cybergate | c9f3a9caa9b0a67bca48ff6de615351465d0548ca32d7fdaf87dc19a011ff4f7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/12/2024, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
Size

528KB
MD5

fc0eed6b92b5874b37367f08538de1d1
SHA1

7c0d33e53b16c3a6803122e3fa6561d787041210
SHA256

c9f3a9caa9b0a67bca48ff6de615351465d0548ca32d7fdaf87dc19a011ff4f7
SHA512

1356e7f9c060d537f62cf3bb2b75c5ad3ab08b049d5ddd0059a5f405ebbfd0a0ecf40558799d05e2dcedaf99d566c451487d7de3135e7b561bf8bfb1d0915913
SSDEEP

12288:xjLgk4QdQLUq0JhMOuWqyEiPjF7OomtZkga:AEQIvJhMWxZVOomjk

Score

10^/10

cybergate microsoft discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Microsoft

dicube.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
utohcamoh

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe

Executes dropped EXE 5 IoCs

pid	Process
1956	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
1408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
2296	Windows Update.exe
5040	Windows Update.exe
436	Windows Update.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\Windows Update.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3408 set thread context of 1956	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	83
PID 3408 set thread context of 1408	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	84
PID 2296 set thread context of 5040	2296	Windows Update.exe	90
PID 2296 set thread context of 436	2296	Windows Update.exe	91
PID 2296 set thread context of 1852	2296	Windows Update.exe	92

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1956-22-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1408-44-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1408-39-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1408-35-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1956-29-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1956-25-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/5040-86-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1408-87-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1956-117-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1956-135-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/436-138-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Update.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4308	msedge.exe
4308	msedge.exe
1852	msedge.exe
1852	msedge.exe
4604	identity_helper.exe
4604	identity_helper.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe
Token: SeDebugPrivilege	436	Windows Update.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
1956	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
1408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
2296	Windows Update.exe
5040	Windows Update.exe
436	Windows Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 1956	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	83
PID 3408 wrote to memory of 1956	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	83
PID 3408 wrote to memory of 1956	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	83
PID 3408 wrote to memory of 1956	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	83
PID 3408 wrote to memory of 1956	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	83
PID 3408 wrote to memory of 1956	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	83
PID 3408 wrote to memory of 1956	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	83
PID 3408 wrote to memory of 1956	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	83
PID 3408 wrote to memory of 1408	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	84
PID 3408 wrote to memory of 1408	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	84
PID 3408 wrote to memory of 1408	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	84
PID 3408 wrote to memory of 1408	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	84
PID 3408 wrote to memory of 1408	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	84
PID 3408 wrote to memory of 1408	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	84
PID 3408 wrote to memory of 1408	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	84
PID 3408 wrote to memory of 1408	3408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	84
PID 1408 wrote to memory of 2732	1408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	85
PID 1408 wrote to memory of 2732	1408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	85
PID 1408 wrote to memory of 2732	1408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	85
PID 2732 wrote to memory of 760	2732	cmd.exe	88
PID 2732 wrote to memory of 760	2732	cmd.exe	88
PID 2732 wrote to memory of 760	2732	cmd.exe	88
PID 1408 wrote to memory of 2296	1408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	89
PID 1408 wrote to memory of 2296	1408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	89
PID 1408 wrote to memory of 2296	1408	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	89
PID 2296 wrote to memory of 5040	2296	Windows Update.exe	90
PID 2296 wrote to memory of 5040	2296	Windows Update.exe	90
PID 2296 wrote to memory of 5040	2296	Windows Update.exe	90
PID 2296 wrote to memory of 5040	2296	Windows Update.exe	90
PID 2296 wrote to memory of 5040	2296	Windows Update.exe	90
PID 2296 wrote to memory of 5040	2296	Windows Update.exe	90
PID 2296 wrote to memory of 5040	2296	Windows Update.exe	90
PID 2296 wrote to memory of 5040	2296	Windows Update.exe	90
PID 2296 wrote to memory of 436	2296	Windows Update.exe	91
PID 2296 wrote to memory of 436	2296	Windows Update.exe	91
PID 2296 wrote to memory of 436	2296	Windows Update.exe	91
PID 2296 wrote to memory of 436	2296	Windows Update.exe	91
PID 2296 wrote to memory of 436	2296	Windows Update.exe	91
PID 2296 wrote to memory of 436	2296	Windows Update.exe	91
PID 2296 wrote to memory of 436	2296	Windows Update.exe	91
PID 2296 wrote to memory of 436	2296	Windows Update.exe	91
PID 2296 wrote to memory of 1852	2296	Windows Update.exe	92
PID 2296 wrote to memory of 1852	2296	Windows Update.exe	92
PID 2296 wrote to memory of 1852	2296	Windows Update.exe	92
PID 2296 wrote to memory of 1852	2296	Windows Update.exe	92
PID 2296 wrote to memory of 1852	2296	Windows Update.exe	92
PID 2296 wrote to memory of 1852	2296	Windows Update.exe	92
PID 2296 wrote to memory of 1852	2296	Windows Update.exe	92
PID 2296 wrote to memory of 1852	2296	Windows Update.exe	92
PID 2296 wrote to memory of 1852	2296	Windows Update.exe	92
PID 2296 wrote to memory of 1852	2296	Windows Update.exe	92
PID 2296 wrote to memory of 1852	2296	Windows Update.exe	92
PID 1852 wrote to memory of 4976	1852	msedge.exe	93
PID 1852 wrote to memory of 4976	1852	msedge.exe	93
PID 1852 wrote to memory of 2628	1852	msedge.exe	94
PID 1852 wrote to memory of 2628	1852	msedge.exe	94
PID 1852 wrote to memory of 2628	1852	msedge.exe	94
PID 1852 wrote to memory of 2628	1852	msedge.exe	94
PID 1852 wrote to memory of 2628	1852	msedge.exe	94
PID 1852 wrote to memory of 2628	1852	msedge.exe	94
PID 1852 wrote to memory of 2628	1852	msedge.exe	94
PID 1852 wrote to memory of 2628	1852	msedge.exe	94
PID 1852 wrote to memory of 2628	1852	msedge.exe	94
PID 1852 wrote to memory of 2628	1852	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKSKT.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:760
- - C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe
    "C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5040
  - - C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc5f3146f8,0x7ffc5f314708,0x7ffc5f314718
        5⤵
        
