cybergate | fb3c66aa05455f01a4123f7e0da96176864b64548a37cbb23952aaeb7f2043a6

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
Size

753KB
MD5

d9352c735d7fae5fcf4ac84ee2eb2bf3
SHA1

3e19b500ea42890e2ddb7b44bf9ea3aa1237db49
SHA256

fb3c66aa05455f01a4123f7e0da96176864b64548a37cbb23952aaeb7f2043a6
SHA512

97883e4ba4e31538c949e361443fbb2a6aa8585641ed450731fd2c9c323b647fed1e15181c1186d29001e503138c47b928d0a71086673a32476d51f48a549117
SSDEEP

12288:Dp1zqkYuGSLkWiTDDzBkUQfk7jbf4jdfIzGBSItFAHM00iPNHN5T73UAErZvS:1xqKnLkWiTD6xUHf4jNLMIrAZ0ilHN5i

Score

10^/10

cybergate vitima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vitima

fastzaoloko.zapto.org:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
lucasamaro
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2784	Injector RL Hackers v1.2.exe
3924	CF-AL Tryhack v1.4 Atualizado.exe
1820	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5008-0-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/5008-4-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/5008-7-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/5008-27-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/5008-65-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4176-70-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/files/0x0007000000023c72-72.dat	upx
behavioral2/memory/5008-141-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/2236-140-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-175.dat	upx
behavioral2/memory/3924-178-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3924-181-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1820-183-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/4176-184-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2236-185-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/2236-186-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
756	3924	WerFault.exe	87
3680	1820	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CF-AL Tryhack v1.4 Atualizado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injector RL Hackers v1.2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe
2784	Injector RL Hackers v1.2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2236	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
Token: SeDebugPrivilege	2236	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56
PID 5008 wrote to memory of 3524	5008	d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:4176
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4416
- - C:\Users\Admin\AppData\Local\Temp\d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d9352c735d7fae5fcf4ac84ee2eb2bf3_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\Injector RL Hackers v1.2.exe
      "C:\Users\Admin\AppData\Local\Temp\Injector RL Hackers v1.2.exe" 10
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\CF-AL Tryhack v1.4 Atualizado.exe
      "C:\Users\Admin\AppData\Local\Temp\CF-AL Tryhack v1.4 Atualizado.exe" 10
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 576
        5⤵
        Program crash
        
        PID:756
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 576
        5⤵
        Program crash
        
        PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3924 -ip 3924
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1820 -ip 1820
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CF-AL Tryhack v1.4 Atualizado.exe

Filesize
276KB

MD5
2cfca007fa450a27bb068f163003b22b

SHA1
42ca5c40a5bd363f59cf1e4efac4266add3ac7d2

SHA256
09c1949e229513ef61b891d01bdca10c80f2d83d2ae70cf3e83185a1721bcbff

SHA512
d764bf521c710d0083a9a311e24e339978c3ff3a62306d3822e35f70004f33dd8f475a9052bed094e70aaceb44e40b138c0aef70dbd4387ae6d9ccd3f29d1655

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector RL Hackers v1.2.exe

Filesize
400KB

MD5
40e30ffcb57a227c409618b948e72997

SHA1
f9dcaf64df2b2a20c5c5f8bc5bec04b3a0a7fe9d

SHA256
1f8cdff55f3822cf4348f224f7d2747d652a5e0468e0db950dbaf8716f52cf6c

SHA512
da7317ccb925ce00208129c2a66be091ab56cede3ed33a58cc52836bc1067ba04d52bf9784cfb9db43c594735e64eeb9df619f80c92714138ef6cad7f201b40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
906KB

MD5
264a5f4e025aca7176ce78b85211006c

SHA1
f205b6f44290a076b252a562da400617ad3cb7f7

SHA256
91452134c0fe8e0a6ce2e3a12f49e67e841fe21f805b72db197526b676a0ac1f

SHA512
458f0f17761100c3c1c8998256f63e39653ea368f27d760a29b37f53ea5ff2f837259dc7802b4533196ae3a58cd4474392cf50df8dac6ff1e6d2ffb9f619a366

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d8791e7098ccb9a21718067f6b1a4036

SHA1
1d944af9024a172fe4f7e8ad5fb2712b80ebbb1e

SHA256
e8889491706a1f4c765f13a8a13b85bc31601fddd8dead96385d049a2535e65c

SHA512
928cef228302bd8ec4b2b3ed18241a06e7730a1d9c0fa77c9d2ffc2acd14ea3b16ba4977791b0cd13fcde288b41d1a3ebb2df4de476e4e2a7c3767db016de6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ed91ed0c991a291e3fc22fbc68bca9e7

SHA1
9bec6b60749deeb77658c1ebb7a4b7cbd332da3a

SHA256
70b97550ebe688938767182f1e1e74f62f70c36f43b22271d262521715f63ce9

SHA512
ef91375f46200a26710984e3b75d3f6e1575f74e7d120d79405fe7a776cdfda9d75b1a04c84fc63a6ed8c3fc0c4063c0dc4a9a3ac753191343d8f8fbca6f13ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3008a029921e405098b55882234e4965

SHA1
f471edbac44f200b97b8f7fd733c894de2082dd1

SHA256
8cb2ae1c62ebaeb9d12771b4b2c3d0e06da60fd3118f42463f6bc4648a4f5eac

SHA512
f5a0d0a96531ca832412291e33924ad7df5746a5edfe59bec761c3f82a66baf5ed55a37556502c620f3663aa4a4a648a38b1db87a9199fb704298170c9152fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0cb6a74cde8a9d9a88aa838b082d30cf

SHA1
cd947281aa6a273d918f92e85188d1a740b1118d

SHA256
7798dbf2f0ae5d47e769ac63337fa32d6a15d08eb90657bbe039a493f1125e95

SHA512
d363a6a2dcfd6ac3681f45a66aa73bcd8ed01721c79998ce4cb7fbbe9dd8eefc6d98cca00f050a08ebea81d9809bdd2727a0faf34139da883684e3c045d502a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a0393d01a6d37a5165d723f94a7f35a5

SHA1
1ef6f75a8bd818f7288a7cd4388135ef9d8b00b9

SHA256
50568d4a9323acecab96e692a9bf01e4a6507adaa03f4fb9766dbbad6c6031a2

SHA512
6217d99692e5bb2a58fbc27e7ebc8e182cd8d0dfa46a879259856a25c36673c7e23248193cc6d6c696ae1dfbaa42611ee914c85721296d9fe6889b0ea58564e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
45914403cc303387f919f3ef255142e6

SHA1
2d90e0b0afded36ab6b814533b70b4eb6da17924

SHA256
52eceba7991be47e636d3d3adfe030e0ec50a3df6b6b8f4919e928fdf8ad8cf4

SHA512
267a96cecdba8b51279a007dff63bf69a9f8b1c8ba736707cf27af04175b84dfdbb7303a2590a6507baf62942aa59880788f0dffb1e662dc87e14e03da099ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9a6212e54a4597871c1700d1ec7ee9ef

SHA1
f7af5f6d93bff9f29a51924dcd98c7b42839a30d

SHA256
c9e0ef635282359d3953405c9f7ff1affa1868d72abe77c7308712a86321e247

SHA512
1333a153bb2071d51848238a7b06bfee72ca40f00ad49d0db4a3483e88cc3637998c17b1c8a959f0b8638e3b700c95468ad597205fda6de88a059472e323ec02

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fe16f783aff60ed6941665f28e7478c6

SHA1
69fdb5bc3a32f75a5b3e484d69e27cb218180c63

SHA256
aabe9f609eb335de67e543db351a71ac8f8dc0ef26cf1b295e31138d4213a5eb

SHA512
b6a845d86698f85214a8a008ae967e9626ca7eb1e1e7ed848f3c57bf5196846c03a24e9db99ebd870e2a35c90e97f625ebc14cd8728a6b54f7c393a6c64c946e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7619702aeefec1a2135f7e72b44cc87b

SHA1
0fc8aface0ba62ffb5b232fb97ce6423bd4de85d

SHA256
4706a9ea57c9774554e65a63f77b8c831cb87f10b57adf5ef1c88fe84d25d6d7

SHA512
02137d4bd484855c0029f2d51eb4cb1c970a32b4383f273d8a72b05e3905741faad684071d085e6f9dd92cd8a280a5fce54ae2a5d313608f05dbd6cfb36df006

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
45bc754a263581ff8c4ee99fa6c0a9f1

SHA1
cd68423f0507b7d06ff35fd77abd913c7d38a093

SHA256
953a8c1f33dcaa65e260b73b131ce48877b8adcc024bfadc1d26c16819928f23

SHA512
3c69ac1b5ed4c40d7326c998c5744eae68e559a4490e1c6b96f57ca8b3d0897a80108e48e1c05691d169a9035983e6f3d577f67c0459eeea232aa51381cfc389

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
95b382184fd7bdb4e8059bcca7f1db60

