657915ccd7e1b46c

SHA512
6e2aef5d3464c94dc5b490244c9a94f84954dc35ddfdd84c2a26279882175e5b59be803b46404cf206fd8b334332dd92e67f001aa204689a276a07ecbe803d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e6629ef8f0e146291aadedc19cb08594

SHA1
8279d75c29195aa487e77182f2252dd6174b7182

SHA256
3d280f696c676d3851ddc5f2041eed3728590e7d2307df84a1acbd1a673eba00

SHA512
3dfd75653de2e465eafd4e3c28a44d815881240cba3f318d1f325db7861e682c00404627d9ac6c7748aaa9f8c4f9ff8df525e9086035404447cd86e38313bcfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8c9ff82d483a7be90dcd20228fde6481

SHA1
4e0c4f8551251177460e7ed4ec462da89b2dd730

SHA256
f0f3b7b941af1460748ce5e82299143c91c125d8c51f6685f64ecdb6ddada318

SHA512
9b6c935d8d5fb072ef25a6716bcc9543d60fca30c38361fae023ee66ddfc9e81f9a698754cdbbeaf50652f4d5ec771ef77add7e3db34c9f4bdad103f6f58ffd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0ad81bbb9e95aa66bb0adfa215e66a4f

SHA1
226557d96ddb3ad66dc58cb26eca64c42f17f7cd

SHA256
05d2e6e4444199ded384fb9f8f25d846d66daf823dfd521e8eab3a18f6272fd7

SHA512
887d1ba8d75e29168a9f8ff8b39714ccdb2ffb8641c6ca17268f088fb7df8a122c2a5685ff5efd970f3aefe325a71008a0b2005dd8ba4f93b27b21bee4c564b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fc25319c3cc3d86a2c7631ff43f78c9f

SHA1
0071001959fcd95bfe3d16173beb6fbac8862b32

SHA256
37eabda570a94703d8d6d68370ea9916d9d332cc2b52f65b29f4722ce6bf1371

SHA512
c21ee9c292be07a5b84f6440df552cc8439bfaad09952417a61e620e57a650cebf82c748e12bef9abe47d80c5815470faf05d046e8e656d66c46d0184178ae62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bb2d2e7d2dc154e84d1e9fce338e221c

SHA1
d45e3cda5bcb7d6453a49c2423b448b39dcea3c1

SHA256
287b0711aedca89c71707ee3f89b3e1d9561a93878faa610785f6b832eee61a0

SHA512
028d1497fff9643689d6797d4161e57b6b15e9259ba2fd7e16b43445af68d2f0f9fdcde07ab6e1813b301247840d08a96252e077f0ff0580c7b9d0e7ba2c4e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8087810c3265e1b3a0d6ce3f2a04e456

SHA1
1080f75b3ef5327f423e37cc1a1a0af5a2a996e1

SHA256
60d84a1a0c301542f5e052002f8ff673b80023ed5b0598c9b78a13e286c2337b

SHA512
91b96d32648b27aa422b917f20148b44eb369b9e4526f139978bc5ce22ebdb8b01e0c83b4dc821a497a59dd509a810ee8b611ae79394ae766a0999d386a1886c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0116d27628e9ed14f4adebce79e31a35

SHA1
b09638025b5bcc505bd632f549ffc42f80fdc6d0

SHA256
da97e93def3444c44404ac4ce6c266d7e20602c8c7df971e46a10ae43107e45d

SHA512
4d552ea55e24c8f05151245a286b8a5f9da09a5dc69420261d85cbc48f9b6a1997b26bd1680546c9844064f2d00c7030b3b7f47bf89070eb888f44df15adcbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
254d51f7b5ab6140307733a2bbacc474

SHA1
4deae2fcf939bae1e297f84f97c70616eb46238e

SHA256
94ffab52b3f2513f52e71d48f40f99c2bb3552eb31e36af9ac697b46ab9d981f

SHA512
9a90e5b89e8a8b3370ffb1550002d7c01c4d4f20585254f7a857738f433b3c96208e9509991f2cb0d7ece35740776fb70ee48beeeac58886cad5373ade6c47e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
030abb735e0309f2a434b6a05e822296

