Analysis Overview
SHA256
e5cba6c7c3799af656089ca87949fd6e80cb7b52f1cce0e6c90a74cc4b7b4c9e
Threat Level: Known bad
The file a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Cybergate family
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Executes dropped EXE
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Unsecured Credentials: Credentials In Files
Adds Run key to start application
Drops file in System32 directory
UPX packed file
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-27 16:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 16:38
Reported
2024-11-27 16:41
Platform
win7-20241010-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
CyberGate, Rebhip
Cybergate family
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\WindiwsBackup.exe" | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\WindiwsBackup.exe" | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{27F37038-JMI8-6BFP-03JI-OXT217W6IA34} | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27F37038-JMI8-6BFP-03JI-OXT217W6IA34}\StubPath = "C:\\Windows\\system32\\install\\WindiwsBackup.exe Restart" | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71b20ffa4ed3416197f7e70efa29a321.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\WindiwsBackup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\WindiwsBackup.exe" | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\WindiwsBackup.exe" | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\install\WindiwsBackup.exe | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\WindiwsBackup.exe | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\71b20ffa4ed3416197f7e70efa29a321.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\71b20ffa4ed3416197f7e70efa29a321.exe | "C:\Users\Admin\AppData\Local\Temp\71b20ffa4ed3416197f7e70efa29a321.exe" |
| C:\Program Files\VideoLAN\VLC\vlc.exe | "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\4495f914374547d0855056f7766f1136.mp3" |
| C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe | "C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\SysWOW64\install\WindiwsBackup.exe | "C:\Windows\system32\install\WindiwsBackup.exe" |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x490 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/2104-0-0x000007FEF68AE000-0x000007FEF68AF000-memory.dmp
memory/2104-2-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp
memory/2104-6-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\71b20ffa4ed3416197f7e70efa29a321.exe
| MD5 | ba35670096e51b9db5c4d95243a67e66 |
| SHA1 | f18d230059bc12b16bb06d8efb8d1f1a9de3f603 |
| SHA256 | cc0d1c3ef2daaeb4b4dadedc1c47372c949981016184a1f4af63068b5b31847f |
| SHA512 | e7525da0347a940de43e9e307f51db956e97b91c293ef4e988cc98a0c7daaa8e0919ccfa4f4270a28cb0124759f3366b2d259d0a513d14152c84b57140a16e77 |
C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe
| MD5 | e41d76b1a8151af0156bbd944cd693ee |
| SHA1 | e234bb05e37aac0d6be5db78222487e0706a22eb |
| SHA256 | 1876d3332e2868eaa9ccebb9ba7bfaf46bce3d71a59f79c4920393d3d6d99b21 |
| SHA512 | af504866a69193d03239fd4df19430042e02ad28e7e405a33787ca9fa04db5090b3afc4a56096c5f5c0f63e4428e0f92ba34f5f5bfcaa387989c4d717eec760a |
memory/2104-18-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp
memory/1364-25-0x0000000002210000-0x0000000002211000-memory.dmp
memory/2408-24-0x0000000010410000-0x0000000010475000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4495f914374547d0855056f7766f1136.mp3
| MD5 | 38407d56f81267dc167fce91e7952176 |
| SHA1 | a049533a1cb687e75967ac90e27d9c2267f6ba35 |
| SHA256 | 473b88721778c837e7e53599b99194e9fbd37518f5bb0981f311b86c076f1ca0 |
| SHA512 | 859a2742b24cc364cdeefa8a4234bc716c5d4e916886524a1eea8f1d9273d12409fb8475409fe1fbbb36921d2501de4d0daf78e20ae86f7535d3be0f741b5786 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | ff5344038e2e7dc973a446297d1b762e |
| SHA1 | 77ff1fb0365f6d4dd513da48ce4fb738cf21d342 |
| SHA256 | b8528cbb85c46d65e86a4c229d8ffe5c3c4a84076eb11d00787ffe8083c5753d |
| SHA512 | ce41aef98091f952f6aa915932740a31b57b08a82bd2aad3a5b07fd7414ce0a53fa328b0bf408b4fd8660bc643d969f86432a8b55a0eddf645b9f8d42cd6562b |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 16b32d538f3370669df2e735f4462ccc |
| SHA1 | 4acb6776b091b21100a5c5020545a95d2e04c413 |
| SHA256 | e31ccc2c4e4dfbe43e0422e8702ac3cf906c58b5699bad5b8890a90b4071ffb9 |
| SHA512 | dc5e6faa0309930806875eb433497af62f4a936e6749ea3e3674cd025835502ed4a5b6638d82895936e4e54f265dd13aa6e3796cdd9ae021f341f3c404874c0e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ae0f5f58e08d0d671045cacaae9ecfae |
| SHA1 | dee42fa34edf8183970f8cd27c2ec50bcb854735 |
| SHA256 | a0bd92ba1a6483f88094c5e9bd5e6e8a1c145c538fa0192fdd90a72c42efdf8b |
| SHA512 | 424b46f3bdd50c87ecb9c9ea2461f788a767357443bb31f9e59465c97cc02341e127200f32cd56449fcd7cac802043364e094d8870f4d3a967620256d6be8866 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4312d8c23560aad171346ac3a777e853 |
| SHA1 | da250d85937773fc77d978cc43b79a7dc1cab76c |
| SHA256 | cb9d5d6fbb5c485bf85c6aa32fe33eca6ef6da6e154bf3b101839dd914b049e8 |
| SHA512 | c17e4ae4357116a128d309bc904018bef1a51513e90f62588c2887ad09c9cf265448822be669b204e11ff8a1304b673bdd2ae72272aa08960c27555540fb86e2 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4309875898263ba6f9a6ed0a651d7733 |
| SHA1 | ce98e8c6d72c739d2f0b137e74f72c4667fe9c8c |
| SHA256 | 90f1b1f20a65a14797677eb97f277d1d5fdb5bbf6d18c7fb7e18f49fa2c792b0 |
| SHA512 | 98a79f794ecdc63b95ee8daf2b2b4643282e8ce2adb90418359b89412d7dfd10e99b8e141735383b0c5ebb90b97c5ebeede3e59fbdd63afceee438835332cc35 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f79827b854d34a58846397113e671253 |
| SHA1 | 872cf5544774115a55acb449a5bde81ba5e7a071 |
| SHA256 | a8b04abc394e7fe7998db80537e21bca256d9f33878dcff958b8671eabc169b7 |
| SHA512 | bdf05501660857ef8ae8f8a85fc5a90338cc42d4cfbbb9c0c6de67aa8dd9173f9780de89b849694e3e1ae67e693dc38dc11ce7a1896329beaba8e8dfbc15856a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 8ba705bab2e84b27f71cd5f11e1a10de |
| SHA1 | 3fea8282a7d6a7568de8ba55209dea8c520e5b33 |
| SHA256 | 1258c425b9e057f278380748027cf850e4e05f9f005dfff1d8eabea1c5960f80 |
| SHA512 | 570e75875fcb349e9963c0ea1e87a0101c6dedc06b32a4b8e239756ed9b615345c513d9ba50988f4766fb69b537fcf6a6c6dfa362630e930b3e51e250abfe162 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 553878697c7ba4fc298bd27621855779 |
| SHA1 | ed7f40a344a9f05b1da1c69c2802de14cfa6ea82 |
| SHA256 | 74080cad92f799df643dfe01d9ce81fd6804f7036bf1e2ff98d26ea25e5592c2 |
| SHA512 | a51f873badaf21e45568a66ce1c30830e068581688894ccecefe6497d73c8486765252e15bc52cfd064fab90af266c446a404c46eac0a281d5dfbbab3913ae18 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 8b48eca2cbf8de0a3ad93054747588dc |
| SHA1 | 0b236c85ed61342c0efa5296cc5b57ac95d69009 |
| SHA256 | 3f6a08d2204b1202511316b1efc19792e2b0c9ab3701f5f4799a36689663ee09 |
| SHA512 | 8df419ed68ad982197a0f6f4cc3886c26950f3b40f24e48ef98c27daf50cdceb273f4d7c9287aa765911634a357e3f4fc8182fbd93c4dceed61b6b33a079393a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cfa10e64934818cdbaefc8610c937ea6 |
| SHA1 | 2ced4579be6609252f576e4d4e4b9470c0522f87 |
| SHA256 | 0b6280049043758f0089443e15ac73bdca67d09f0107a5b7fa666bfb066e0c44 |
| SHA512 | e52fd4a4c9cb8920ec6b4d9f917a8afa515839abb29d43cb7887a46ea594240a0719ac0363126031b1ae30ff5ee88eea5ab73cc902620d790ead65528b3e18c2 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f7300bc75cba8dcfdfa07521d184ccc2 |
| SHA1 | f1639322765f320a4d62c1cf79769916d2061742 |
| SHA256 | 49679ee9841b862ad3c0888e0ab51ab3541b6f833252804503164930a19be910 |
| SHA512 | 701549e0e19739951ecd22fef43e3937b88dc24368de67d5e91bfa4ab46fbda221cf7cdd1868b5e6dbfefc43c4cf582db450bcc9fae46ef0d21625e4e377bbb5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d3162f3e28eee8cc943693fa56fed926 |
| SHA1 | 113e1b1718ea9be10bbc191e103fa6324bfa22c6 |
| SHA256 | b56cd6f684473da3ce88c4c74a390aef50518475c7af85aa936fefcd3fb3be32 |
| SHA512 | c697afc8851842857dc0c977597fcc6779822c122b1d066ccd2a537cc1c739aa2dcd51988b3149e5fd2184a7438462f61202b6b6e6a4843da3282a86a5f040e9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5d3d95bcf19401c0597710cc7fa89716 |
| SHA1 | a4714110dd44c8aae1385b1819e52529a856e632 |
| SHA256 | 8c32b68cd1181fbbf2844b799c544e60a7b22b034ac440a92231f1327eb247de |
| SHA512 | c14c79e6635c74506013473ad79943dc5f01f23723df986e5fb24a866d200180772e38108da7afa6660d0daed8202452506165bd97f528e1c7859e2c0a364acb |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fc45dd9c8a5184cf564e37e529c1d934 |
| SHA1 | a1cf2905d8eb6780d7ec4817fac0ecf1957a3fdd |
| SHA256 | d5d57c82d5605f4304a41c6b584f772fa7b63db587793799667232c9a8f25100 |
| SHA512 | b5b62ea71602ef9566b1970d5c8e45b81d5a2c5a985d890c2be68790062e16f6fc55d2a4df9375202ed783f220d45606dcf6a8a9602aa304b1546d99e4265b7a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | bfa700a71615793cea0055ea345b5d93 |
| SHA1 | f2b6af68f702c0b70975cc3e8d70b587819c596c |
| SHA256 | ee07518c993f0d6339c368013fc42f4ce2436642439ebdfa2610c2452ead26aa |
| SHA512 | 9dc82bcc79bfc7b42b0d45a5899c45cd30d57f3b97858dd34242fa12d58aa532cc98d1f7ef640a2e2ae4b914fee077ad0ce8b9bd4a5a0aa78e5116576f3f9645 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4a1356ee60562e823f77e1a9748a7cb6 |
| SHA1 | d0dd5770113846af7e0828d31b5da9280aa9f8a8 |
| SHA256 | be6cf66de9eb52c7b7818a475c0e6f346939601350a6c92ae1c82bd7bab5cb91 |
| SHA512 | adfe8bf3d4d37a13f51095c42847eb5dbcc713c0d8942ab5b75b088b1a41cf6ad5775ca70f92bd9b511ded800a0ac93a74b0fffc3246ddddfa9c4c34f89fb454 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1e5d58e04edddf8a30bb7b52b178a5c5 |
| SHA1 | 87c1a2447e25777c749377fdb8a1c8de8901f44a |
| SHA256 | dda5ac47b85a8b72310f47893a758e8c32510cba661ea08393bfe43624fce64c |
| SHA512 | 2649b37ebfddbad133f2117c0b507506b686bcacc219ef8c0aa4fdd03698c962b3a7fa3b2c5b791308d2e63b7fba21417341804123eda2196a380dac81500c73 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a52c668c5ef122de71e058b763a26d24 |
| SHA1 | 3bbfad89a6cc7bc0e7658d86ca3ef0da6ffe32dd |
| SHA256 | 5bbb1d2537f0d9e289d11a23e64b88fb2c3890ae1bf1dc7f4808655b5b06c9bc |
| SHA512 | 29752e2ce1a304a11b9f6127efa60ecfd74dcaee05e4afce29c33cf30bae681e965d6737f1f91c0567a960d1eed925630b3da320e7da83e0789e4fc1fb4f6929 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-27 16:38
Reported
2024-11-27 16:41
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\WindiwsBackup.exe" | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\WindiwsBackup.exe" | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{27F37038-JMI8-6BFP-03JI-OXT217W6IA34} | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27F37038-JMI8-6BFP-03JI-OXT217W6IA34}\StubPath = "C:\\Windows\\system32\\install\\WindiwsBackup.exe Restart" | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a88d8bf6cca42e3afa16e66b06b738e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\WindiwsBackup.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\WindiwsBackup.exe" | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\WindiwsBackup.exe" | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\install\WindiwsBackup.exe | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\WindiwsBackup.exe | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
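The persistence rows above (behavioral1 and behavioral2 show the same four writes, differing only in the user SID and the randomized dropper name) are worth reading together: every autostart value points at `C:\Windows\system32\install\WindiwsBackup.exe`, but the file the dropper actually creates is under `C:\Windows\SysWOW64\install\`. The dropper writes through the Wow6432Node view, so it is a 32-bit process, and WOW64 file-system redirection turns its `system32` path into `SysWOW64` on disk; a hunt that checks only the literal registry path misses the binary. The Active Setup entry also uses a "GUID" with non-hex characters, which no real component would carry. The script below is an added example, not part of the report or of any tool it names: REPORT_ROWS is copied from the report's own "Set value" and "File created" cells, while the parser, the ATT&CK mapping (T1547.001 for Run/Policies Run keys, T1547.014 for Active Setup), the redirection rule and all function names are this example's own.

```python
"""Classify the autostart entries from the detonation and locate the dropped binary.

Added example, not part of the sandbox report. REPORT_ROWS is copied from the
report's signature tables; the parsing, the technique mapping, the WOW64
path derivation and every function name here are this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed input: (Description, Indicator) cells exactly as the report prints them.
REPORT_ROWS = [
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\WindiwsBackup.exe"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27F37038-JMI8-6BFP-03JI-OXT217W6IA34}\StubPath = "C:\\Windows\\system32\\install\\WindiwsBackup.exe Restart"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\WindiwsBackup.exe"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\WindiwsBackup.exe"'),
    ("File created", r"C:\Windows\SysWOW64\install\WindiwsBackup.exe"),
]

# '<key>\<value name> = "<data>"' as printed; data uses doubled backslashes like a .reg export.
VALUE_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
EXE_RE = re.compile(r"^(?P<exe>.+?\.exe)(?:\s+(?P<args>.*))?$", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Key suffix -> technique label (the ATT&CK sub-technique IDs are this example's mapping).
# Active Setup runs StubPath at logon for every user whose HKCU copy of the component key is missing.
TECHNIQUES = [
    (re.compile(r"\\Policies\\Explorer\\Run$", re.I), "Policies\\Explorer\\Run (T1547.001)"),
    (re.compile(r"\\CurrentVersion\\Run$", re.I), "Run key (T1547.001)"),
    (re.compile(r"\\Active Setup\\Installed Components\\(\{[^\\]+\})$", re.I), "Active Setup StubPath (T1547.014)"),
]


@dataclass
class Finding:
    technique: str
    hive: str
    key: str
    value: str
    exe: str
    args: str
    candidates: list                        # where the exe may really sit on disk
    notes: list = field(default_factory=list)
    confirmed: str = ""                     # candidate matching a "File created" row


def hive_of(key):
    return "HKLM" if key.upper().startswith("\\REGISTRY\\MACHINE\\") else "HKCU"


def on_disk_candidates(path, writer_is_wow64=True):
    """A 32-bit writer naming C:\\Windows\\system32\\... is redirected by WOW64 to
    C:\\Windows\\SysWOW64\\..., so its registry data may describe either location."""
    cands = [path]
    if writer_is_wow64:
        redirected = re.sub(r"^(C:\\Windows\\)system32\\", r"\1SysWOW64\\", path, flags=re.I)
        if redirected != path:
            cands.append(redirected)
    return cands


def classify_rows(rows, writer_is_wow64=True):
    findings = []
    for desc, indicator in rows:
        m = VALUE_RE.match(indicator) if desc.startswith("Set value") else None
        if not m:
            continue
        key, value = m.group("key"), m.group("name")
        data = m.group("data").replace("\\\\", "\\")
        for pat, label in TECHNIQUES:
            km = pat.search(key)
            if not km:
                continue
            em = EXE_RE.match(data)
            exe, args = (em.group("exe"), em.group("args") or "") if em else (data, "")
            f = Finding(label, hive_of(key), key, value, exe, args,
                        on_disk_candidates(exe, writer_is_wow64))
            if "wow6432node" in key.lower():
                f.notes.append("written through the WOW64 registry view: the writer is a 32-bit process")
            if "Active Setup" in label and not GUID_RE.match(km.group(1)):
                f.notes.append(f"malformed GUID {km.group(1)}: contains non-hex characters")
            findings.append(f)
            break
    return findings


def confirm_on_disk(findings, created_files):
    """Mark the candidate path that a 'File created' row proves exists."""
    created = {p.lower() for p in created_files}
    for f in findings:
        f.confirmed = next((c for c in f.candidates if c.lower() in created), "")
    return findings


def analyse(rows=REPORT_ROWS, writer_is_wow64=True):
    created = [ind for desc, ind in rows if desc == "File created"]
    return confirm_on_disk(classify_rows(rows, writer_is_wow64), created)


if __name__ == "__main__":
    for f in analyse():
        print(f"{f.technique:36} {f.hive}\\...\\{f.value}  {f.exe} {f.args}".rstrip())
        print(f"    on disk: {f.confirmed or 'not created in this run'}")
        for n in f.notes:
            print("    note:", n)
```

Run with `writer_is_wow64=False` and none of the four entries resolves to the created file, which is exactly the blind spot a literal-path hunt has on this sample. The report does not reboot the machine, so the `WindiwsBackup.exe` process it lists was started by the dropper itself, not by any of these autostart entries; whether they fire on a real 64-bit host depends on whether the launching process is subject to the same redirection, so a host check should look for the binary under both `system32\install` and `SysWOW64\install`.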
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\install\WindiwsBackup.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1a88d8bf6cca42e3afa16e66b06b738e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\install\WindiwsBackup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\1a88d8bf6cca42e3afa16e66b06b738e.exe | "C:\Users\Admin\AppData\Local\Temp\1a88d8bf6cca42e3afa16e66b06b738e.exe" |
| C:\Program Files\VideoLAN\VLC\vlc.exe | "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\e4657175d7d74e2186ed653b66ded75b.mp3" |
| C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe | "C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x41c 0x2f8 |
| C:\Windows\SysWOW64\install\WindiwsBackup.exe | "C:\Windows\system32\install\WindiwsBackup.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3980 -ip 3980 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 580 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.208.201.84.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/3700-0-0x00007FF803275000-0x00007FF803276000-memory.dmp
memory/3700-1-0x000000001C4F0000-0x000000001C596000-memory.dmp
memory/3700-2-0x00007FF802FC0000-0x00007FF803961000-memory.dmp
memory/3700-4-0x00007FF802FC0000-0x00007FF803961000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1a88d8bf6cca42e3afa16e66b06b738e.exe
| MD5 | ba35670096e51b9db5c4d95243a67e66 |
| SHA1 | f18d230059bc12b16bb06d8efb8d1f1a9de3f603 |
| SHA256 | cc0d1c3ef2daaeb4b4dadedc1c47372c949981016184a1f4af63068b5b31847f |
| SHA512 | e7525da0347a940de43e9e307f51db956e97b91c293ef4e988cc98a0c7daaa8e0919ccfa4f4270a28cb0124759f3366b2d259d0a513d14152c84b57140a16e77 |
C:\Users\Admin\AppData\Local\Temp\e4657175d7d74e2186ed653b66ded75b.mp3
| MD5 | 38407d56f81267dc167fce91e7952176 |
| SHA1 | a049533a1cb687e75967ac90e27d9c2267f6ba35 |
| SHA256 | 473b88721778c837e7e53599b99194e9fbd37518f5bb0981f311b86c076f1ca0 |
| SHA512 | 859a2742b24cc364cdeefa8a4234bc716c5d4e916886524a1eea8f1d9273d12409fb8475409fe1fbbb36921d2501de4d0daf78e20ae86f7535d3be0f741b5786 |
C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe
| MD5 | e41d76b1a8151af0156bbd944cd693ee |
| SHA1 | e234bb05e37aac0d6be5db78222487e0706a22eb |
| SHA256 | 1876d3332e2868eaa9ccebb9ba7bfaf46bce3d71a59f79c4920393d3d6d99b21 |
| SHA512 | af504866a69193d03239fd4df19430042e02ad28e7e405a33787ca9fa04db5090b3afc4a56096c5f5c0f63e4428e0f92ba34f5f5bfcaa387989c4d717eec760a |
memory/3700-28-0x00007FF802FC0000-0x00007FF803961000-memory.dmp
memory/4260-32-0x0000000010410000-0x0000000010475000-memory.dmp
memory/4940-38-0x00000000012E0000-0x00000000012E1000-memory.dmp
memory/4940-37-0x0000000001220000-0x0000000001221000-memory.dmp
memory/4260-36-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/4940-101-0x0000000003DC0000-0x0000000003DC1000-memory.dmp
memory/4260-99-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 380c607e23b913134389fde5238a67bf |
| SHA1 | d79d87ee73feee2a60811f14c1f84010d79cce4e |
| SHA256 | dd10200a2db0967429f259a0ea519c4a852e5e87a9d53d425f9db594c9c87fed |
| SHA512 | 1badb3fc7648b0cafad04d3c3ccd70d87faa999f0d3f0e03b59cdece1e5d72184b6ad837b8118d61ab462d61d4eb410ed43fcafa228a554efde80cc6a7db45b6 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 66216b1fe4e3b958fdd80d1b90040682 |
| SHA1 | e48f8b875a1256f0c620da0f24c67acdd34f67f1 |
| SHA256 | dd31da3f1d7ea81a8d07ca2c5a5a1a57fbe62ad385b1fca2ea230860fdee064a |
| SHA512 | 9d3647f05533b4af027a53042b0e8a831fa225c0d36057b0f46aea3067e87c993bfb22296de2b4df97bbfaa27b3e4186379371bed1724506a5a1a3868e7414f6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9c9f13d2eb0b9aa515020a266f50ab84 |
| SHA1 | 0da726f7d7607c68801ab9ed754da341706129bf |
| SHA256 | 2d51b44319ce89ad74d0612e5ec9cda4487b7e0f08a3194d19f07c3011f4624b |
| SHA512 | 19a7a11ed7ff5911c4c5c643a3b6e61134b4b0e4ea8f6023d14842e34ec72b071d959c25cf0b26565efc986402373c7ee9bfcf674df96d15431dd2e00e3cc1c5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 045ab487de8ef86e938d44d997d8f051 |
| SHA1 | 623e4dcf0292292acfb7acb41d05382a77004144 |
| SHA256 | 3edcf7793fc051c0e8003122ccacb0186f85b8ed722bcd7918944d44a790ebfd |
| SHA512 | cb2a56ddb74dac7fa02330b18bab62807c6144423fb8559cd591ebfd718dc63f07ee798da23d08c0db81992e83ef29c5fd69ed14fb00510f720d45ec7db9ad52 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 16b32d538f3370669df2e735f4462ccc |
| SHA1 | 4acb6776b091b21100a5c5020545a95d2e04c413 |
| SHA256 | e31ccc2c4e4dfbe43e0422e8702ac3cf906c58b5699bad5b8890a90b4071ffb9 |
| SHA512 | dc5e6faa0309930806875eb433497af62f4a936e6749ea3e3674cd025835502ed4a5b6638d82895936e4e54f265dd13aa6e3796cdd9ae021f341f3c404874c0e |
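Reading the Files sections of both runs side by side shows which indicators survive a re-detonation: the two dropped executables and the decoy mp3 get a fresh 32-hex-character name every run (`71b20ffa...exe` in behavioral1 is `1a88d8bf...exe` in behavioral2) but keep identical MD5/SHA1/SHA256/SHA512 values, while `Admin2.txt` and `Admin7` keep their names and change content, which is what collected data looks like. The script below is an added example, not part of the report: REPORT_FILES is a constructed excerpt of the report's own file paths and SHA256 rows, and the parser, the grouping and the hunt-basis rule are this example's own.

```python
"""Correlate dropped-file indicators across the two detonations.

Added example, not part of the sandbox report. REPORT_FILES is a constructed
excerpt of the report's Files sections (path lines and SHA256 rows only);
parse_files, correlate and hunt_plan are this example's own.
"""
import re
from collections import defaultdict
from ntpath import basename

REPORT_FILES = {
    "behavioral1": r"""
memory/2104-0-0x000007FEF68AE000-0x000007FEF68AF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\71b20ffa4ed3416197f7e70efa29a321.exe
| MD5 | ba35670096e51b9db5c4d95243a67e66 |
| SHA256 | cc0d1c3ef2daaeb4b4dadedc1c47372c949981016184a1f4af63068b5b31847f |
C:\Users\Admin\AppData\Local\Temp\330952af9c144001ba05a4cc50918295.exe
| SHA256 | 1876d3332e2868eaa9ccebb9ba7bfaf46bce3d71a59f79c4920393d3d6d99b21 |
C:\Users\Admin\AppData\Local\Temp\4495f914374547d0855056f7766f1136.mp3
| SHA256 | 473b88721778c837e7e53599b99194e9fbd37518f5bb0981f311b86c076f1ca0 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| SHA256 | b8528cbb85c46d65e86a4c229d8ffe5c3c4a84076eb11d00787ffe8083c5753d |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| SHA256 | e31ccc2c4e4dfbe43e0422e8702ac3cf906c58b5699bad5b8890a90b4071ffb9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| SHA256 | a0bd92ba1a6483f88094c5e9bd5e6e8a1c145c538fa0192fdd90a72c42efdf8b |
""",
    "behavioral2": r"""
C:\Users\Admin\AppData\Local\Temp\1a88d8bf6cca42e3afa16e66b06b738e.exe
| SHA256 | cc0d1c3ef2daaeb4b4dadedc1c47372c949981016184a1f4af63068b5b31847f |
C:\Users\Admin\AppData\Local\Temp\e4657175d7d74e2186ed653b66ded75b.mp3
| SHA256 | 473b88721778c837e7e53599b99194e9fbd37518f5bb0981f311b86c076f1ca0 |
C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe
| SHA256 | 1876d3332e2868eaa9ccebb9ba7bfaf46bce3d71a59f79c4920393d3d6d99b21 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| SHA256 | dd10200a2db0967429f259a0ea519c4a852e5e87a9d53d425f9db594c9c87fed |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| SHA256 | e31ccc2c4e4dfbe43e0422e8702ac3cf906c58b5699bad5b8890a90b4071ffb9 |
""",
}

# The report names dropped PE/media files with 32 hex characters plus an extension.
RANDOM_NAME = re.compile(r"^[0-9a-f]{32}\.[a-z0-9]+$", re.I)


def parse_files(text):
    """Return (path, sha256) pairs: a path line followed by its hash rows; memory dumps are skipped."""
    path, out = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if path and len(cells) == 2 and cells[0].upper() == "SHA256":
                out.append((path, cells[1].lower()))
        elif not line.startswith("memory/"):
            path = line
    return out


def correlate(report_files):
    """Group every file by content hash, recording the names, paths and runs it appeared under."""
    groups = defaultdict(lambda: {"names": set(), "paths": set(), "runs": set()})
    for run, text in report_files.items():
        for path, sha in parse_files(text):
            g = groups[sha]
            g["names"].add(basename(path))
            g["paths"].add(path)
            g["runs"].add(run)
    return dict(groups)


def hunt_plan(groups):
    """Pick the durable indicator per hash: 'hash' when the name is randomized,
    'path' when the same name carries different content, else 'hash_or_path'."""
    by_name = defaultdict(set)
    for sha, g in groups.items():
        for n in g["names"]:
            by_name[n].add(sha)
    plan = {}
    for sha, g in groups.items():
        names_vary = len(g["names"]) > 1 or any(RANDOM_NAME.match(n) for n in g["names"])
        content_varies = any(len(by_name[n]) > 1 for n in g["names"])
        plan[sha] = "hash" if names_vary else ("path" if content_varies else "hash_or_path")
    return plan


if __name__ == "__main__":
    groups = correlate(REPORT_FILES)
    plan = hunt_plan(groups)
    for sha, g in sorted(groups.items(), key=lambda kv: -len(kv[1]["runs"])):
        print(f"{sha[:16]}...  runs={sorted(g['runs'])}  names={sorted(g['names'])}  hunt by: {plan[sha]}")
```

The practical reading: block or hunt the three content-stable artifacts (`cc0d1c3e...`, `1876d333...`, `473b8872...`) by hash, since their file names will not repeat on another victim, and hunt the staging files by their fixed paths under `%LOCALAPPDATA%\Temp` and `%APPDATA%`, since their contents are whatever the implant collected on that host.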