SHA1
550e921244cb9659f783d9a9cd3dd3e5c35c74cd

SHA256
91b144208c8f063b44f88fb057466660a8a6337dd28c66c1c61bbc257c985205

SHA512
0d06fa81a15ff2319aebc969351f4fe6aa6c5b1847c2ae0d024cdd1b2c4122a6e61c116bebfe78aac104be10ce576747e0d09dc882ba4074b8711c4ffaa89eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
937e0d045f79c6ff540b9d41387ced77

SHA1
c6b697171c9b1959b5df524cec78e1af3fab1171

SHA256
4b7b57f2cb16d5a70ff5894e779beb3d1b2769835e6f6c002e2e4f1a28a43ca2

SHA512
eeacd723ba180391406a5348095c88fc15b4bf119adb625d561e215c1af6c07f31cd25abfae6532cd839ab93af54b4bb4e7fa452d27a4d4d559c67f62b3d032f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
66431af0c7928e9ef5e6166fd8b1b1f8

SHA1
802455eff9ce809d0f44c56110869c0b63500caf

SHA256
5ab3a9790b330638dc2a6999c8691662374a547fc656b953d676493508d69b1b

SHA512
142253813e6b06d75d113f993e2773f1e4729c62ec519f7a4a302336586ac1533737e0fb17e933f44da6d42cee1b0e76cd52d0212970a1bead0e283cb49a43de

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
74b43dd320eac9d1c4ca725a4203cd9c

SHA1
1f519027f25556ce477a9f7f161eefc0bbf0286e

SHA256
739aedaed13eb3d993f87225837c13b8dd9d6182377c57fd892300e03f3e01f8

SHA512
23a2d706085db9dd2a381e5fe12c218556ea97258719f5923995c7accd533674b3fec33b4f87224f037af3943ef0f5c2d271b2842505c56f49498102591afe6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
200d99b3439f620937b446f067e247ce

SHA1
b265f5e6ccee538d1b1e12811275a485b851345a

SHA256
f28b7aa05408485ff72a6840d35c62d052c3b2d25eee472e2fe5a6a48ae43932

SHA512
f2512079394e262e663d7115e29eb671c8738fbca193eb7c009ea2e0e26dd07477b793a0183bea675e1609fad8992bb272a9424658693bc7a55844de2bd95185

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3772ea5b9fd4bd602fff440f00f146c3

SHA1
bfd8f277175468d2c2366c0b8a3929d25c085a5f

SHA256
602d16e820943123907f9fe83629f9a32b09db4952192899700c7cdf277d4b14

SHA512
36201339a309023b80cef303765207c3a2a251a2ba42ad6cca2ad8a0ba8131c53dcc8cd67ecd058a0d32e8a07b505be5b0692f5986972e31e89fca04cc25fb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
602221439ebf56dbf880c824f9ca76b0

SHA1
8d09c65cec4f0b24dc7e238478b608ef8f208256

SHA256
a8daa187ebcc793aa6fe986099c07c43d5256a910c961c55aec7a13a93e656cd

SHA512
f5a73d68a56251f8b50dabee89dbd7017e51b6ced2701d459102b414a831de5078ce10e186a7f158beea1c7c9ed38e4329465e46ef46b42691b029f86d1591a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a44cea083e82b47c5979ff8d4c453ab2

SHA1
fb8063ce01df61ebb41f7676d4ce4a880bf071d6

SHA256
d02a4ccc8a351301445f8b24dfc4a8c356cb9845693dfe063e13de17af2e6860

SHA512
66cc15e8cd525f0e560e6ba474cdb1d6f0501c6560309b2aa772829c0b3b1a97005f6a6632261dcee0576f8b7acffa67d3178ae86ca3f7fc14f6c95683e5efe5

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
753KB

MD5
d9352c735d7fae5fcf4ac84ee2eb2bf3

SHA1
3e19b500ea42890e2ddb7b44bf9ea3aa1237db49

SHA256
fb3c66aa05455f01a4123f7e0da96176864b64548a37cbb23952aaeb7f2043a6

SHA512
97883e4ba4e31538c949e361443fbb2a6aa8585641ed450731fd2c9c323b647fed1e15181c1186d29001e503138c47b928d0a71086673a32476d51f48a549117

Download Submit
memory/1820-183-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2236-185-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2236-186-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2236-140-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3924-181-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3924-178-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4176-70-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4176-184-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4176-68-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4176-8-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4176-9-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/5008-0-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/5008-141-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/5008-65-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/5008-27-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/5008-7-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/5008-4-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download