cybergate | bc6f08e58f9eb7388243c2b8a24c202b0e6ebd6f63a2ed8d4575d794e42fc067

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
Size

303KB
MD5

ca928b445ad1260be45fdb5958065db7
SHA1

15b49c5251b53d5ac4d45ccd03c718aa542d6b9c
SHA256

bc6f08e58f9eb7388243c2b8a24c202b0e6ebd6f63a2ed8d4575d794e42fc067
SHA512

a5f59dc551430e9d92e86e7378b4aa9a19b9f01f293675f12e8f64161eb7196cdf9a4d8a0aaac4128ea666d746cf73b5c7da004e907167df583e1523b39d8fdb
SSDEEP

6144:JkFgrlyjaGh0+lrySTVqz4lSinvX64fpGcGMjK1mvPLtQbU7cZj8fMqsSSnoS:OFuyGK0+luSTTvX640kucvSbIcZYEEQZ

Score

10^/10

cybergate server discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

ratz2008.no-ip.org:80

Mutex

°°°K3rb3r0s5°°°

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
DaemonTool
install_file
daemon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
admin
regkey_hkcu
NvCplDaemon
regkey_hklm
NvCplDaemon

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NvCplDaemon = "C:\\Program Files (x86)\\DaemonTool\\daemon.exe"	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NvCplDaemon = "C:\\Program Files (x86)\\DaemonTool\\daemon.exe"	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2440	daemon.exe
1292	daemon.exe

Loads dropped DLL 3 IoCs

pid	Process
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2440	daemon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon = "C:\\Program Files (x86)\\DaemonTool\\daemon.exe"	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon = "C:\\Program Files (x86)\\DaemonTool\\daemon.exe"	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 788	2148	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	30
PID 2440 set thread context of 1292	2440	daemon.exe	35

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2148-0-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/788-3-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/788-6-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2148-7-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/788-9-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/788-8-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/788-12-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/2348-51-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/788-16-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/788-320-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2440-401-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/2348-400-0x0000000005270000-0x0000000005390000-memory.dmp	upx
behavioral1/files/0x00090000000165a7-398.dat	upx
behavioral1/memory/1292-3033-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2440-3040-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1292-3250-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DaemonTool\daemon.exe	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\DaemonTool\daemon.exe	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daemon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
Token: SeDebugPrivilege	2348	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2148	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
2440	daemon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 788	2148	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	30
PID 2148 wrote to memory of 788	2148	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	30
PID 2148 wrote to memory of 788	2148	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	30
PID 2148 wrote to memory of 788	2148	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	30
PID 2148 wrote to memory of 788	2148	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	30
PID 2148 wrote to memory of 788	2148	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	30
PID 2148 wrote to memory of 788	2148	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	30
PID 2148 wrote to memory of 788	2148	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	30
PID 2148 wrote to memory of 788	2148	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	30
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31
PID 788 wrote to memory of 2104	788	ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe	31

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:608
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2040
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1696
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:1856
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:10368
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:11140
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:684
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:824
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1172
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:10856
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:984
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:272
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:300
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1080
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1116
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1232
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2952
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2300
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ca928b445ad1260be45fdb5958065db7_JaffaCakes118.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2348
    - - C:\Program Files (x86)\DaemonTool\daemon.exe
        
        "C:\Program Files (x86)\DaemonTool\daemon.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2440
      - C:\Program Files (x86)\DaemonTool\daemon.exe
        
        "C:\Program Files (x86)\DaemonTool\daemon.exe"
        6⤵
        Executes dropped EXE
        
        PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DaemonTool\daemon.exe

Filesize
303KB

MD5
ca928b445ad1260be45fdb5958065db7

SHA1
15b49c5251b53d5ac4d45ccd03c718aa542d6b9c

SHA256
bc6f08e58f9eb7388243c2b8a24c202b0e6ebd6f63a2ed8d4575d794e42fc067

SHA512
a5f59dc551430e9d92e86e7378b4aa9a19b9f01f293675f12e8f64161eb7196cdf9a4d8a0aaac4128ea666d746cf73b5c7da004e907167df583e1523b39d8fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
a129efff0ebdc6f6e57a428b412ea7c3