        PID:4976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        5⤵
        
        PID:2628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
        5⤵
        
        PID:4420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        
        PID:3168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        5⤵
        
        PID:3412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
        5⤵
        
        PID:3548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
        5⤵
        
        PID:3908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
        5⤵
        
        PID:1548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
        5⤵
        
        PID:868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
        5⤵
        
        PID:2224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
        5⤵
        
        PID:1840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15547686494691762825,8503085174402810651,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3156 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
efd21bd7c0f2184d83bf440349dae423

SHA1
a1912677821d8e7801c60ba631467b18ca1e59e7

SHA256
0b365b7d94fdbdd981ce36bc48776bb27ab93b2afb4b53165b6154676f32d436

SHA512
572b1e508d6f5f216413fd9f820a10792e4779da87ef0a30526bc4fce9a7ac9ea5302c28fd49bc223afe5b3445f8abbf2ff4868cc2847c8eca98c811baadb69f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f0250013-ab98-438f-ae7a-cb2771b0c29c.tmp

Filesize
5KB

MD5
8717586affcd656fb08183eb2b567f01

SHA1
4fa1726e291a13a6326966b5b606928f8076ee23

SHA256
3ba65b3c280a5a7cbf6b9a559a2796b9b61db94a9ad8e137381ef766d4306b61

SHA512
b257907c61ae8ab13a7443c38551c4196143616c987aae55464859de45804fd0d785c9ffd0473094c08378f0c26c32093e9b2a79b65843f0d4ba632c37d68f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
862130d229e5b95663543d45ba54f4ce

SHA1
f2868eb6ecc04a9c175c7a3cecc289fedf213020

SHA256
3edb78ba3cf7059f615dc6215fff5fb6e0789b6dbf33f21472dddd1fd157e2bc

SHA512
aa7d043bc43a3b7254115e6543ed94c97bef0a78b518ceeeb378cb5ba46aca8474c2d32c03a0f9adb857b68c4fc33052c47e714ff633f26bd2203eb43f803a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKSKT.txt

Filesize
165B

MD5
55078117cf471e8a8121dbc8f6d159bb

SHA1
5b19af55ad6ac1d5f7a9d6fd972d2785266f5e63

SHA256
f62c2d6aa9e97285e74642e8d7b97dcb01221f73d93e829f220e116616034c6e

SHA512
8a4950bf5162a1620246772a4a37632feb22748077702c9f8ee2e510d501be4ad3789f1d90f780d6d34525ec1ba51bf32d64ff4babd7e067cde55c4c690783d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe

Filesize
528KB

MD5
fc0eed6b92b5874b37367f08538de1d1

SHA1
7c0d33e53b16c3a6803122e3fa6561d787041210

SHA256
c9f3a9caa9b0a67bca48ff6de615351465d0548ca32d7fdaf87dc19a011ff4f7

SHA512
1356e7f9c060d537f62cf3bb2b75c5ad3ab08b049d5ddd0059a5f405ebbfd0a0ecf40558799d05e2dcedaf99d566c451487d7de3135e7b561bf8bfb1d0915913

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe

Filesize
528KB

MD5
494e2f974787e8e592d300f243829cca

SHA1
24e9a168a1e28ba361a78cf6b7f4c2ce28983d13

SHA256
63eadfd2c93ed7b4cc3b0e667a9ceac681d6e845142d9c2e816d5e33d8c4a5d2

SHA512
d9db9457f148a8d218f2c49fac501d95bda589689b433224b24e867eb04c519f2fa3be3780a39376eec12aa145d7529a1d99e4a8d98d97dd0601fffab4224408

Download Submit
memory/436-138-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1408-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1408-87-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1408-35-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1408-44-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1852-81-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1956-22-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1956-135-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1956-117-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1956-25-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1956-29-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3408-31-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/3408-15-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3408-14-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/3408-43-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/3408-2-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3408-20-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/3408-34-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/3408-33-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/3408-32-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/3408-13-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3408-30-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/3408-21-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/3408-28-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/3408-27-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/3408-10-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3408-37-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3408-16-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3408-12-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3408-5-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3408-8-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/3408-17-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/3408-19-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/3408-18-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/3408-7-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/3408-9-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/3408-6-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/3408-11-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/3408-3-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3408-4-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/5040-86-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download