SHA1
d930450e3c9877f3fc941aea9b69d67c077462d9

SHA256
94a7d3d016037a59bd7630e1236d3fb49ea176539f07ef0c86d9589867e31654

SHA512
281b635843a8efbaf37f8287b627c71de134dc07f05cfc5a3ef03d380ed66102df4de747aa027640e65a643ff2f0693874633ae5022ebe9a88045c1a8afd808b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
22e72fa873b3921460718fe4e6f9598d

SHA1
9e7735e9f38dd10c98b21c3c783b886ef9f6bd81

SHA256
16b2b252374bb86b4d5be87d13b29d71026b9d0a6566956e05de64db81a07fe5

SHA512
536169dc45b4cb5b4cdc3e315be5ca16a03940386221f5394bfa14324e9b4589dc224cebd874c46273c12f6c99a175402ed275571b3c179ff9188ed5037a1030

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a3e0b40dcef13cb4bcec581c532b73d7

SHA1
3024f390da2ab39b01952ec6e82f67928317c2f5

SHA256
ad7a1d50df7a5b4b0f64fb2cef1eb697085efb7c7b5f3bd3d74b1b94cd0dea8e

SHA512
e926299ed5a01133fde6c850cf4ccc099163530bcc78a14942a7126ada4fb49766aa86257ed2c3c7d530a7553b6970340c134ee6e2c3435d93d3edb39e883d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0b4aad5c6b91b5b803e42a142a0ca1b5

SHA1
49c6545d85ef3c60cc6a6e66882b717d46f60340

SHA256
40c69b1b3ba801e2843368f31f0599052ea652182c961bb015b26c87b6e409f9

SHA512
65bc8393ee5fa98374587fbb283db0aa35bb24f8dc9da01011b6a587b4bc00892da4e14488fb5c6959490481308e5b07b613dcbeddfa876202438e1362ac1f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4c6bd8980818490712b13a0348341c79

SHA1
de6bd5e9c97d91977ba915391ec905bdd742e0aa

SHA256
93d67c053c53d06d033e5c3e7f95044b2d6eb1a48f64ae07b78838e0153b10f7

SHA512
36ddc6ab734c58d0f5511d4f48c3cc680439dd1e8aae0cbfd6433cf62b8e4cb525672a5c8bb5961443d29a24af3cd8b003768886ae37879422f99bfde48cd1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
51f667b4f1f85d500805dc3f0bd36a7d

SHA1
701e0c18ea039de7c405a963b7176f5cab63989d

SHA256
d35b74df1b6115dd5fc82b308a4642fbcfcdd94bc263f2c36bce28ae18fa99e7

SHA512
040884f880b95bb7ef98df27b75ac8cf65ef4781786a02ad2586f3400a1b11d115d9f6ca44e6200cb4a245b3d5993c47f8748364f6fbf0c49a2601bfcc08fe5a

Download Submit
C:\Users\Admin\AppData\Roaming\9ace6d318d293d674a49c23d9bea31b3_JaffaCakes118.exe

Filesize
16KB

MD5
c66f69b234fb0bcd09a15654c8b4d01d

SHA1
2018b3663b6844632a0a49fcd272a500f029770c

SHA256
952f10539fdbc54d4d1da05558c2a6cc491604d2c46e586441cbc4682bdc2bdb

SHA512
5ef4eed281811f38c4508e141212468d34df7362d6cc08e3ae87d5f0d1f6cdb44c72b2f5bbccd720e4f8f02bf6d65ddc493bcc3e8642c8fdbe8017450e548f72

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/2068-83-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2068-174-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2068-19-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2068-20-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3596-10-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3596-11-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3596-9-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3596-78-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3596-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3596-92-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3596-15-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3596-153-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4188-175-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/4188-151-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/4596-0-0x00000000750F2000-0x00000000750F3000-memory.dmp

Filesize
4KB

Download
memory/4596-30-0x00000000750F2000-0x00000000750F3000-memory.dmp

Filesize
4KB

Download
memory/4596-36-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-41-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-2-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-1-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download