SHA1
108ce1273b66c26f63fc14d68e4db4f89655a274

SHA256
6bec96a0c54ef50f05eead5ccc1af8b270590cced2947adf34123b1a2dd6161e

SHA512
a4114272d2f1f82963ffef47dfc4fd00fd6a3510dba9e3ff8b420250035000a3abd509890d9d55f3902410f8fd4c2e6ccb301e586ab6136fdd9bd7605823c92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
21ed04d5798b1a0e05b9fa718df0f813

SHA1
5ef0b50938d77c45711ca6734ad8bd0c9566b957

SHA256
25616d470d588831d4edf9a30b4d74ce115b0e00d5d7cba9a2827497459bbf03

SHA512
1daa1d8fdbd24f7862fb6cd84d825de5c5e2671200d7b6b7ebffc6822c4c8139ac02f932aa6a07804a0361721a7bf3e31cbf950f2a21d0d2ca6370f737adf32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
433be1a1c53725f5c9880b6c1f9cb789

SHA1
5e7b2fa6a820166131026a0499fcd3334b9af66b

SHA256
2f729a1e47d48f97493ac03f6e1d3c3b921f8013c84cecf4291bc0fa91a40241

SHA512
0107216a7efeb360778fb4225b2ba02137c571b0de1a2394c19768b395e885931d66f6ae95aa79bf4a65af36a6e66b6a04fd7ba8f8395f65a64ffea0b14f28bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3ac7ee9e1c58e8a70559ef04eab481fa

SHA1
9f0db403f378b808565451f7ee6c43fce4c95560

SHA256
e09c745bb5650476fba8fa79d22d10b57a348cf29b2b303c33c10b138f3be06b

SHA512
e1f0f477c0e60bb0ba530d19ad1471251e26ff74162ff0d4f94bc2c2b9d1337f8faac8d9d926386e847cdb4ee4c41e9c56e9d9ce0da6d33b79d19666d431ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8a9e22ebb74d80f368a9c65d135e4c4e

SHA1
1c71bcdab7f85d080ade1a57dd3fa8f87d997849

SHA256
6964786cfd49e8e4c9b3f00534fd33b290b2cbcf5fcb52ae0a69936b85af605b

SHA512
13db5fa1d4f7eeef089aab7e23b53a8f3e4bf4ecfe0cd6efbb1863b4a0a65443cbebebb3b851338538f5e39cee8df64ce36379b1e37861dfe3e76afd3dcf60a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
78bff7fa83e47441b19eaadc85035c7b

SHA1
a4b0da7a648fae7dbee8612bd3494734ff3ff065

SHA256
ed94159301e7ff8276c7cfc9431fc02ae9b84fbe1831d01e4fc448d525bb6b25

SHA512
46e59f772036f39015b45b1a4fe392ec6c1887bcda6b49631ca818eea303e23138f0022bed779614342d5e45d1dce1201d5177fff25bd20b6a78e7acd9c8dcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6bc8ba56246489f532f3c1684dc5d863

SHA1
cb3012d6a691b044fd08e9a3f68fdb513016cfe2

SHA256
d85e2a2e2f5cec9c97bb96434f01682b1c0f09e28f33680df830629505d3c692

SHA512
310baaad56b8116f3b5357e74ddab237a200599d750514f530b10fee04e11e6a4ad0ac043f8eeab44ce129dbd693749c42f4d8734ba2e27305d1b9d7f6561d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c6a3cdc2704224bee1f510427cdf6599

SHA1
79cc31e0e2177668b3ee867fed1aef2639bb3309

SHA256
272fa01b0ed951f03abaec8715e4244332c123eb9301cb2a766e66a437749290

SHA512
49a271e66e3ddd3487b5fbe3e537f33b600b7e9a530efd0c30356dd0c5a220fe45b2c5d71640ffbc5f9285d18bcf5348b9376d5251b5ecde9df6eaa9c05a4e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6c27cd112db1d6a73089195bf94fc18c

SHA1
778f6b1773299b575b30642b143b0a12ba1e10ef

SHA256
643448be499412860e0cb9c037138530f477c609684a92454e961a5294b6a327

SHA512
7e046e14a0f04b8562ab09e3a557a4cb15284b371e191d7c2c17589af376456a8354b21b35d485ca6343ef124772391006ef03c21c67ebec25136985e6e61e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b50ced2af55ad6f44cce7aa31091a2ce

SHA1
e9218c39b5b5fcc202c752f045219546f37f0b25

SHA256
095c2f030a86c9e935676cafd3f7a1fe75e80969622d4768c63771967f8ca29c

SHA512
5c67d1c5ac07ff7a7e0076da7bb36ac4cdafc8527c5f631e7b4daccaeab2b18d6d2918b60bb8f2c7dadd2ab7b58d6ba9710b0b972a5d8b7a43c5f0b5150c4134

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fa73d31f413dece1268d8e85f9f75c74

SHA1
c0a5957c8399c76d661d06b336a2baf6949f6997

SHA256
4b569a9a28f13b1fc99c0d0a9726397af3b369320c81e653392e8ee237adfacf

SHA512
e59bbefefc08b4c4c3412874217cf60e9a6aa3f9d82a3bb66b74a311e2d6400fc039dd5fd7b817d6d63a2f2fc99d456a1e05d36ecf7dbc82d06b046b92446429

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c989d35f1102fe6de8ebf2e0575fe5db

SHA1
84fb69fc73e77ed7fbd71d6b4f793985c6b4ee7e

SHA256
7b3fd69269b4bfad23d07a21860d014bca57d98454c5d2386a362cfafddfcbd7

SHA512
b8a8e0bc5e1c9bb08f5c3ef67aaa56fd9c0501d6fe60a2e85dc3c0efef76c9da7ade353c03b39aba8c95e9dbfad51aca1855184c753916fbf00971f16fb659ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
efcadfb0834bf42d541aad753cdd1b6e

SHA1
e0190f0dd3b55599d75b98e7922f53422dcc9970

SHA256
7297e679cdce8ab8e7915a2f33a2db5d66ac2b8891096c7ed3e679af6cc0b7ec

SHA512
8a8773667bf54a878e0934d52569b7e45e19f18b54c6d0dff4f9c3ba6d1e72fa72c56a513f9ca06287bf356afe0e4f9282b52a9629d489efac2adb4ac82b22a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5f2e1e6e92a3414fa7136f837658a61f

SHA1
af9c20e4d6e6e32a49a61a1a7ac1ec8253b269e0

SHA256
05e7816fe59f9ea716a5d48cd20ce25953d460fb541bae6103a9446212203b3f

SHA512
6ea49fff801930dd37fcb28e76d211e898e0f979984691b203c9810d4351497afa2706523281d5ff609f4c1d46a63254dadc3dc267bf60ac411fbe1be001a310

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb6554b24a9a507efa20fdefffddc250

SHA1
1379de01196f4c8a877ead01ebd87b62687cea2d

SHA256
324b3878ec538e48f0dff2f6860146d3e27dab715bc410993bb4b4769caa3db1

SHA512
634a385f296803bc0040c3e28878b5e8d93d48eb7569da6998cc53cfbda9fd9a3abe99e8712badeb4f5a5d52c6fd136593c114f9ec3c58111fd0ddead1e05423

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d0be741354803474f6a6af16ca882072

SHA1
474b8cc7ce254e2943d7e2159652416d05ccb140

SHA256
1074cf0b3e04480c79f0e8a22e7db498ab1f0e5b4bd2efd7e3e716d32d2d6672

SHA512
a1145211336159727bdfd3643741549733b436415b7f665ad1036474b67613505c037922e66ef399a1c005c8510d21d03ca5250ebc30244bceb74c69d4e1b2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
32f2aa369ab699dd5f31f27e79a9e944

SHA1
13519e6ada915c6aacbbe55d5e1acd0bb48578c0

SHA256
1b384031b05e245dfaf4d049a462a58c5b7536b2a51277bd87d5a750e1c3d5d2

SHA512
ec63f0d653dfe7ba2ab65ee5b548a32d67c9c8daf2f86f6c7a9891a92c9477ac7d64335780bba337083b5b2bda33bde8f88ce6b0b7b4ceba96b1a2ae4d7beccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
92556ad59d2ce34140cd06eb2ce5f7df

SHA1
929a3a159861df93e4bd44f407a19ab0c2324d08

SHA256
1ce3dd05c451a3df8944dcfcc47377d990b55b7ae10f28ae47f881e7ba2c6374

SHA512
05bf8b62848be0df826041dcb96ac0d2e6f974dfc4aabbeec6a1fc628ba7ffa2ce067d87976bc9a67900fae189b15e189cf76c25e189987e9fef70eb6c26ab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c152e9e9b751afa6edf6a9c5fa2c8e22

SHA1
4a0e4a78f81053b032c272ece4176aa416eeebea

SHA256
33ff87a63f3e513daf970b40396b075ac6d500a8d9ee638f686ca4b2f5a8e946

SHA512
17f9857cc3fd8eb24622b50858fd19d0930b4b04fe84c82b3469b555935c4f7ee7f5b3f2a1abf8f78a0081acebce88d02e58c6bf36103787c511b20d95fe569f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
03d298a528e68232d3e37c4748c4b781

SHA1
c2c891a65081bfaf78e9fcb56745c1fd67eac073

SHA256
e26ee43464b31f73ee4312769b9774f5ef3cbc00b27767237a3d839203ac2262

SHA512
8ac6a4234a9a0c15975fa8f4701ee3a81ef7dcf0bcd8f9cd601f9796f291207930919b3a8aaa1e9b46bbec207514aa1e5c43e352ef2b84861d0579e902b80106

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2ac36428794f39867b6d2700375e6ad6

SHA1
11f9a93bf738392a294c3a3a0f2dde95acbbd1cd

SHA256
e07e4831da3b92f399425b54196b39bf21fdbc6270f6a8fc798ac7cd2ba0a29f

SHA512
64e3121521178c6d40bc09b3396490d8f2b244308585c7dbb23b2106a9fabef6ff0399be0084d2578c9f13e7a70383d000fdd7e6efc1ccc6ae30b2007898512e

Download Submit
memory/788-320-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/788-16-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/788-31-0x0000000001DE0000-0x0000000001F00000-memory.dmp

Filesize
1.1MB

Download
memory/788-12-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/788-8-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/788-9-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/788-6-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/788-3-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1292-3250-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1292-3033-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2148-7-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2148-0-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2348-17-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2348-399-0x0000000005270000-0x0000000005390000-memory.dmp

Filesize
1.1MB

Download
memory/2348-400-0x0000000005270000-0x0000000005390000-memory.dmp

Filesize
1.1MB

Download
memory/2348-3252-0x0000000005270000-0x0000000005390000-memory.dmp

Filesize
1.1MB

Download
memory/2348-21-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2348-51-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2348-30-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2348-3251-0x0000000005270000-0x0000000005390000-memory.dmp

Filesize
1.1MB

Download
memory/2440-3040-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2440-3020-0x0000000003350000-0x0000000003470000-memory.dmp

Filesize
1.1MB

Download
memory/2440-401-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download