cybergate | 7f081ef130ca8c6efa1ab2d90278eef84754ff7d1b233cd8cc9a9eae2da2c8a7

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Size

678KB
MD5

d345f96bb56293d23f5ae4e148c9a912
SHA1

67b12b289a1c95b016080af4e969edc4039a7dc6
SHA256

7f081ef130ca8c6efa1ab2d90278eef84754ff7d1b233cd8cc9a9eae2da2c8a7
SHA512

7b065da737862d4267aeeaa40dc43b7ef0fa0fcae2281465bbe8fc30b8250139e156de3702021c49104889141318fe8033e6ab05fafbc56a94c5264fa2a7631d
SSDEEP

12288:4pEOo6dfbUHUHcC8X8UvbRCf+OpiNpOTEojCP4/XrI5P28Sq+f:zOo+jUu+8KbRhggP4/P8Ef

Score

10^/10

cybergate qqqqqqqqqqqqqqq discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

QQQQQQQQQQQQQQQ

qa06.no-ip.org:3460

Mutex

qqqfqq

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
File exit Nood Foun!!!
message_box_title
Lütfen Javanýzý Güncelleyiniz!!!
password
azabhantr55
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\svchost.exe"	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\svchost.exe"	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IP2427AU-EVX2-2AA6-3E75-8BQHTU67770G}	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IP2427AU-EVX2-2AA6-3E75-8BQHTU67770G}\StubPath = "C:\\Windows\\install\\svchost.exe Restart"	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4936	svchost.exe
2828	svchost.exe
4904	svchost.exe
4492	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1520	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\svchost.exe"	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\svchost.exe"	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 4936 set thread context of 2828	4936	svchost.exe	85
PID 4904 set thread context of 4492	4904	svchost.exe	88

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2828-105-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\install\svchost.exe	svchost.exe
File opened for modification	C:\Windows\install\svchost.exe	svchost.exe
File opened for modification	C:\Windows\install\svchost.exe	svchost.exe
File created	C:\Windows\install\svchost.exe	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
File opened for modification	C:\Windows\install\svchost.exe	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4624	4492	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

NTFS ADS 13 IoCs

description	ioc	Process
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
File opened for modification	C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_	svchost.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	svchost.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	svchost.exe
File opened for modification	C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	svchost.exe
File opened for modification	C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_	svchost.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	svchost.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	svchost.exe
File created	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
File created	C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
File opened for modification	C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	svchost.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	svchost.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1520	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	svchost.exe
Token: SeDebugPrivilege	1520	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4384	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
4936	svchost.exe
4904	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4384	2728	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	83
PID 4384 wrote to memory of 4936	4384	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	84
PID 4384 wrote to memory of 4936	4384	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	84
PID 4384 wrote to memory of 4936	4384	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	84
PID 4384 wrote to memory of 3468	4384	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	56
PID 4384 wrote to memory of 3468	4384	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	56
PID 4384 wrote to memory of 3468	4384	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	56
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 4936 wrote to memory of 2828	4936	svchost.exe	85
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86
PID 2828 wrote to memory of 1520	2828	svchost.exe	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\install\svchost.exe
      "C:\Windows\install\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\install\svchost.exe
        
        C:\Windows\install\svchost.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\install\svchost.exe
        
        "C:\Windows\install\svchost.exe"
        6⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\install\svchost.exe
        
        "C:\Windows\install\svchost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:4904
        
        C:\Windows\install\svchost.exe
        
        C:\Windows\install\svchost.exe
        8⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 536
        9⤵
        Program crash
        
        PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4492 -ip 4492
1⤵
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF

Filesize
971B

MD5
4fb011915ab8cf8795bda338db529637

SHA1
5aa3c7dbe22e7f822eb0a3ee02250b520029f32d

SHA256
8116c2c81d6a6cf64432bfb9e340b8b11c320d970349383529a43bfcef0d64ed

SHA512
fd5e7f2c154b642b0e4045a64646d44ff51635710dd7705e44fcca8cffa8b33db8943a73c196a461620c4fb6e0e5888b4ff4d5b5aa132804f83a83b5171906c3

Download Submit
C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF

Filesize
971B

MD5
3adf21c4ab9c6705980c3edaba3ffe0e

SHA1
5e0e17b7709dbeb5c211feb5b11fa8b3994cc2cb

SHA256
61ec6aeec78b5c4378ee153008eea3b2753249ca5a0a9338cde593c948f30181

SHA512
94e716c27e01d0bf04e277ca739d9beb24f4b0ac618c6b91bdf520cfd7a18db40a4062ba008b0a1bd4c11dccd20457afff24849c59e998647008efda3caeda7b

