cybergate | b584fd5433d632aa99dca6d74bb54c538c575c2e120b5a42e9ab3ba001dcf143

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
Size

1.8MB
MD5

ebad1565a57049cc945805e803f1e562
SHA1

7e973b5993a3d9091a59bd4fb9aba61693c8ee6f
SHA256

b584fd5433d632aa99dca6d74bb54c538c575c2e120b5a42e9ab3ba001dcf143
SHA512

4879e6f07cc05b0de9f4fae1a4909f7667b9d2ae98e6704b82abd23ec280f750855225f9f5f61c2d485abb7351ea886f07b6ebc9c4297d974d91c79f78aa1190
SSDEEP

49152:MeucdlvadiF32fteZFRaSINSAubGP/B8GpIN37xZuo:ModMYF3EM5OSrbGPzqNR

Score

10^/10

cybergate vic discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vic

sharte.webhop.net:1005

Mutex

***MUTEX***

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
sys128.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
10027224
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rat.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\sys128.exe"	twunk_32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	twunk_32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\sys128.exe"	twunk_32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Audio HD Driver = "C:\\Users\\Admin\\AppData\\Roaming\\sefYIqHG6rX.exe"	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0G4JUTNL-NK6C-D1FN-JKY3-4626233A11R2}	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0G4JUTNL-NK6C-D1FN-JKY3-4626233A11R2}\StubPath = "C:\\Windows\\system32\\install\\sys128.exe Restart"	twunk_32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0G4JUTNL-NK6C-D1FN-JKY3-4626233A11R2}	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0G4JUTNL-NK6C-D1FN-JKY3-4626233A11R2}\StubPath = "C:\\Windows\\system32\\install\\sys128.exe"	twunk_32.exe

Executes dropped EXE 31 IoCs

pid	Process
2284	rat.exe
2816	epv_rl2c.exe
3060	sys128.exe
2056	sys128.exe
7212	sys128.exe
7260	sys128.exe
7320	sys128.exe
7368	sys128.exe
7472	sys128.exe
7520	sys128.exe
7568	sys128.exe
7616	sys128.exe
7664	sys128.exe
7728	sys128.exe
7788	sys128.exe
7916	sys128.exe
7964	sys128.exe
8016	sys128.exe
8068	sys128.exe
8116	sys128.exe
8164	sys128.exe
8228	sys128.exe
8276	sys128.exe
8308	sys128.exe
8344	sys128.exe
8384	sys128.exe
8412	sys128.exe
8468	sys128.exe
8500	sys128.exe
8536	sys128.exe
8572	sys128.exe

Loads dropped DLL 29 IoCs

pid	Process
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe
11968	twunk_32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audio HD Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sefYIqHG6rX.exe"	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio HD Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sefYIqHG6rX.exe"	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\sys128.exe"	twunk_32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\sys128.exe"	twunk_32.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rat.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rat.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\sys128.exe	twunk_32.exe
File opened for modification	C:\Windows\SysWOW64\install\sys128.exe	twunk_32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 2012	2284	rat.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twunk_32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twunk_32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rat.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	epv_rl2c.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	epv_rl2c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	epv_rl2c.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2012	twunk_32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2816	epv_rl2c.exe
2816	epv_rl2c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2284	1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe	32
PID 1752 wrote to memory of 2284	1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe	32
PID 1752 wrote to memory of 2284	1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe	32
PID 1752 wrote to memory of 2284	1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe	32
PID 1752 wrote to memory of 2816	1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe	33
PID 1752 wrote to memory of 2816	1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe	33
PID 1752 wrote to memory of 2816	1752	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe	33
PID 2284 wrote to memory of 2012	2284	rat.exe	34
PID 2284 wrote to memory of 2012	2284	rat.exe	34
PID 2284 wrote to memory of 2012	2284	rat.exe	34
PID 2284 wrote to memory of 2012	2284	rat.exe	34
PID 2284 wrote to memory of 2012	2284	rat.exe	34
PID 2284 wrote to memory of 2012	2284	rat.exe	34
PID 2284 wrote to memory of 2012	2284	rat.exe	34
PID 2284 wrote to memory of 2012	2284	rat.exe	34
PID 2284 wrote to memory of 2012	2284	rat.exe	34
PID 2284 wrote to memory of 2012	2284	rat.exe	34
PID 2284 wrote to memory of 2012	2284	rat.exe	34
PID 2284 wrote to memory of 2012	2284	rat.exe	34
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20
PID 2012 wrote to memory of 1152	2012	twunk_32.exe	20

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rat.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ebad1565a57049cc945805e803f1e562_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\rat.exe
    "C:\Users\Admin\AppData\Local\Temp\rat.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2284
  - - C:\Windows\twunk_32.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:12024
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:11952
    - - C:\Windows\twunk_32.exe
        
