Malware Analysis Report

2025-01-02 12:26

Sample ID 241125-tjs9asvlds
Target 9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118
SHA256 b217b5ea2241fd7e935b1338c125dbb065d3aa4fcc8dbea51caf8d21f03ffe9a
Tags
cybergate cyber discovery persistence stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

b217b5ea2241fd7e935b1338c125dbb065d3aa4fcc8dbea51caf8d21f03ffe9a

Threat Level: Known bad

The file 9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate cyber discovery persistence stealer trojan upx

CyberGate, Rebhip

Cybergate family

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 16:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 16:05

Reported

2024-11-25 16:08

Platform

win7-20240903-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Cybergate family

cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O1CKK13E-7660-NSV2-Y1Y2-0357YD1AP17N} C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O1CKK13E-7660-NSV2-Y1Y2-0357YD1AP17N}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\directory\CyberGate\install\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 268 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 268 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe
PID 2060 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe

"C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\directory\CyberGate\install\server.exe

"C:\directory\CyberGate\install\server.exe"

C:\directory\CyberGate\install\server.exe

"C:\directory\CyberGate\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\server.exe

C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

C:\Users\Admin\AppData\Roaming\Adminlog.dat

C:\Users\Admin\AppData\Local\Temp\Admin7 (reported 20 times, each entry with differing hashes)

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 16:05

Reported

2024-11-25 16:08

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Cybergate family

cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O1CKK13E-7660-NSV2-Y1Y2-0357YD1AP17N} C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O1CKK13E-7660-NSV2-Y1Y2-0357YD1AP17N}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\directory\CyberGate\install\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 452 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 452 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe
PID 4424 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe

"C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\directory\CyberGate\install\server.exe

"C:\directory\CyberGate\install\server.exe"

C:\directory\CyberGate\install\server.exe

"C:\directory\CyberGate\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4492 -ip 4492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 368 -ip 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 592

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp

Files

memory/452-0-0x00007FFFD72A5000-0x00007FFFD72A6000-memory.dmp

memory/452-1-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp

memory/452-2-0x000000001B730000-0x000000001B7D6000-memory.dmp

memory/452-4-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 b4c2453ec83037d2cb018903469ae3d2
SHA1 f7a0d3dc15fdfb932ec252ab68a86e59f32e5f01
SHA256 c65bd349584d41d031e0177a9ce6ae77457c5513dbeb281358c3ac5509202bfe
SHA512 911264c770ad94468c6e652b4dacdc2c9a040697cf1e5b7a743e6588c834365be53fbc9881cd95ceaebb3290a2527ab60e7837bcfd4a6475f5f59e0c053ac7aa

memory/4424-11-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe

MD5 105e2de7ff993e325b0afbc8bd9085a7
SHA1 ee9eb98832870352141c680934ea3caa98dce6a3
SHA256 8d01394f944bc4b98cab4623ed4a0beaa2d70bf781c15f1db61c89e1b12bd16c
SHA512 eb4042aaa98831ca32738029ecb3885b07255a23f6738cdc32583a1770a4e375c314c133abc7b3946f9e93b4cf747b7c32bc30b962222758000ca881d78772f0

memory/1260-24-0x0000000000400000-0x000000000049F000-memory.dmp

memory/452-26-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp

memory/1260-27-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/4424-30-0x0000000010410000-0x0000000010475000-memory.dmp

memory/4872-36-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/4424-34-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/4872-38-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4872-35-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/4424-94-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/4872-98-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 8036fb4553ba25098196cc66f530bda3
SHA1 aed57d29093099db4e42766b72190a5d0aca8eeb
SHA256 0069f112b5a0c7ef77275e1c965873e993359e47676ef1db053b96c5c346bbdf
SHA512 05d610ee1089c77c39d24111fb724e5de7e6733cace00d6ecc2dd6110ee4e0a12e4197179f92b423159f4415352a4855d319674be7e9e9471dede4e3ded526c6

memory/4424-122-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1260-123-0x0000000000400000-0x000000000049F000-memory.dmp

memory/1260-124-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/368-126-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4872-127-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/4492-129-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 67de8b393f82783ab52e2aa089b49a02
SHA1 268e1d399a4bb97dca01d3caeaa241824a14bc59
SHA256 d8180698a61f6c255adc4e84aed9ca3376b2594c65dcd6d5a9a4a9f878d11670
SHA512 c88dc37a018ba0948c929d6fae1ee00fe37d2bf3754d993122a4cfcd0161b3b9813dd53a689290359b9115e11baf18be1f7a292d433bbaeedc5e7ac541ddda97

memory/4492-190-0x0000000000400000-0x0000000000458000-memory.dmp