cybergate | a5789ea0dda529deb0164fdbcb04ef1c9c12239221c0063c19936b7c49bc5c98

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6915993093db1d2e90438049a5992c89.exe
Size

442KB
MD5

6915993093db1d2e90438049a5992c89
SHA1

9d162532907d6c39262f0e4035f82e1cb41fb672
SHA256

a5789ea0dda529deb0164fdbcb04ef1c9c12239221c0063c19936b7c49bc5c98
SHA512

c2b5b350f8b0e953b3ce8b87bb5580aface2f147ee2b5d83eb5fd3781e725df2b4f4ce8aa4ebdbaff253d1225577d85e8a2871391b9ea0084a2c5e9438db5056
SSDEEP

6144:1nLFuTL49qO9gG1bW6dK5wBT9myTpCaDJ0IlrFspzZIMWGX98gWNlPTGQQm6agrt:1UM9qO9gGrKwIaN0+spNIc2NtTird2A

Score

10^/10

cybergate revolution bootkit discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ReVoLuTiOn

www.facebook-upload.co.cc:288

Mutex

random

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
i8e6
install_file
system.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
NTLDR is missing
message_box_title
ERROR
password
abcd1234
regkey_hkcu
forrev
regkey_hklm
revdev

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\army = "C:\\Windows\\system32\\i8e6\\system.exe"	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\army = "C:\\Windows\\system32\\i8e6\\system.exe"	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{HNIK1MH5-HO6S-35TT-0651-71124UH8K706}	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{HNIK1MH5-HO6S-35TT-0651-71124UH8K706}\StubPath = "C:\\Windows\\system32\\i8e6\\system.exe Restart"	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{HNIK1MH5-HO6S-35TT-0651-71124UH8K706}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{HNIK1MH5-HO6S-35TT-0651-71124UH8K706}\StubPath = "C:\\Windows\\system32\\i8e6\\system.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	system.exe
3208	system.EXE

Loads dropped DLL 1 IoCs

pid	Process
1060	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\revdev = "C:\\Windows\\system32\\i8e6\\system.exe"	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\forrev = "C:\\Windows\\system32\\i8e6\\system.exe"	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe
File opened for modification	\??\PhysicalDrive0	system.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\i8e6\system.exe	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
File opened for modification	C:\Windows\SysWOW64\i8e6\system.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\i8e6\	explorer.exe
File created	C:\Windows\SysWOW64\i8e6\system.exe	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 2696 set thread context of 3208	2696	system.exe	33

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/408-578-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/408-3527-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1060	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	explorer.exe
Token: SeDebugPrivilege	1060	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
1060	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1060	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe
2696	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 1048 wrote to memory of 2212	1048	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	28
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21
PID 2212 wrote to memory of 1216	2212	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	21

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:392
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1496
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:2876
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:4224
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:5152
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:744
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1176
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:844
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:4176
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:108
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1004
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1064
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1108
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:856
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:792
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:496
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:504

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6915993093db1d2e90438049a5992c89.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6915993093db1d2e90438049a5992c89.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:408
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Loads dropped DLL
      Drops desktop.ini file(s)
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1060
    - - C:\Windows\SysWOW64\i8e6\system.exe
        
        "C:\Windows\system32\i8e6\system.exe"
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2696
      - C:\Windows\SysWOW64\i8e6\system.EXE
        
        "C:\Windows\SysWOW64\i8e6\system.EXE"
        6⤵
        Executes dropped EXE
        
        PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
225fc7da8d48f8d00e3d02b6af9841ef

SHA1
758bac6e8c59396face776f7e33176bf6885703b

SHA256
bc4b2d6c9ad353e31ce0d3d96ab5765c2d0403750afe0690127dedbe8d3309ad

SHA512
92d090de52542dc73a983d0141b8091a41760eea59eb822e8942dff5281f8a0fafae453b895b99f54a6bfcbd6216c8a8330c234564e87d09306978ae84e20871

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
edca357e821ddc329532f5e9ee6c683b

SHA1
c64aa1cb04758afddb344b39a947b3df77e78a00

SHA256
eee2bf70c7ff72ec189427b569653ab78aff4e6de07f5a38b638389c26a3adae

SHA512
996f09a86e15521d03090ca1bb20f2c6ef17bec2919ff19d1b643eaa205de43511f232c20f63a864a28f2074bf4b985e84c3746dd36c277fea743a0143039620

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e507cbe84b4608e139260cc13fdadf0