        "C:\Windows\twunk_32.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:11968
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2056
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7212
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7260
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7320
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7368
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7472
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7520
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7568
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7616
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7664
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7728
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7788
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7916
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7964
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8016
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8068
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8116
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8164
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8228
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8276
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8308
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8344
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8384
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8412
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8468
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8500
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8536
      - C:\Windows\SysWOW64\install\sys128.exe
        
        "C:\Windows\system32\install\sys128.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8572
- - C:\Users\Admin\AppData\Local\Temp\epv_rl2c.exe
    "C:\Users\Admin\AppData\Local\Temp\epv_rl2c.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
153B

MD5
5a0dc052c05755f3dde24948cae50f83

SHA1
5a6363f7b52fe03f2dff0413a8e592892672cc3d

SHA256
1f739fce0d85c98d01ff0a7ad2d94a3bc3fa514c9967f3ccc1e58cc57466814e

SHA512
5d6bc0c89581eb04565ba94063a1c4c14c521571d846d27987d4a36197024110a1cf136d3e678e2f01d44437f8b5e67901ac10d0b9efd90a69021b111a0e1a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
459B

MD5
8d36fddd581b4f2d9f217c7ae2ea6828

SHA1
729713bea7fc014ce2ecb265f371d24a6ac1d767

SHA256
5e782eef079219543190baba814ec6b601bff11a6ade44c7a83be3da9f5bd97f

SHA512
73e94bf0d26fd60b3c0db054c391b06dcd3d9f5dc16262fb60682896878436212fc4014faa09e3c80afe0c35be8231052685205c2b8543dd363844820dae041e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
765B

MD5
c3210b5e7a546e37bb086707d1cb8fde

SHA1
ad684a796a4e7e3972db6647b7b00986ff4733c2

SHA256
84cc857706a65b374b713f5db348305e521c43e4a5d50904e241bdb939b6fcc4

SHA512
fcf92bb1a594c33562e004275220e445f4767f305046776582dea246407951c1fa8d1766646565f08c47e1bd1117a23570937b9eaaa99801d8d9eb31cd89d299

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
fe164e8c0f5d0f4252be5b25fcc6dc88

SHA1
fa160614f22d7bd84bfa7df938141b7659b74158

SHA256
2c2e518de03fbaaa08323bf60880c4ae2d5417b42e856c96e79bcc7a4bf3c8f8

SHA512
578288a54ba54ec5a1c65c68662f6363b8631603afcd1441070a8951824fe8a826479da57e4681b974adb820a42cbd4f6c78ea94f9e7b401c392b624528d84f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
c5e57b7ead21384ce422b673de1b2dc6

SHA1
8f72186a92189c527f6bf124ab3c7fb390cd778f

SHA256
98b7cb28e6122a01848c281192d9c656715cf17b8225a56d4dcc697a643878ee

SHA512
15ea02612c66511faefd34b88fe568796ab3ceae234c55c1616e75bb621c7be6a43803370e5b2f85034b10aee26684a61bdae55e04a89dbac64cce49b983451d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
7eab8efa3d126a69c1a92f99095f1c86

SHA1
f165a11de2785e237ab66d9aae0aa591948adfd1

SHA256
af98407c9882ae501ec7f5c9eac47033e39a493783cde16dbdf1e706dcb49971

SHA512
d6dda1bbfb9137fa174eb8f9f4331202732d90c46b61d15317ee1383fecb9adfa7248757fa29a1bf637ea3eb0975adf873eaf8c7abb66435934721f932645904

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
b25ab90d1303b005339684aa6e151a58

SHA1
79c7cd998f8a4733934e893719d225d3646233a9

SHA256
6d5e7906399cd2c479aa06175a8a6921b24481037761336ea047902a80bb5f04

SHA512
247a64406945fba9a6fc46a5ad91ff5cd6f33c7544511012277dc2a23e9f0ffe184aff6b416df06ef64066e0f6d389b3fc48d81f14b1eb4bd81d1fd80efe98eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
5159f6471ada101363e8c27cd34fb3c7

SHA1
5de7f5c12912ce40c93a8ac3ac0932029b74de6e

SHA256
1c0be058a28e0cc66e0e2f77961a0adee50b2d1228e64970bb4260161139c106

SHA512
fd21f49d9ff4a2dea820d9525f7d0e1774f3ac23f9b855d5b269accbfbb4fe9d02075992d011bba8ad247dd47928417a202ba767f2c7aa2098bcc3eb5bd4d214

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
89e81697185fb7468962c2da3a54fd48

SHA1
024f51206c7eb7d80dd6784de12acb60011ec8f2

SHA256
aad76303b1bfb1ebc3e37d31f2b3f725da7f0b2a5bab7c764de62a7d44d2d15b

SHA512
763c9be6d94a8cd3914821e9c7a6510e5a2d10084bad4be36791463ce2255d403a8253464195d6d4ec0cc62d69e4d061db027d71214afb7e7b630d965aa2ca40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
2KB