Download Submit
C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0\Data\app.dat

Filesize
971B

MD5
2ecd8fa316dfcb1aa44a26e8b40b3ed2

SHA1
3416713748948a46d59f8268ac91be7496aa5b7e

SHA256
989b8059c91e81b7194cc25123e600574a1edc338442e4a6b99f478e6bfef86f

SHA512
7b9a5c4485437f533b9d8a681d3cab8716bb70937b25f1964313f48384d7d28cdce899cd63bcc1c25c355145cce7d2f408e8ff5da50f4d6cd54ccedeb86c3b4b

Download Submit
C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0\Data\app.dat

Filesize
971B

MD5
e6d91561ae57349cefcd893f8c05f498

SHA1
c61504baf772e895153c2cd8cbd1c75072f7f864

SHA256
db44adc0d5bdfc3a4af30a56ad44d322a6436cf180ae0508fb40397be3fb6ec4

SHA512
9ec6180b6003ead0163de38933ce386ca10a4593cc858772805e0493e8c31c96e5b876ddbbb4569d076f5cae2b71baf4d562a4731a27f7731c0574c631f8666a

Download Submit
C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0\Data\updates.dat

Filesize
971B

MD5
4116c95caf9a64954875842aa4347477

SHA1
79e6bb67942b5537c358ae20852e489e19fc0876

SHA256
c7ffbdc5182fbeb09d146b537e4a4a16836d2e3dbf9f50fe79db02de3cd0b6be

SHA512
35af028d84224aa58ed3b17c2a8c47117bde05992672c54fbbfdc284a98b65bc18a5e8ce8a5bd8ed447be96bb42ac5524334566d3338b567bd01a9762fdef2eb

Download Submit
C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0\Data\updates.dat

Filesize
971B

MD5
82c88990144458d888b11068a0bdb48d

SHA1
eb4ee6be11532be1bc2dda45fc49ff969417262f

SHA256
f41e7e9fffc978cc97a3c1f4dcefebed8810badc50e1fc8e02ab585eabf35ae4

SHA512
eb6e82af0afdc6f1421155f6a11969db24777202ccaed3cc0b2185fba543ea2fc0b9adee4e49b8046d71500ca6208ceeb8fe8c3f897d38f46aedfbe87f5857a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
2132bb909e4a3642996b367dfb1b7d26

SHA1
01700bb18522ee66b2283bf1f318af4906e78997

SHA256
fb1b2a477b6131347566a25dc4373c9e7da024936afe8d24190b93a19cc4d611

SHA512
d80b597c608d3e9c8556f08412db0e05c3df7f81537591eb8946ac25ebb373f7565277b5f50931dc9913ea28a3852b78e18ab4605179c75374508e4be86b17a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
65133058954c9e44f2498e60b89600bc

SHA1
2cba0b99ebabb5e1dcaee66a1187a00458a8f5de

SHA256
4107cf1a06b2c5ae5600f2c50891bc0012fae021feb9c8d419070144c64c29db

SHA512
2d174b8ad680a235ab09c957af353fd4e94c11eff034602e654a6de89d1fcf1940aeb5a9f278a3529f14e6f07b57aad52cd247dfa0aa1ba4fb104c2136159141

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef41e03b5647c8411c0e460ee6827e44

SHA1
02b59a0edef6d621dc78bb735736e26cff5b3b6b

SHA256
80a8353062c2d04b6038021db034b6d2edbb3a59f8ab6fcb76a70e7c3d5c8ab5

SHA512
987dba002d670076e5604c347b6490ed1cb30a3384ff239f501824d16a2db9f021eea6ead945390a502e37e6b0d85a6c7e634d730c2245390fecc185e1cdfee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
abb8a697a4e3dcc9942b731ef63438e6

SHA1
6c39e610107b435f4e9daa216bf1deac56711ac8

SHA256
19093dcca3104b7ca34472b207634ab2f8c18e0ef00a2038ff078202e03c665b

SHA512
7efef3477eff0f3d126c1852d6d9e2560dfe96ac76697ad5c6182fc10bc72e02b77db0f504576a8e09b74e960efc68e89db27af42067b86da6ceb8988c0eb903

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b6d5f5e78b248aff45f11e54f68ab80b

SHA1
106767fbed8d99bd118e04679adf78d11d37ee83

SHA256
a6ee0440b965c1517e007b8f8f8e6607505b468c0c119ead7107d6157c621541

SHA512
549ee4b2941081bc3006e885ca432dc2eb2c2a4512864c0afc9c6a10e921fb308f4e0d62d1355e6119c74a13bd19b668343451b135e5dd63d95831e45d8fb7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
04087fd14f7c65f0397815527120deb1