SHA1
9304f9c57b09df80cd01130d45ddaf23e31898b2

SHA256
6c71809a9ec0a081f16ca51953cb656bda6a75c0f4f4d7973f39aff3dbef1f90

SHA512
2c71a981fc02fc8b634455dac4f648914f23680acf5a983c3eadc06e993cf76d5c68081dd2e26331a5525a5050bf6227aa7d519700a49e23c86ed27d7888a7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2741133a0900d223920f34b86c01cd64

SHA1
4ded449aa0d600da7f530874610d773cf7e9d56f

SHA256
465dd5d097acdb3d8962b1f64a251b7a347dcb3772e8bca05f208078ca80c7bb

SHA512
c6f20e74114a9640f1624a4e6416f7d90e26b9bf0d1413cd681dc4de2efc7de9ba0ea4ac0ed4f4a8e0cdd7b06a5afdf9650e064bbfee8ac15acf2be822bd0058

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8732ed870c0c781c3773ad4f4d48a29b

SHA1
12badb3cf5c98b83f07dc15e2d9ea3b44469329a

SHA256
458237c334ac270f0f898240a7eefc7c5a2c043024c4dad39756da527a8ad938

SHA512
ca13307baac107c225e3da49779abf0b86b718100c60d88ab149e9c3ee920cddafee53f2783cfcd3fa8d5c1250eafa638d4937332f244ba8d7260c68caf1caa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a99e4da06b7f662e49e997ac76248cb9

SHA1
648bd72b02fdbe1a2f6caad2199b7a8347acbaac

SHA256
3178c0491aefda62b5275e3a494c0718838ef20014c8edba516cd430d0c0f7fc

SHA512
b5bb443155b88392d2e3f59dc135e167e5afa5e49e6be6c66853487f8f152c9db0a42b1400ad32279138a158c430453d9803639f3b4d538f9b7aa6fef9cc934b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a300cc1a4a7ab2ea96c157eaf785c624

SHA1
d40e5236e3982cbe12de9cf5c65ef10ba710a57a

SHA256
dc86d2af2483f0be11591bd770226324330eb4c59f168979565125390cf73a86

SHA512
1c0951c22793d3f2c47eaa2d3627173a4dfac9977ad82d62ef9a1e4e38eeb76afd137be96d36b8acad1f490b16dd351edfe18a6b06274c50b753383aa50c76c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d9aca1082bccb957bfc51de8a5fb1e1e

SHA1
0a1391040ab58b0e9726677be5d46fbb3215867c

SHA256
d4d2d70ce0199de7415b1631e20615c6a53106b85a886c49abee4835d528f0b3

SHA512
ca57b443d1544d7f03963b2607e6981e022c53984d15188180150ef789786d5a7cce4fd8c753f526c0c4222e4c395ea723d61d5dbfeaae34133ef3191b53f91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b132aff431971921765198c50a82a64d

SHA1
2b3e03fefba9796f311211bd37ec41eac5901c7e

SHA256
1a7b2c758c4312f66f991412fc6adc5d4b01bcbf249d6b572fdf325be44f123a

SHA512
5b8704513a34e5b50a91e3303b4bd9f0b6379da776ed6abf650752a0c9b1806c21861d7848f91ec2777eb359c0676d556dc9fd9f73333c9fa65413df0b4f819b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e42167fd0cdba1320ba1faf12d5f611

SHA1
81802122a1230579027f1bc6afb3536e6cc6497a

SHA256
fd5c547834acc91eacd2802193b6adc51d8f40441a5e7aef931f5da8dbe2060a

SHA512
93dc68eb4e9530fbd40f37b80b48d8738767270c5f619659974290385d1103617a906724f7964267ae8b5e35b50ab5fcaee8fde847a0395ebc4a63d96363a7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c15bfe33a742dadaaf68311fd2cd759e

SHA1
6e11e24cc3d81bbd126f14eb5acb2b7b332833e5

SHA256
371e48a854f0f33e3cc56778328759d77e1214d75eadaedeae849504f69d2b52

SHA512
190c839644646a64671ff2d8fb7f5488c9620a6737985d4ef36d9293a279a7869fb9c813d65c4db71ef40c5beb78c24e5567690749ea4d894972077b2bb5fe95

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
570d6d304d01ee66e864c1a84c421541

SHA1
d974026384522db945a627097205ddedd6cec64f

SHA256
abcd9467c402923afcd47ae845c32c4a7b4c55e235eba3c1df908e94d99d22f7

SHA512
2f2f605e49b9c8533e026ebddda8a6ba1ab956887c8c6fff23036e50b5fb4c76bf214e5105278a1ce240d999d61cee28dabe8b29b039119f05f2130a9cf47836

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9d83f89f9d9b8e2536b3a47301944464

