cybergate | d86e005f0d0cdf6f00a922f898b52b8eaef841436babc36f82c27ea8461eaf55

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/12/2024, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Size

354KB
MD5

d8d26545ddfc3580639399ce2c499873
SHA1

b53c9cf82ad10f813ff652d6bcb60aa03f751968
SHA256

d86e005f0d0cdf6f00a922f898b52b8eaef841436babc36f82c27ea8461eaf55
SHA512

f471ce7af57f3160d18c5b857a872665e5ca42a7bb2c70d1ac2de8c6dad23cb5b7dc41b97908d0831a99c81a736a9e3e1a90a9d3410d3393f88945c701b2459e
SSDEEP

6144:Hi1TzaLuI5v4TZuvk6tua/R8PyQdK/lRPCxAi8IAon9w8T:C1TzaLzK81BRRQs/lR28IfvT

Score

10^/10

cybergate lammer discovery evasion stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.02.1

Botnet

Lammer

127.0.0.1:81

h1n1hack.no-ip.info:81

h1n1hack.no-ip.info:12345

h1n1hack.no-ip.info:2000

Mutex

Pluguin

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
Pluguin.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
message_box_title
LAMMER
password
kek
regkey_hkcu
Avirnt
regkey_hklm
Avgnt

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PELoader.ocx	cmd.exe
File opened for modification	C:\Windows\SysWOW64\PELoader.ocx	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 2644	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	58

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ProxyStubClsid32	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ = "_PELoader"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\TypeLib	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\Control\	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RunPE.PELoader\ = "RunPE.PELoader"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\0	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ = "__PELoader"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ = "PELoader"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\TypeLib	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\TypeLib\ = "{4BB1DCD7-E971-4EA7-B115-745EA1467E43}"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\TypeLib\Version = "2.0"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\TypeLib	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\0\win32	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ProxyStubClsid32	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RunPE.PELoader	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\TypeLib\ = "{4BB1DCD7-E971-4EA7-B115-745EA1467E43}"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\VERSION\ = "2.0"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\ = "PE Loader"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\TypeLib\ = "{4BB1DCD7-E971-4EA7-B115-745EA1467E43}"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\TypeLib\ = "{4BB1DCD7-E971-4EA7-B115-745EA1467E43}"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\MiscStatus\ = "0"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\InprocServer32\ThreadingModel = "Apartment"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ProxyStubClsid	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ = "__PELoader"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ProxyStubClsid	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\TypeLib\Version = "2.0"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\TypeLib\ = "{4BB1DCD7-E971-4EA7-B115-745EA1467E43}"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ProxyStubClsid32	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\ = "RunPE.PELoader"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\InprocServer32	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\MiscStatus\1	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\FLAGS	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ = "_PELoader"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\TypeLib	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\TypeLib	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ProxyStubClsid32	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RunPE.PELoader\Clsid\ = "{55F8A924-246F-4EFD-B98F-14F456EDD580}"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PELoader.ocx"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\ProgID	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PELoader.ocx, 30000"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PELoader.ocx"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\HELPDIR	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\TypeLib\Version = "2.0"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\Control	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RunPE.PELoader\Clsid	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ = "PELoader"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\FLAGS\ = "2"	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2616	REG.exe
2552	REG.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2724	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2724	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2724	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2724	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2584	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	33
PID 2716 wrote to memory of 2584	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	33
PID 2716 wrote to memory of 2584	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	33
PID 2716 wrote to memory of 2584	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	33
PID 2716 wrote to memory of 2616	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	35
PID 2716 wrote to memory of 2616	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	35
PID 2716 wrote to memory of 2616	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	35
PID 2716 wrote to memory of 2616	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	35
PID 2716 wrote to memory of 2648	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	36
PID 2716 wrote to memory of 2648	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	36
PID 2716 wrote to memory of 2648	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	36
PID 2716 wrote to memory of 2648	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	36
PID 2716 wrote to memory of 3016	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	38
PID 2716 wrote to memory of 3016	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	38
PID 2716 wrote to memory of 3016	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	38
PID 2716 wrote to memory of 3016	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	38
PID 2716 wrote to memory of 1916	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	40
PID 2716 wrote to memory of 1916	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	40
PID 2716 wrote to memory of 1916	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	40
PID 2716 wrote to memory of 1916	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	40
PID 2716 wrote to memory of 1464	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	43
PID 2716 wrote to memory of 1464	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	43
PID 2716 wrote to memory of 1464	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	43
PID 2716 wrote to memory of 1464	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	43
PID 2716 wrote to memory of 2200	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	44
PID 2716 wrote to memory of 2200	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	44
PID 2716 wrote to memory of 2200	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	44
PID 2716 wrote to memory of 2200	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	44
PID 2716 wrote to memory of 2552	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	45
PID 2716 wrote to memory of 2552	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	45
PID 2716 wrote to memory of 2552	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	45
PID 2716 wrote to memory of 2552	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	45
PID 2716 wrote to memory of 2168	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	48
PID 2716 wrote to memory of 2168	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	48
PID 2716 wrote to memory of 2168	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	48
PID 2716 wrote to memory of 2168	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	48
PID 2716 wrote to memory of 1140	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	52
PID 2716 wrote to memory of 1140	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	52
PID 2716 wrote to memory of 1140	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	52
PID 2716 wrote to memory of 1140	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	52
PID 2716 wrote to memory of 1140	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	52
PID 2716 wrote to memory of 1140	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	52
PID 2716 wrote to memory of 1140	2716	d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe	52
PID 2648 wrote to memory of 2032	2648	cmd.exe	51
PID 2648 wrote to memory of 2032	2648	cmd.exe	51
PID 2648 wrote to memory of 2032	2648	cmd.exe	51
PID 2648 wrote to memory of 2032	2648	cmd.exe	51
PID 3016 wrote to memory of 2216	3016	cmd.exe	53
PID 3016 wrote to memory of 2216	3016	cmd.exe	53
PID 3016 wrote to memory of 2216	3016	cmd.exe	53
PID 3016 wrote to memory of 2216	3016	cmd.exe	53
PID 2032 wrote to memory of 308	2032	net.exe	54
PID 2032 wrote to memory of 308	2032	net.exe	54
PID 2032 wrote to memory of 308	2032	net.exe	54
PID 2032 wrote to memory of 308	2032	net.exe	54
PID 1464 wrote to memory of 2408	1464	cmd.exe	55
PID 1464 wrote to memory of 2408	1464	cmd.exe	55
PID 1464 wrote to memory of 2408	1464	cmd.exe	55
PID 1464 wrote to memory of 2408	1464	cmd.exe	55
PID 2216 wrote to memory of 2480	2216	net.exe	56

