Malware Analysis Report

2025-01-02 12:25

Sample ID: 241127-af59xatkfn
Target: a4dcd5ea254149470d264480eef8667c_JaffaCakes118
SHA256: c0944b41d8898a4f33ce2164ecfe8aae30a4b4348320f740432d4cee727a7a63
Tags: cybergate cyber discovery persistence stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: c0944b41d8898a4f33ce2164ecfe8aae30a4b4348320f740432d4cee727a7a63

Threat Level: Known bad

The file a4dcd5ea254149470d264480eef8667c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate cyber discovery persistence stealer trojan upx

Cybergate family

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-27 00:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-27 00:10
Reported: 2024-11-27 00:12
Platform: win7-20241023-en
Max time kernel: 149s
Max time network: 150s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Cybergate family

cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBVI211C-C2LV-OQ72-S55V-A2PEPS5HO0UL} | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBVI211C-C2LV-OQ72-S55V-A2PEPS5HO0UL}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBVI211C-C2LV-OQ72-S55V-A2PEPS5HO0UL} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBVI211C-C2LV-OQ72-S55V-A2PEPS5HO0UL}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\install\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCL = "C:\\Windows\\system32\\install\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\install\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\install\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\install\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\install\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\install\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1736 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
PID 1028 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | C:\Windows\Explorer.EXE

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe"
C:\Windows\SysWOW64\install\svchost.exe | "C:\Windows\system32\install\svchost.exe"
C:\Windows\SysWOW64\install\svchost.exe | C:\Windows\SysWOW64\install\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.server.com | udp
US | 52.8.126.80:80 | www.server.com | tcp

Files

memory/1028-2-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1028-4-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1028-5-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1028-6-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1212-10-0x0000000002130000-0x0000000002131000-memory.dmp

memory/1028-9-0x0000000010410000-0x0000000010471000-memory.dmp

memory/1036-253-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1036-265-0x0000000000120000-0x0000000000121000-memory.dmp

memory/1028-535-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1036-536-0x0000000010480000-0x00000000104E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 651b6c5ddb0a5e00c814af40736c84a3
SHA1 ddfbef6aa01bb2abc9fe118243408fecc6803848
SHA256 469d00967eecd1061ea9dc9ad40a69d77cedb73cb6c6599302aca5a2545f79ea
SHA512 7cb62797b6bdfdecedd0f2d0ad7490e9e4023099bf5f830715bbc59933f3f93a08183e31f37fdedfe236deabe1bc7a07d9166175ffa4206226a5e82dee58d50c

C:\Windows\SysWOW64\install\svchost.exe

MD5 a4dcd5ea254149470d264480eef8667c
SHA1 e1f5b49586b94a0178ed07239df057c417062149
SHA256 c0944b41d8898a4f33ce2164ecfe8aae30a4b4348320f740432d4cee727a7a63
SHA512 80f8557b192fd3574c74ae69ece48c0a8cabda92459e965882d85d0c5e44772c35bb0568e7ffc64ac7579cf1ddf9b1504e72dc66627ef472aa13eb1564f95f96

memory/1028-867-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1616-869-0x0000000010560000-0x00000000105C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\cglogs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/2528-894-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2528-899-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1036-900-0x0000000010480000-0x00000000104E1000-memory.dmp

memory/1616-901-0x0000000010560000-0x00000000105C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 55bab4e26bc0f69a07f24fb5ffa16f37
SHA1 ada482a5231c533e4b14ef730deef2d280d26323
SHA256 e39c16b6e2a4b5f6efbc2053eb6b1668430340d6d3d9042c0c35789d1753a0b4
SHA512 40356b07921bc7b9bb4676eae466016689bdf3206f8c911e3c1029d74c616029ecee20430ba5c433c1ee99336b7a687bdaf5fea89057925285a1437372dc9af6

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 00:10

Reported

2024-11-27 00:12

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Cybergate family

cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBVI211C-C2LV-OQ72-S55V-A2PEPS5HO0UL} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBVI211C-C2LV-OQ72-S55V-A2PEPS5HO0UL}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBVI211C-C2LV-OQ72-S55V-A2PEPS5HO0UL} C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBVI211C-C2LV-OQ72-S55V-A2PEPS5HO0UL}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCL = "C:\\Windows\\system32\\install\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\svchost.exe C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\svchost.exe C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\install\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\install\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
PID 5020 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\svchost.exe

"C:\Windows\system32\install\svchost.exe"

C:\Windows\SysWOW64\install\svchost.exe

C:\Windows\SysWOW64\install\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files