MD5
ee57819178472be044026c5dbd2b9a48

SHA1
9b9cfd30239f3d04924b30dbb4a665638392a7bf

SHA256
cb5d134f9801086616fa93dad2d63006f7f42737a1209e875631e5d32deed964

SHA512
31c8d7a3b5ed7ea2875a0b3e850a10e24321c6aeb573579a8cb3ace185110926f6373903eac588a9231318b9f74abeed9919d2952e0ec0b723268e9480fc0ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
2KB

MD5
fa15e89f5c87a10cdaea30d48b5a0e60

SHA1
7183723158d193d560f104d0d3df66476f3683da

SHA256
b577de42d9e155860b01cfeea174ef623ae70138e1959cbda91d58d4f9634fa5

SHA512
e03349a65bf6c020baa2895b51cffffbcf3c1f911ffb4e376d1a916ae599e88b22db2ab5152e3331b14ed7f3cf908ea5c9d7e301ec4ff356da9a69189f109b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
2KB

MD5
7e1bfd5380867a01eeb4db171f951408

SHA1
1b495acfb4e2444f01b9350fd4d61d5ec7b0b522

SHA256
92a0d0f7f79d62d7e08edaf2a481ca39b91337ee563d18af819f367edbbe719c

SHA512
e0a2aadba2892d5f9fff064164193fa742f8a645f61088579ef95036e8fb60d3d3c9fe9edbee24c20d3386672bb6d3e9c4f095c826fd6bbf7bc3a8bade9bd88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
4KB

MD5
734f736504531047064ef5505dee8cdf

SHA1
3536ea438db5a262901488ad1168fdcdbb760a0f

SHA256
d0201d233c2a2c2de1bcd95f2d122c8a6e37ce8a73543c81f3d1932060bc723e

SHA512
f4a15f5c448c413c7e2dfe75016456cf1be9e993afede97be6a348b72ac35a8fff4a2519e08c8e89b02a1e05b2a25593a820ca4a1bd0dc60535a377970c3d71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
f097cef6ac6096bac70f7b19922e958a

SHA1
7d9459d105b2722d76f5df9afcd16a7fcb856900

SHA256
2df77c4f7876dbb2054b309f2f34317489bd3f7e7c9e34d74655e5ad52e7efaa

SHA512
758264078f17fa1c790a873c2c105b49b806bfdfffbf7645ae54af765f70d4c74e080e25fd0030534980d80c806bab5146f2e34fe3c8c7ae42588abe5baf7a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\epv_rl2c.exe

Filesize
1.1MB

MD5
914926b5e35390083ae6c8018aa546af

SHA1
cd40784beb4dd2e6f0b6e38601cfa75f4cc9578e

SHA256
83e75938fd4c4b5014c7e80591005c7fafffb44f475d04746d27b5184606c473

SHA512
d308d9ebd8347b97bb5f55d4de428ac3415c68078ae16cd4c9d2907698f2680d73ca68376a53b5395e05d822b96536850d2c0f211fe233d4c7ca2bf00743abaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rat.exe

Filesize
704KB

MD5
5b5ec13b693ff8ee9a8501d29c0ed8e6

SHA1
2c4fd0f302bdfb5b67cbf92bf0762fa9d9da4651

SHA256
e21bc4e1a449c8c0d10a06599f8bea521445426d9241d62213a7bae44beee42a

SHA512
42a60bc17bca178b1c36f423e9dcdb2c73e218469d66cbb69ae6076666622e89976155e3264cd7416d4d5a98689dc3c7c2c996f5b49fe7d2d14beb12139dab93

Download Submit
C:\Windows\SysWOW64\install\sys128.exe

Filesize
30KB

MD5
0bd6e68f3ea0dd62cd86283d86895381

SHA1
e207de5c580279ad40c89bf6f2c2d47c77efd626

SHA256
a18b0a31c87475be5d4dc8ab693224e24ae79f2845d788a657555cb30c59078b

SHA512
26504d31027ceac1c6b1e3f945e447c7beb83ff9b8db29d23e1d2321fc96419686773009da95ef6cd35245788f81e546f50f829d71c39e07e07e1fecbf2d8fd4

Download Submit
memory/1152-55-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/1752-22-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/1752-2-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/1752-1-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/1752-0-0x000007FEF5E7E000-0x000007FEF5E7F000-memory.dmp

Filesize
4KB

Download
memory/1752-3-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-38-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2012-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2012-29-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2012-48-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2012-34-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2012-42-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2012-46-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2012-54-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/2012-51-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2012-27-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2012-31-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2284-26-0x0000000002010000-0x0000000002050000-memory.dmp

Filesize
256KB

Download
memory/2816-8857-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-24-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-25-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-23-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download