SHA1
5dc01926227a3f27a93db4eb1691915e5ed25f2c

SHA256
a650ae69c39592ee703a278a405ff34ec1c55a5cd0b94e1a3af236b2fe4eadfb

SHA512
65956c62839d6c0165a0afc92c15aca03b123693fa66f98b934bcaedce471e42f6a512dbf4a05e1503cd93f3e721f813f0114a03e2ff185222939f5c99744652

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
817d9af6297fe2bac4f0c8375b7a88e8

SHA1
f376320546eaa1bf5b37aedfd4574bd669fbfe91

SHA256
0b9dc18d29c2108b769366b28f1f4565f8c708225caf2ad1af0e38bf87d87cb5

SHA512
7f5315e4cf4bb01abd3b4001733cb92bdc963455139452929613a1f1349c9aa467a33cbe524805701afb48aac95f44eea9ffafac8d46046ecb0b2f626e2b96de

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
88f273de2976dfeed5d005dd98830962

SHA1
33597517975b30226d70c0aadec38ec7928cc305

SHA256
994f151e09f7b7702543a3bf69da2e52788cc44f15dd05d45f213b91cef9bd8b

SHA512
87133c8dfab0793f4efbbd1e9f0215ed10e1caa0dd6a77dc858249bd36664a7f9f1a60434d78f3abcc9384f7f0f655f4abc15ab75e5a4da59a2ab20ec522eb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
06d4ec3b5bad32f547b2d68151d0af2e

SHA1
58e4f262b85da9636bf7d89246306a245173a169

SHA256
a7101d988d759f6dda4d7f5621adc2a5a5dddca1ef121af7eb2e4d7a62abc660

SHA512
c7c7a6ef422e4877eab99150c07a8b338c6787a834fa98a28b4b39df95d1ac59a35819e4b3c044633c3e614282c94cbf9200b933c3938a601a62aa22cdb73229

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
777114f447f3285edd1bcb436da69aa2

SHA1
81bf3a97aac9ce243ca83a0e4f6955b332858d18

SHA256
e015e55fe5047b400f76fe20eb3256b2f41eb575819c848abf8fa58c2f1f163f

SHA512
7c0b51e3ee5c13f75ca823c6fb35b9e26ad6583aa0058d538b63736bb42d9a49338e8efcd9270a7e65ff5f370ea1d4f857c65d545cc6b2390a73aa7b567bb25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
53acc27c4ce27cd18d5647e9a0dabb0e

SHA1
4e24d81fab403a8dd64036612359ae2b36097cab

SHA256
754cb9ba3dbe95c1e2c9ba963cdcd96ece3f76ecbe8c3c99fc9a1bdb37c15ecd

SHA512
50b08f56f3dbb7ee752bd99c44c5e0a215a730a171b2d256b6e4cdc08719ac5b552c170c733e3fa766594f44a24f3caba96b80ff611b92a1997da78bf6aaa24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
50b80d4149b244ca54955e824a0bdeb1

SHA1
8cf5386a794ed7f01d988b093daeeffc4af1c8fc

SHA256
077448f24d4acfad4f3f7ec98f78b1a54635ab6933fa9001bb390c9a2b8df3c1

SHA512
7dadb1226447987fd42a670afa1e1d82ff3c3e5bd3a60509a747cb6ea7f2ca571ea2c5b644a9c5d35287f9f470a2db70ac893f3f5f4af6a483c1f8b21466416c

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\i8e6\system.exe

Filesize
442KB

MD5
6915993093db1d2e90438049a5992c89

SHA1
9d162532907d6c39262f0e4035f82e1cb41fb672

SHA256
a5789ea0dda529deb0164fdbcb04ef1c9c12239221c0063c19936b7c49bc5c98

SHA512
c2b5b350f8b0e953b3ce8b87bb5580aface2f147ee2b5d83eb5fd3781e725df2b4f4ce8aa4ebdbaff253d1225577d85e8a2871391b9ea0084a2c5e9438db5056

Download Submit
memory/408-3527-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/408-280-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/408-578-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/408-282-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1048-11-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1048-20-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1048-30-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1048-31-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1048-0-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1048-9-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1048-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1048-7-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1048-26-0x0000000002F20000-0x000000000307C000-memory.dmp

Filesize
1.4MB

Download
memory/1048-24-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1048-25-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1048-23-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1048-6-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1048-5-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1048-22-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1048-19-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1048-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1048-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1048-21-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1048-18-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1048-1-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1048-12-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-13-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1048-15-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1048-16-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1048-14-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download
memory/1048-2-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1216-37-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/2212-28-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2212-907-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2212-581-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2212-27-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2212-32-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2212-33-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2696-3537-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download