cybergate | 1e59bd2b7a9b15ff9c7df28e30906fb90a4e8932e6a6083426234cd19496ff10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db8d957b11131ebf6dc263e248b3d3b4_JaffaCakes118.exe
Size

912KB
MD5

db8d957b11131ebf6dc263e248b3d3b4
SHA1

a800b5fb44a6509a90d0b90a322421a31aab995a
SHA256

1e59bd2b7a9b15ff9c7df28e30906fb90a4e8932e6a6083426234cd19496ff10
SHA512

6586e17deff892ff1615aa528ef9cf461c5afde1782d24b22d132f60aba399c9caa557d13c39acafd1686670b4ec2fe01f647ef11d90d8d04f16f405a2f4da9d
SSDEEP

12288:T6M2sdII0jqCFGUu9GD0hKI+CjfARNNDSRIZF3mGmv4yTWhmNarjCu:T6M2pIvCYJGeKejfAR8IZF3mwyT5avC

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

vítima

bokbokbokbk.no-ip.org:300

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Appe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	Appe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Appe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	Appe.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{P0NI4058-PRIC-35CL-283X-O32W8YAWKE38}	Appe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{P0NI4058-PRIC-35CL-283X-O32W8YAWKE38}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	Appe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{P0NI4058-PRIC-35CL-283X-O32W8YAWKE38}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{P0NI4058-PRIC-35CL-283X-O32W8YAWKE38}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Appe.exe

Executes dropped EXE 4 IoCs

pid	Process
1996	Appe.exe
3024	Appe.exe
7332	server.exe
7288	server.exe

Loads dropped DLL 1 IoCs

pid	Process
3092	Appe.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	Appe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	Appe.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Appe.exe	db8d957b11131ebf6dc263e248b3d3b4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Appe.exe	Appe.exe
File created	C:\Windows\SysWOW64\install\server.exe	Appe.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	Appe.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	Appe.exe
File opened for modification	C:\Windows\SysWOW64\install\	Appe.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1996 set thread context of 3024	1996	Appe.exe	84
PID 7332 set thread context of 7288	7332	server.exe	91

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3024-9-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/3024-12-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/3024-14-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/3024-13-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/3024-50-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/3024-1376-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/7288-1475-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/7288-1704-0x0000000000400000-0x00000000004B0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6788	7288	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db8d957b11131ebf6dc263e248b3d3b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Appe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Appe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Appe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Appe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3024	Appe.exe
3024	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe
3092	Appe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3092	Appe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	Appe.exe
Token: SeDebugPrivilege	3092	Appe.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3024	Appe.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1680	db8d957b11131ebf6dc263e248b3d3b4_JaffaCakes118.exe
1996	Appe.exe
7332	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1996	1680	db8d957b11131ebf6dc263e248b3d3b4_JaffaCakes118.exe	83
PID 1680 wrote to memory of 1996	1680	db8d957b11131ebf6dc263e248b3d3b4_JaffaCakes118.exe	83
PID 1680 wrote to memory of 1996	1680	db8d957b11131ebf6dc263e248b3d3b4_JaffaCakes118.exe	83
PID 1996 wrote to memory of 3024	1996	Appe.exe	84
PID 1996 wrote to memory of 3024	1996	Appe.exe	84
PID 1996 wrote to memory of 3024	1996	Appe.exe	84
PID 1996 wrote to memory of 3024	1996	Appe.exe	84
PID 1996 wrote to memory of 3024	1996	Appe.exe	84
PID 1996 wrote to memory of 3024	1996	Appe.exe	84
PID 1996 wrote to memory of 3024	1996	Appe.exe	84
PID 1996 wrote to memory of 3024	1996	Appe.exe	84
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56
PID 3024 wrote to memory of 3432	3024	Appe.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:756
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3008
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3776
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3864
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3928
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4012
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:432
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4788
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:544
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4920
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:412
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4760
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:5032
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:5416
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:6120
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:5188
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:6620
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:4464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1132
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1400
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1736

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2700

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\db8d957b11131ebf6dc263e248b3d3b4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\db8d957b11131ebf6dc263e248b3d3b4_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\Appe.exe
    C:\Windows\system32\Appe.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\Appe.exe
      C:\Windows\SysWOW64\Appe.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2316
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4160
    - - C:\Windows\SysWOW64\Appe.exe
        
        "C:\Windows\SysWOW64\Appe.exe"
        5⤵
        Checks computer location settings
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
      - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\system32\install\server.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:7332
        
        C:\Windows\SysWOW64\install\server.exe
        
        C:\Windows\SysWOW64\install\server.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7288 -s 564
        8⤵
        Program crash
        
        PID:6788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4584

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:6976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7288 -ip 7288
  2⤵
  PID:6892

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ba36932f1b6918ddd960a829b596cb16 ocbNQBNUY0+rfzNybQXPRQ.0.1.0.0.0
1⤵
PID:3052
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2028