SHA1
802e519b30ab0f8feb4ee1d2ea923b5dff587c64

SHA256
874110166375c2d6afc62d1575995dc4c4e9e3f063481605d49f524e2980862d

SHA512
da44d103244e7a222440c0f52099e8703b4dd76a826c484cce105bb302ce1aed8f4f659cbeb72b3a6e912e3461f6ccd262a6baf054b6bd9395239d7587e82ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e6d6a612c88fcd7a2ee1ecb53fddde7f

SHA1
e9d2e36ee4fdfd45f1b183dc9b323e21e86e0a80

SHA256
21fa547b0167a8666fdfb995533a6148380544126c6f84bfcff761893d1444d9

SHA512
552428306f649641396ef2a9e0d56b3922259c107283c70321c44d6e0d22303ff587d740f8e5a18bd0cce276406c4cf793061280e565ad860f608a717dd8e06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f4cb9f57ad2e0cc5953dfc49b4268369

SHA1
e5627d104560cd383e02f6833dad55f44f3ab34b

SHA256
c32c9fba91000fd117de9c331288a1f7d03cb52e9d243e5dffb57809db4916ad

SHA512
fbc2b7f8557e2df93039ad91e12234af2fb14f5b6c724f259653fe7c8082dc602d8901b7f7ff331ce6f02d976f715a406eaa3747dfaf29fd28f7844068edea4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d5706543b9c0f911b008c0bed4826716

SHA1
7f64b871c249cbaf3ed69ad2cbf68f872080bc47

SHA256
294d8e920f4040aa01870341b621b75a9663afe41f66b5f0cf3f8da6586a38a3

SHA512
afb2669b0d7ae9c118bfa60f9f4878d3a2172c2cb1b14e4c5280da29b91021c3f3c3667041daef0c4c56cc44c4057b75d9fe4291b94daa61cc7ae99de359c047

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
24c99c79aa2ebb8a34c0850f4883b7b8

SHA1
7e3e713dc5b80e01111f7f5881ef4975ce83edb0

SHA256
c1ed11a19e41cb4214328350267c0d54ed36a8624ef642799bab127abe9867fc

SHA512
9f0a220585b600278213a72f19123fae0308a0ddd80f5909178203deb52ff584354a03db22d9da3682b33f612ccd4d8d45e0513c14a2f7f180360f2deee7a88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c4c4fb9d408d550b22a989cfdf01474

SHA1
132f566585e55cc46ae0107735a0e6b4d46e5aad

SHA256
54d4c68e3e85267e8b073913a1203d66dba8b6e239a774f9e51c6f4a2a97041b

SHA512
e56fb092ba6ed891e65a1f39ff47019bba92f41d1ca52b4a2acb2fe6985d8b9dbaf5abeed57ae703d4686d75460a31a5441b4c83dcfa46dad0a6cacc308ea888

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
108701603ce0222db3fd0c116e00e4f3

SHA1
4279c311fcbc2cfa64e6340425a372835327f470

SHA256
b7a0856090f6438ea6f5d62d0a4916107c470604bfd87babb0c0f727e54cae30

SHA512
9ee279392b123200da7d066f8e4fc7d333757969bd3600f072cd11cd9082ed7585f2a9153eb628a865f24d52de3703cfc30b2af0f4651f1fcaf40c7ea1477345

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ccf37585e805b276d3cb1bb4c1a1e55a

SHA1
c8393d40f8ae181092f855cf4bf9eb29ee6b7705

SHA256
72ad75633ed885762e3373a052e661792b102c676833ca1f494419920a623c41

SHA512
671c4156eddb3126ccdd71a303b5b845ca0b2168c5f4ab32c78ccd430f5910bc4162329032e47bccb80a043fc9fac3338dd35a19b6c4b0b9705acd992a30f007

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5e501fdee9533b26e1587cc8f4e4411f

SHA1
bbb28ba1aa28eabcde3d4f3853dcf2bb48f4e1d4

SHA256
2ba22da4e10ec43554e09313d74ee59815407fc754fd042d8a2c8ee8a90a7ca8

SHA512
73b45b501193145af32736aa92a32bbf2d034e408bdcd695d3f6f9041d1b0a60a4f895ec4a630578c832e7fceb5dda6a23e7c563563cb7009c7150417f411444

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ce14eca9de28aca8338e6cee1b44b4e9