C:\Users\Admin\AppData\Local\Temp\d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d8d26545ddfc3580639399ce2c499873_JaffaCakes118.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\rst.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Del.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Windows\SysWOW64\REG.exe
  REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Explorer" /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe" /t REG_SZ
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\net.exe
    net stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      System Location Discovery: System Language Discovery
      PID:308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2200
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1096
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\copy.bat" "
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2168
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Windows\system32\PELoader.ocx /s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Del.bat

Filesize
260B

MD5
1996788e6f51d180aac40a813a780074

SHA1
4d0a153b5038c0a2bbd8de43899a3b096af9f4f4

SHA256
7e96c0a065e3464362e81b5c524979eeb1d1c5a3dc591ade33249161114e15f4

SHA512
fcf34a53a5ef1abd4de77264d315407e5ba2e935c6cf240d344def6fcf5d0857fa3438798e9c4d0320fb3c9442adb3f633c1a1555ec28396b19fe1e7a62f647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PELoader.ocx

Filesize
28KB

MD5
679818843f936aa6427a9d57446efec6

SHA1
a733b9ac633de38fcbfb56d755547b4745b5720b

SHA256
0af982ae9aedd285b6e4bffb28beba782efe0798b54d0f04d34ec491a5eb8395

SHA512
0321e7d306006e932c5069680c48551b044f4bca854d423d15e9db716fd340778027566edbe3fad228bfe55c475340ff82203c8ad564c81a79df0078fc32a2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\copy.bat

Filesize
90B

MD5
cfb653509db21d1f42180210a19477ac

SHA1
34ef6c12321929363aad04a802c709a07c6e075c

SHA256
9fd81e595efb9d9f949ba3a0360297a258d21c74a6fcb676b4ed7ecb42e5c0c2

SHA512
a37b46519e41a38799b8742a629bc9d51614b696984792c75e4a4db091f79a8206caaf7bbdb1fdc9f86592e6b3cca4228346e477244d4bccf17fbc9113dfc06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.rst

Filesize
354KB

MD5
d8d26545ddfc3580639399ce2c499873

SHA1
b53c9cf82ad10f813ff652d6bcb60aa03f751968

SHA256
d86e005f0d0cdf6f00a922f898b52b8eaef841436babc36f82c27ea8461eaf55

SHA512
f471ce7af57f3160d18c5b857a872665e5ca42a7bb2c70d1ac2de8c6dad23cb5b7dc41b97908d0831a99c81a736a9e3e1a90a9d3410d3393f88945c701b2459e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rst.bat

Filesize
280B

MD5
97e8bcd8d58cccc9dede5021860d199a

SHA1
ac33301a9c4f0778a4f725657e7d1b4aeda65d0a

SHA256
8db4042c22620e3b5c3c95cfd7cb46ce461fac51c1e62036316866ef998edf09

SHA512
2489cecbf5f7096611140f5e4227ce77b92aba39abfa0dd5293310267eea902db7917a1437136e9bea0fbeb909154c1972f01d22da2b0398e50178663b7434bf

Download Submit
memory/2644-56-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2644-57-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-54-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2644-52-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2644-49-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2644-46-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2644-44-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2644-43-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2644-42-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download