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
602KB

MD5
bc2becb23826d72a7e76716eef4f31c3

SHA1
48396bd5387c057d129e5db2de0b31ce3e7513f6

SHA256
06a2f5f8d4ecd13c60177dcea18f1c821a77508105de6762bc0772740d3598ab

SHA512
29684de0e168d9421ae8776e6b23d454fe288f55c9acc21993d65ebb9fe6509d69248b09a3e2b78d4f34fdbf8efd4d97c3e5b8e96f1e9e658118c6cdd0961636

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e245a7a4fcfbcf09dfaef615048ff7dc

SHA1
84541dfdc9eaa20357b880a3743324ea65cd16ae

SHA256
1862d660baf25ade5bb252452d4971dbf5e0c5027e7cc7cb9d40d86f0dc77007

SHA512
5fa3c9b149de5da956060c2983b3a7dca71020b80ebc430da917f68fb14a1f07c6644f2d7da9f00fec003481213f54ce7290f6198ce893fc107c3006ac918865

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f86bec8dfd20ff3bbc24c7a2af7caa18

SHA1
300d319e8c336a992049c87a492a297e94cdd8ed

SHA256
58c371275ce022a0014b8431174e7ce7fb207c1faaadc6ad645c0542c96a5f55

SHA512
63d58941e13c14043dd077afdbeb71a8acd18f3e8e7c4558d8dc566056d7237b0d3aedaf7f82f600d587acc3a2343c21e3e9037d7bdc7ad83fd84f9add61447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7ebd68bb3caba966bf83118fe01d2c4a

SHA1
4418e91695e085dc8af58bc52a770df6a2224980

SHA256
ab22416e1eb44eb10bb324ba06764098c82cc3aeeefa94af93f97b318e489b25

SHA512
f84c163b3e8a848b4f30e860f031401b9e353926751fb19e69b6f5a05850a7338c51d58378a876916cfde379448ed4a34077b029b61bfe3547823f7195b97d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c5cd3545e6667783eb8266dd68b8b7c5

SHA1
9c98f8069e446901ccfcb1e99af9d2222f94ac49

SHA256
19cbc16a5a6095d0729f0c30d7e115526760d6f669865044f9d70a5784ade38f

SHA512
7ba1b622046b6f8d21cc819c9ea6fd642e53e48db7044e99dc1c2651419dfee6714c593275de87a1e28fac760feb979beae24654d29d13ea99af5aebbd841a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d1622afcf616161863d92e44e58b7d8c

SHA1
f161c6ea8baaee2fedadfe6e98074a99fdb85f68

SHA256
316158fccd9017e3cc82c6a20e932be14741802b31aacf9d89b168a925d57457

SHA512
a28e177bc68ee11b908721ae25f56aeffb573fa68c5e95ccef5a41721fa489cc9ecc716bc03d4cea7f1043f18d5b65ac9f5557a74577985503c644078f042a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1749b0fb544cf35f01cc906f57305e43

SHA1
80b51bca3bf25b5131f113ea118d6bd59d856b5f

SHA256
831ed201d443cf194df84c95b334334bb5b9f9ee41b0bc16771f7962f11c3ed7

SHA512
7d9961d6f31ad39bca4c02e85e8bb06d32f46e446c40e3fc7e6569634014a96e36ac6e77d05a88a02ad9a897714041fa2846f38a437565f38e69b3d8481a68be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
48a60b4844430cc53e62c972be78c126

SHA1
0f50d776e8aa722ca4f73c4bd3ddd3ac1f83b005

SHA256
706713c9182a257f50c23ce2d29c83757e0b742cf9e8a0171e31dc9f44fc9134

SHA512
4b549c789c24502bd0ca104bda21f9b273e51bf79b37bba703b2638664d117b1d289d4ebd214a66bf5ca39e74d783f4a4e0395af22dc8266efba4fa2a034b0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4ecd630b2867921b202e58ff315aa740

SHA1
7545d058d1bd64e275670582f77906dcd3a732cd

SHA256
583114b9255c5e8ddbfffe136dd11370ff4aaf09364bd8504331a72b78baa882

SHA512
a5235678aaf217d5181eb9dd33318a719f473f2a4aa880a1462580e565795bc2a1eab174370ffb4620c4898305a81feeb001bb03ef91cff57b2aebc409aee990

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
85363a088649f876e5dcaaa3e2f96175

SHA1
4d8058a4942586dfe683595e90d87b0ffede9678

SHA256
7498beef1d86b55be2cd9d1159c6bcc8b4e57035fcfb33833573afe7b60c221b

SHA512
fdece88c165d0881d136c0ed4395787aa19cdd288e0a05095979e89c879e79de6738969192a85eb9a3b4fb0156a52b7018a90df74eee192e73b3ef43c3b64b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
28fd72164a35a52d0dbad872a6a0e24d