SHA1
f2a7ea0e59962f660246d434d17dadcf485093db

SHA256
d271c3fc58f4d088b83106b2e42b80b27ab47522f4d04a673752322812ee6fa3

SHA512
0d1d29ed8402eea380749d81da2d0932d9dc6e72055ea6c9157938a1e15dbae0ce0b818b53351a0acf9bfd7a8e65970bc9e62094a970913948021f14d3934710

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4f9c64f40b271fc3f87c700e828abd29

SHA1
50b1dc721811dff380f3f3d6d15a0f0c14bfd2d7

SHA256
cc77d6ad942d2d04dbbb131e16ec8a852be6cf43b382f60a2503c147c919f2db

SHA512
571d8b282fecf56c7ef01d0f5cf7d847bc6f08dd3a841fda1ec7096769b45cf2e0f4bc7cef206e3a27f24a58459dfa7a5ba52de7bf5d5a45ee99dbd0b488bb56

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bc9eda35e4fd68de5b48c5731072beaf

SHA1
897415cdcae2bdec5fd87a6d1b15eb0f20f7bdf3

SHA256
b2239af22a72502e2782dc6d8f01855168dae0b6fc37450426f516e42b05f34c

SHA512
cf0cdaece34d2cd1a0c9d45ac0a856b36391e5317935ab891bd9f8d8930dc8da9d13023d9bd9c700a62120c70cedd3f8e5922c8a142e26d3c791ec7e330962dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a7521798715692ec69e5866a9200f80f

SHA1
849268ea9a700d801bbbcfbf32407e2d8a4d9a83

SHA256
d9980fe39e3bd5d1f9ddf3671a8f33a3ff8561572dffcbe3d51385f0404878e6

SHA512
c9d739764c4cdd9cd5babd09105a2c83a010f29d38408848829886ee3d187b31eb48bdc4137fbc410bd1f35a78d29fadd6c70283617b101ff763abecbc4f883f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef7c367f8f4fdae5680a0e57c3ab2fa1

SHA1
328fcecc01fa4a7962021da72bc30a6e6200ab04

SHA256
bdc4cff15203c789523f238618f59080dae51e458d2fad7fdc8e36c1c955102e

SHA512
aa6694dbe656c71f34ac66edd350eaf180fdb0033459e41fe81d40909874ec9fdd845a96d70365be9a12913ff33a1e2a30eedcfb8239fcfdb39f15207c20e065

Download Submit
C:\Users\Admin\AppData\Roaming\DYA_VNRTQLEGCNCNSVJMW\1.0.0\Data\dya.dat

Filesize
971B

MD5
51205a92e13c0bf90a52a838ad397389

SHA1
973fe63c2327393911362f191ec22b80d6cd749b

SHA256
5280dccd4b01dc3cc7bb9c2e55708d77186d75cef4163b65b1f11c78d88e574c

SHA512
f9c5b73d754d36fe68fab0d16af3fe12884e5c68ddedff7a150167cfab5647726d9f0855b6642e523103c7d033d2390077d08c6b10dcd64684f103eb834a5d12

Download Submit
C:\Users\Admin\AppData\Roaming\DYA_VNRTQLEGCNCNSVJMW\1.0.0\Data\dya.dat

Filesize
971B

MD5
743d3fbe854813d9a594dec9c55c7ea9

SHA1
0c1192cffb60a3f340f1c0e86629105f26fa6e90

SHA256
f489994b3ecf70f309d249224addb310c2dc9999ea4c24b68c8ccb275123bb2b

SHA512
a8e9ca138e34ffecad3992e1388465159d32b916a3238afd083d32e59ab5631a2f7de282d06732cea0deec3162e3547fbecef023ee39968b490900e94960a7b4

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\install\svchost.exe

Filesize
678KB

MD5
d345f96bb56293d23f5ae4e148c9a912

SHA1
67b12b289a1c95b016080af4e969edc4039a7dc6

SHA256
7f081ef130ca8c6efa1ab2d90278eef84754ff7d1b233cd8cc9a9eae2da2c8a7

SHA512
7b065da737862d4267aeeaa40dc43b7ef0fa0fcae2281465bbe8fc30b8250139e156de3702021c49104889141318fe8033e6ab05fafbc56a94c5264fa2a7631d

Download Submit
memory/1520-107-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1520-106-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1520-110-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2728-49-0x0000000000406000-0x00000000004A3000-memory.dmp

Filesize
628KB

Download
memory/2728-50-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2728-43-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2728-0-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2728-1-0x0000000000406000-0x00000000004A3000-memory.dmp

Filesize
628KB

Download
memory/2828-102-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2828-105-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2828-171-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2828-100-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3468-64-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4384-52-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4384-66-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4384-51-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4384-47-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4384-46-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4936-70-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4936-69-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4936-96-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4936-101-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads