cybergate | 3dbda00f0c64f9536a9af02754a0ffe506390450e4ac9ec3a88c8810558b21ad

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Size

780KB
MD5

ade892aa505efca90e9619d379a60d1c
SHA1

c4172c36e132f5520260c7ddd7c067bb0fa647c0
SHA256

3dbda00f0c64f9536a9af02754a0ffe506390450e4ac9ec3a88c8810558b21ad
SHA512

693322877d46e15df0a7f3c7bec5290471770a8cea0da63f8a525e672779cfdcf81e0c8b194c7896918df7d07f11c1bd8e52d49c64ceb94582511b302159ca11
SSDEEP

12288:GdlOOwjvfUj1GqjcYUJtP/QOng33UzsBWxbtRXEXmbj6DSUeBr:GdlOOwjvfY1jXUJt/tn9zjp5E26D8Br

Score

10^/10

cybergate ironhand discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

ironhand

ironhandcs95.zapto.org:999

Mutex

W361UN4HSHXWS5

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
.//www/
ftp_interval
30
ftp_password
4565r5ty5
ftp_port
21
ftp_server
www16.subdomain.com
ftp_username
user1878047
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
4565r5ty5
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U0343867-R33T-HV4B-238S-770862640Y6S}\StubPath = "C:\\Windows\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{U0343867-R33T-HV4B-238S-770862640Y6S}	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U0343867-R33T-HV4B-238S-770862640Y6S}\StubPath = "C:\\Windows\\install\\server.exe Restart"	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{U0343867-R33T-HV4B-238S-770862640Y6S}	explorer.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
1620	server.exe
2284	server.exe
848	server.exe
3068	server.exe

Loads dropped DLL 3 IoCs

pid	Process
2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
328	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe"	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe"	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 800 set thread context of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 1620 set thread context of 2284	1620	server.exe	33
PID 848 set thread context of 3068	848	server.exe	35

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1748-564-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2636-588-0x0000000000330000-0x00000000003F1000-memory.dmp	upx
behavioral1/memory/1748-999-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2636-1000-0x0000000000330000-0x00000000003F1000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\install\server.exe	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
File opened for modification	C:\Windows\install\	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
File opened for modification	C:\Windows\install\server.exe	server.exe
File opened for modification	C:\Windows\install\server.exe	server.exe
File created	C:\Windows\install\server.exe	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
File opened for modification	C:\Windows\install\server.exe	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}\InprocServer32	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}\Server	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}\ = "NDP SymWriter"	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}\Server\ = "diasymreader.dll"	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}\InprocServer32\ = "mscoree.dll"	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}\InprocServer32\2.0.50727	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}\InprocServer32\2.0.50727\ = "2.0.50727"	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}\ProgID\ = "CorSymWriter_SxS"	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}\InprocServer32\ThreadingModel = "Both"	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}\InprocServer32\2.0.50727\ImplementedInThisVersion	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}\ProgID	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FD2B1E9-DD46-A4D8-EF41-163908EC3CB0}	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
328	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	explorer.exe
Token: SeRestorePrivilege	1748	explorer.exe
Token: SeBackupPrivilege	328	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Token: SeRestorePrivilege	328	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Token: SeDebugPrivilege	328	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Token: SeDebugPrivilege	328	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
Token: 33	1620	server.exe
Token: SeIncBasePriorityPrivilege	1620	server.exe
Token: 33	848	server.exe
Token: SeIncBasePriorityPrivilege	848	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
1620	server.exe
848	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 800 wrote to memory of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 800 wrote to memory of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 800 wrote to memory of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 800 wrote to memory of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 800 wrote to memory of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 800 wrote to memory of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 800 wrote to memory of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 800 wrote to memory of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 800 wrote to memory of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 800 wrote to memory of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 800 wrote to memory of 2636	800	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	28
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21
PID 2636 wrote to memory of 1212	2636	ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Users\Admin\AppData\Local\Temp\ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1748
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ade892aa505efca90e9619d379a60d1c_JaffaCakes118.exe"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:328
    - - C:\Windows\install\server.exe
        
        "C:\Windows\install\server.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:848
      - C:\Windows\install\server.exe
        
        6⤵
        Executes dropped EXE
        
        PID:3068
  - - C:\Windows\install\server.exe
      "C:\Windows\install\server.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1620
    - - C:\Windows\install\server.exe
        
        5⤵
        Executes dropped EXE
        
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1D0189E0.TMP

Filesize
78B

MD5
0b99fa135aa788d9bbf216e224958a99

SHA1
775e29004a636b79102cb3970f1876c15e6dfffc

SHA256
6231d0b8d99ee40f672a14c18017a6c55eb43a7d93c451a3402f5f23a7267a5c

SHA512
125e8085ba03b6499c0be7aa73880615375dc9818c54a37846b42550c5eb068440c6196299d65e47e914199a495b099f9083eb8ebdb937bc9eb69e4342f6fa7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D0189E0.TMP

Filesize
78B

MD5
1d139087b8a722480e22003dcaf81b09

SHA1
b339516d56792ed7f91b91b111642855925a355a

SHA256
c31b1ec445820cb309c0a97f12bec48f161b3b5150dd017038f4b75b7a628b2e

SHA512
5f82c0b4e99df92006f23919cbe520e9c2630ef14e033b4a981e2f55170111cf046d2b6c71d352e4d91245dfb7141acfee794cfc9ca47aa79fc7650f0d6353ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
92cf2da2674d4cac2a96f9430e2009ec

SHA1
30af6c553c16789f8d7c2ef34934c4ab9a9f928c

SHA256
8fe6b907a1645ab7f8bbef1364a4609a1e1214012ab37113efe7083ed41618c8

SHA512
7f96aff2d0c2ad9ab33b444bfead7339446322f8db86a5600cec547b4a6993be0cab84537f81ed8ee651e1ba666b7501a468c7383bfb556be3959a42c6fdeaa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
174c870808a7c66295cfedf1ac654aed

SHA1
0a4ed76ce1280de3c3b63c7d7a87408a1d9123c5

SHA256
d90ee450a2b4d6aa061cddfe9bca807e94eb2a2facdd6e7da341d8df9dfc5294

SHA512
af848a1959ab56a5a9eb4cac0971434a8cdcf793c6b1526a0b195fa99a1dbed405fa7b972143df92e2ecf0308e2daea32e70d1aea27874cbb41e875abd05b17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
80eee74f86bedad40a5d1c24af5b651a

SHA1
882e1e01a2e62f42550c4c459cb3012b2878ca97

SHA256
14e9311394d7e7cef693e81a8e90156ec11bba08c7b4541550b5cee5320017a6

SHA512
9932e17b30e9a76df6afccb5e005542345679f2e028f3e0beeda855dd178cb4ab8d0a90eb131526e061e8a233c46ef55921e2bec04c9fbe647d990ad5dbf4a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f21181832c1fea496da535d5e5688680

SHA1
285a951caed90f55c414bba0fec82c232c4d3cb8

SHA256
e28de1b3e2598e2b2e2e5f3f25e18d467bab1a20b167e4f76b3c75c10987d228

SHA512
3a2ed1686c0863cd3a63c30cab24115b289ca9b32a7276f8b13665569af4f7801077abc8c22a4cf241a643fc1f8afd0769655c23ab61a1fd79c14cf8bdcbf07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ad021d0414b768614fd12ce2e42c4210

SHA1
9511e4825714c491690897a6c3a9e8819a2a66d9

SHA256
959274a68ee37c96107d1d9f08b12c57af9cfd89b8d00b66bac9f4490b95fc25

SHA512
1b86a13ccf7c7eccf0f87a5d94b097378d2a07e2d0bd5e978200af3980e7d3e53412025e21ad67ed85ffd3dc9e491c7b8a6a27c4b3e36f4ad5a628584efd90a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
40d4ac10824e4d3f4da11802d26866c6

SHA1
5c8c057d736b7579684a3fd6dc35831b7d1449df

SHA256
2171b786ea6c363847954d5e48869ef40723d31d96210b56c157e5e1d0773724

SHA512
6a20dcd09fb097d265c7c533ced0a3b9099651d5ebc17e1c6e28ecbd6181d4c14de43aa74fe3c371a360d66dcb69274fa79b68542b738dcafe077390f964fe38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a9055b3330a799d05787c64d64a85bf0