SHA1
97b7b346c2faff4266111c39fa1537a5f5fbdeb1

SHA256
8cc63028cefe060ea12ecc0cb03647a1bc54335b008c031c7a71f347756792f3

SHA512
ab072f79708a8eb66140a01efd47e0b0a9ffef5ed5c777ea7753643afc9bea4977979d061376e435ded3c7536775c1339ea9a4e7dc2a5f28ce53d5332c02ce61

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
526f329ee44e9f4b410a19358ed77cd6

SHA1
2f295928d378d02714a8c061967327e6c15981ba

SHA256
494c325fee949d6745efa1f256ce8357529c01f1ea36c1bca5808713344fe198

SHA512
35f8fdf439417e607f6e68cfa4ea4a0ffab4851820cba6e8dd88203aab76d9e37be2219c552a793abef522bce14e40f087394175192d7d24c99386c500d08ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c966b989cd131163e61774e0ed35ddef

SHA1
4d92426b2d63bb02bf7894650d3ec45bacaca0f0

SHA256
ec1d730fc2a2907e01dfad0ff29d56051f3b8033e889c559fc8a37712048c4d6

SHA512
9f4aa63ac040f4f10ab6eb892e8f38f33b81ce577f8f39876f450fc4b711a1acfc9facde9849368f587ec7b1935d8bb84b6a99eed0b1cfcc89a044b5754b4ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a175d6cf1437281ee4e017a9a0517b44

SHA1
3d81423d3cb6774b6c3d22585646b291aa105b54

SHA256
ad94619a05bb3c8f4978a8f36f0df22148ddcf3d74d3b8c6e57a0cf33007cc76

SHA512
ef1e860a7128ad4c603a7d78ed226ed401192f278452cfa24eee88f8fe9a645dd2770a43e3be145f23dab6f90f9600858f4818db1cd4f0199a9060e3848b2713

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9d6829a1b0fc6584697af85bb23f7df5

SHA1
768a552c25f5a6aba7aee988d33465a13c3f48c4

SHA256
fe00006248dd6ebe1970fa2a20a022549c5cc054102471f135cd2e1a6d73428a

SHA512
254904880b5ca26ec92749a0e915873fb340727949ef94e215c89a1d734250ed435b5359f529df43ee8786eeb3072dec6aed172e2d3a96b7ba1a04882c6db7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8fe48b2695a177d0028c14de9e2f10b6

SHA1
d21cba94ccf8037d01ad20e5e27d35ec681f7c93

SHA256
440e446b62325367459abf3710830286156397aa8c223fbf70e5d30c50bf1ba8

SHA512
412007faf2e82e15dd5775f730b213be9f5d1049482391221af8b7ad6c83186b9c09c4fffd58a62ca255221fdaf4198145d37433e4bd97b6921914ab17ff0840

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
318aa9ad19f5e70020a60c521fec0037

SHA1
3bb545063caab42ce6d43ceaf0ce454e1f276e2e

SHA256
b4122ae7161fb5a422f85c36a992c72001facd5012b943ac8ebca3d34b6ded28

SHA512
bf651fc25a452b342e81c3ebc3b7eb65f423d7ba72d785b899f2d7cb144c7627459ec18ab6d4fc23438e5cdf46706af3d1fb44e7a45367508e3e8d57ca7965d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
22f51179d473dfdedf2cf21992e54f25

SHA1
61b5271c55608bb30078eef972a0180586af99cc

SHA256
eabdd4af79bd0e2dd2f0e24fad030606d27f8dc1668fcbb723e25d6beba6e893

SHA512
bcd40f685300d247d60b22cc363e4d097a3705ed8f5c6beb3735b6b39550db803bd9448ad7ab82ab43a4448c7bb5404e88d1ef6a1862576ee8e67ed3ca35d8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ca5d53f9448980eb36d356fbed934690

SHA1
6ab32e7fa6fdc9a04fd63ed0d9bc356d69134869

SHA256
4c24bd70ce7c56a08be08ef680c61f08eea3b653d2d18b83a121fba1c1e95ab8

SHA512
061b3e1630bfbb742db9d428582e93ccede971668ac5af0d91f316d3de594b5360160eb218ef10433ef42aaeeea0e6363fd130bf3684f0d295a038fa4579ffd7

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\Appe.exe

Filesize
844KB

MD5
afa0030a42de37ede08254bc97f9329a

SHA1
20a5c8c1b104b37c30cbdceb7f6ad46bbba8ed38

SHA256
48e81fe4ac43e6ebd1755d461e8533ab476d7ea8e9dd3a174cc1b34fe0249050

SHA512
5847306486d9efc72a2d880d5fb2691b758acd1f5e3fa4140b263a11e35fe87db1545b63eccf77aa7631642deffe0fbfa92ae49cb3e83967565e0b893596561e

Download Submit
memory/2316-2028-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/2316-694-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/2316-26-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/2316-25-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/3024-50-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3024-1376-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3024-24-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/3024-18-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/3024-13-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3024-14-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3024-12-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3024-9-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3092-2036-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download
memory/3092-1377-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download
memory/7288-1704-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/7288-1475-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download