SHA1
601a1cddc378e8ea42f08a4bf8db9eacffa2ebd1

SHA256
13b06b91037a1a04d359106c0491abe2459d732e727ce2b687e001ca2a2d229f

SHA512
ccd291f925ff1d7da708f44d20a4e8139beb4b4ed92f2f001b148dabc18b0156c9bb9ff2682330a4d1eef407c5c4ff06b812c31a43a7514d151bc905ecbd94be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
685e6e4b9eedcd5d8dab0c1ea3047556

SHA1
2da6f79939102303f64f26817c80df9a6c99b3e0

SHA256
024c16dcae691d3ef59fbc58f4b27c31f06972e8ff773514d72dda52db60fce4

SHA512
e2b432cd7e9a49879e5a2eaf5c6b59e094521c3b1a10ff9c61af7819f0be0978d9f5f7fcb517d60cebd31535e897dc7146684232982820cc029ad55e947dad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0e042267be8149cfdb08da3ed786d62a

SHA1
b83bad5940d9d34b48bff05a6b62653b9af0cddf

SHA256
2e24c1fd455c83c7208600e3a170035f606a35efddc1babd3b524523721dc1a3

SHA512
b33efda4e0c119911637c771a8722455a4e277dd18fa6dd1df67106c4b11ede1cb4c74b46e417b14439852006cfdfe84c0862ba37f4432617735ab32548895fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
92c30cef07139b5688681c7ef4fa60fa

SHA1
8262549c2ec9e87c167c5e8c0ced3147688b1f67

SHA256
64910689c97ae43012c03908e70f76b386ff6c293978462d2d7dc279cfa578c8

SHA512
e1277d8c570b36150b32d344f4b43293e8348082e33a0d744631a122e423d4293f867612951dd8018a3a0ba29b1d7f0e1249a271465a4fdfd6d868649fab8739

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
900075d1b6843931818a899301caff61

SHA1
e1df3b0d87b67e86cf331b6dace46c294d6d7ca0

SHA256
baa36ed124275c4cbe22c910e28d5d9dc57d18f84af700d758b3941faf15e961

SHA512
8347477be16d4c103994ffefc263ab960abfe0691a3d7d93d49c6fa0cfad2b95b427575bed7f2e5c61690ad8b6982d312adcf5b7bd1722166da3d4c9e80cb4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
60a076c44e103ee09f0f5cb11e615d50

SHA1
8feae6f85e1c602f92f828f493c55a6c753c9ad9

SHA256
edd4540561a74e2d85e1fa286f6de758f9351746a4966b2acd16e5b5258ff963

SHA512
74bad787675905779661063872fc4f2a33f56a4b3801fc5189610b053b6f1d890ee2a98663469c976a5a338725aa2097640a774d4cc01276b686ea7d3f492899

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5526ec17d3532efaab2d68d7855bc4dc

SHA1
1d805697a128d217741fe9566741b3d8090ef638

SHA256
df2116ac022fec2b0f700f102dbe2809bc7932977ea38af1cf259dd6ca6e9827

SHA512
b983431d40a93d9360a6c14d24ea0b3ed0416d83cb2f58a250d2760f3be27aca49fac160e5201b352166947fc4c33b471c134d38a05f540dfc99e0ccefacc2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
32c7a6b01b1b696df03a5cbbedcb4ba8

SHA1
fd7703451d5eb388e0bc3613ba023e2372688f59

SHA256
34b931b4a4158666340ac76d1a947ed5a03857e6de4d62aa2ff9bc78275f49f9

SHA512
b8025e6302fd7ee4c3e52d221f3dea9b6f946a1b92465a174a035aa503279c3d8b5fd5490513163883e4956d5e83074712e6e25cedd37f7a9085f78ea32f12e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
104a0989b5ad2cb808a9a670f3094de5

SHA1
8df40f12f83555f22225f06e6a64ccf02d8460fc

SHA256
a209baf025371d19f2b114a0aa0eb73c4da1acc74ffcf0b37b8c345ca30248e2

SHA512
634d9b5323acd2a977c312e9bada8a9e252e776f116a0daeb29f9b58572a840b4b0ee4dd2cfcc5f181b9ad6f38ad15e3ddd653dacf074aa7c33dfa8824ca8858

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9e5852c9876d1a9eb6948fcb3db3bdb3

SHA1
67f09a6eacb5507d997ff163d04100ce993cc1d8

SHA256
d367885ace2fd6fcbf0157e86f2d6214a394f92adb52a92c9fb5fcb9c722be01

SHA512
ebb064913fae555aea84890884b6e018167e328a60d639ad4d866ff92802c4f04bbb2dad0a8ded3afc06f7730a85b82721e1ac2ddc6bff3279c49ef118a9e817

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8631f20eb42fa13869bc50eac828188e

SHA1
9f32bf3842ab344a1afcbef353ba52ed6d129eb6

SHA256
0d35a785b4dda9d77e7e40516a54841bbfba0e9b8019b68164c86dda31618c03

SHA512
58bbb87003302307e08ab33d0a9eb2b5aab363b548bc7112a2b471aa7627156e27c36119a07372286d1db02c39df7d6f7fa25a71ba62e26240a4b1d35d9fa65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
34a84be3284fbf491f7365d8e05a56fd

SHA1
f9304654f2df6d8be1ee54de03fa89614ff1a825

SHA256
ff9b1424794fd77c7d7311b16d4210705115d20e7eda18d2613b227db8aa0166

SHA512
188f553c7ce799b4d4143fb5d9f61d683d0e7ff2b1c8b4ce5fa88bb91f05b8c5727ed72bd6d6cfe23c724fabf570cad8fde12149d1c89c1e38de8ec8ef06623a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
710d3d693a8c2a3d7615369fc467e99c

SHA1
a6aeaa41641969b2e1115fbf9c51044b5dc2c75e

SHA256
5d8d0322cf43808f86893ab3efaa204ee5dc39f9e46e6ae7273ae559d08503c2

SHA512
44a2bfe0d3116c190e0a3eb3ea2d4056ab0be136427b993e9b229833a3032e21acd90c859e078b56bd655876fcd313e855b59e5fb7c026667763420fd6ec1ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
64fbf6d37ef9fd6ee1570655ac4eb91b

SHA1
51c13ab5c5b55b74d501fe6a8b6f99835ee1347e

SHA256
28cb42ba6f1c86ababc29d127c647f5472059a70727f6f675b69e5287ed468a2

SHA512
e3161fc6e40c402bf87b37319db26b91007aab9d7583792dbc69bb3ea1c2dc84b6fb99631994662c458405a4be2c7c3a5479a7d34bb96847e4e519ae07d40b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\install\server.exe

Filesize
780KB

MD5
ade892aa505efca90e9619d379a60d1c

SHA1
c4172c36e132f5520260c7ddd7c067bb0fa647c0

SHA256
3dbda00f0c64f9536a9af02754a0ffe506390450e4ac9ec3a88c8810558b21ad

SHA512
693322877d46e15df0a7f3c7bec5290471770a8cea0da63f8a525e672779cfdcf81e0c8b194c7896918df7d07f11c1bd8e52d49c64ceb94582511b302159ca11

Download Submit
memory/328-589-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/328-955-0x00000000074D0000-0x0000000007591000-memory.dmp

Filesize
772KB

Download
memory/328-1003-0x00000000074D0000-0x0000000007591000-memory.dmp

Filesize
772KB

Download
memory/800-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/800-9-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/800-29-0x0000000003320000-0x00000000033E1000-memory.dmp

Filesize
772KB

Download
memory/800-12-0x0000000000920000-0x0000000000968000-memory.dmp

Filesize
288KB

Download
memory/800-15-0x0000000000920000-0x0000000000968000-memory.dmp

Filesize
288KB

Download
memory/800-11-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/800-39-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/800-10-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/800-38-0x0000000000920000-0x0000000000968000-memory.dmp

Filesize
288KB

Download
memory/800-6-0x0000000000920000-0x0000000000968000-memory.dmp

Filesize
288KB

Download
memory/800-1-0x0000000000920000-0x0000000000968000-memory.dmp

Filesize
288KB

Download
memory/848-968-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/848-998-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1212-43-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/1620-928-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1620-973-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1748-999-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1748-564-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1748-286-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1748-288-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2636-21-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2636-1000-0x0000000000330000-0x00000000003F1000-memory.dmp

Filesize
772KB

Download
memory/2636-25-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2636-27-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2636-30-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2636-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-35-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2636-23-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2636-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2636-17-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2636-34-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2636-915-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2636-588-0x0000000000330000-0x00000000003F1000-memory.dmp

Filesize
772KB

Download
memory/2636-36-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2636-37-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2636-336-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads