cybergate | a5789ea0dda529deb0164fdbcb04ef1c9c12239221c0063c19936b7c49bc5c98

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6915993093db1d2e90438049a5992c89.exe
Size

442KB
MD5

6915993093db1d2e90438049a5992c89
SHA1

9d162532907d6c39262f0e4035f82e1cb41fb672
SHA256

a5789ea0dda529deb0164fdbcb04ef1c9c12239221c0063c19936b7c49bc5c98
SHA512

c2b5b350f8b0e953b3ce8b87bb5580aface2f147ee2b5d83eb5fd3781e725df2b4f4ce8aa4ebdbaff253d1225577d85e8a2871391b9ea0084a2c5e9438db5056
SSDEEP

6144:1nLFuTL49qO9gG1bW6dK5wBT9myTpCaDJ0IlrFspzZIMWGX98gWNlPTGQQm6agrt:1UM9qO9gGrKwIaN0+spNIc2NtTird2A

Score

10^/10

cybergate revolution discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ReVoLuTiOn

www.facebook-upload.co.cc:288

Mutex

random

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
i8e6
install_file
system.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
NTLDR is missing
message_box_title
ERROR
password
abcd1234
regkey_hkcu
forrev
regkey_hklm
revdev

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\army = "C:\\Windows\\system32\\i8e6\\system.exe"	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\army = "C:\\Windows\\system32\\i8e6\\system.exe"	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{HNIK1MH5-HO6S-35TT-0651-71124UH8K706}	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{HNIK1MH5-HO6S-35TT-0651-71124UH8K706}\StubPath = "C:\\Windows\\system32\\i8e6\\system.exe Restart"	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{HNIK1MH5-HO6S-35TT-0651-71124UH8K706}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{HNIK1MH5-HO6S-35TT-0651-71124UH8K706}\StubPath = "C:\\Windows\\system32\\i8e6\\system.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2380	system.exe
2204	system.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\revdev = "C:\\Windows\\system32\\i8e6\\system.exe"	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\forrev = "C:\\Windows\\system32\\i8e6\\system.exe"	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\i8e6\system.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\i8e6\	explorer.exe
File created	C:\Windows\SysWOW64\i8e6\system.exe	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
File opened for modification	C:\Windows\SysWOW64\i8e6\system.exe	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 2380 set thread context of 2204	2380	system.exe	99

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5040-35-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/5040-36-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/5040-39-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4748-102-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4748-558-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1060	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	explorer.exe
Token: SeDebugPrivilege	1060	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe
2380	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 4736 wrote to memory of 5040	4736	JaffaCakes118_6915993093db1d2e90438049a5992c89.exe	84
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56
PID 5040 wrote to memory of 3440	5040	JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:776
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:676
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3740
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3832
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3896
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3984
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3992
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:3516
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:620
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:1432
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3168
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4044
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:3944
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2012
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2876
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:4704
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:1976
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2504

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1200
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1468
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1968

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2788

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3316

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6915993093db1d2e90438049a5992c89.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6915993093db1d2e90438049a5992c89.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6915993093db1d2e90438049a5992c89.EXE"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:4748
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1060
    - - C:\Windows\SysWOW64\i8e6\system.exe
        
        "C:\Windows\system32\i8e6\system.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2380
      - C:\Windows\SysWOW64\i8e6\system.EXE
        
        "C:\Windows\SysWOW64\i8e6\system.EXE"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4272

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:116

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 4489cc572711adf8f8f9a9b0c3fc7447 DwPf/Qey2ECidV5syp2i/w.0.1.0.0.0
1⤵
PID:548
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4960

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
225fc7da8d48f8d00e3d02b6af9841ef

SHA1
758bac6e8c59396face776f7e33176bf6885703b

SHA256
bc4b2d6c9ad353e31ce0d3d96ab5765c2d0403750afe0690127dedbe8d3309ad

SHA512
92d090de52542dc73a983d0141b8091a41760eea59eb822e8942dff5281f8a0fafae453b895b99f54a6bfcbd6216c8a8330c234564e87d09306978ae84e20871

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a99e4da06b7f662e49e997ac76248cb9

SHA1
648bd72b02fdbe1a2f6caad2199b7a8347acbaac

SHA256
3178c0491aefda62b5275e3a494c0718838ef20014c8edba516cd430d0c0f7fc

SHA512
b5bb443155b88392d2e3f59dc135e167e5afa5e49e6be6c66853487f8f152c9db0a42b1400ad32279138a158c430453d9803639f3b4d538f9b7aa6fef9cc934b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
edca357e821ddc329532f5e9ee6c683b

SHA1
c64aa1cb04758afddb344b39a947b3df77e78a00

SHA256
eee2bf70c7ff72ec189427b569653ab78aff4e6de07f5a38b638389c26a3adae

SHA512
996f09a86e15521d03090ca1bb20f2c6ef17bec2919ff19d1b643eaa205de43511f232c20f63a864a28f2074bf4b985e84c3746dd36c277fea743a0143039620

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2741133a0900d223920f34b86c01cd64

SHA1
4ded449aa0d600da7f530874610d773cf7e9d56f

SHA256
465dd5d097acdb3d8962b1f64a251b7a347dcb3772e8bca05f208078ca80c7bb

SHA512
c6f20e74114a9640f1624a4e6416f7d90e26b9bf0d1413cd681dc4de2efc7de9ba0ea4ac0ed4f4a8e0cdd7b06a5afdf9650e064bbfee8ac15acf2be822bd0058

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e507cbe84b4608e139260cc13fdadf0

SHA1
9304f9c57b09df80cd01130d45ddaf23e31898b2

SHA256
6c71809a9ec0a081f16ca51953cb656bda6a75c0f4f4d7973f39aff3dbef1f90

SHA512
2c71a981fc02fc8b634455dac4f648914f23680acf5a983c3eadc06e993cf76d5c68081dd2e26331a5525a5050bf6227aa7d519700a49e23c86ed27d7888a7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8732ed870c0c781c3773ad4f4d48a29b

SHA1
12badb3cf5c98b83f07dc15e2d9ea3b44469329a

SHA256
458237c334ac270f0f898240a7eefc7c5a2c043024c4dad39756da527a8ad938

SHA512
ca13307baac107c225e3da49779abf0b86b718100c60d88ab149e9c3ee920cddafee53f2783cfcd3fa8d5c1250eafa638d4937332f244ba8d7260c68caf1caa7

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\i8e6\system.exe

Filesize
442KB

MD5
6915993093db1d2e90438049a5992c89

SHA1
9d162532907d6c39262f0e4035f82e1cb41fb672

SHA256
a5789ea0dda529deb0164fdbcb04ef1c9c12239221c0063c19936b7c49bc5c98

SHA512
c2b5b350f8b0e953b3ce8b87bb5580aface2f147ee2b5d83eb5fd3781e725df2b4f4ce8aa4ebdbaff253d1225577d85e8a2871391b9ea0084a2c5e9438db5056

Download Submit
memory/2380-568-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4736-7-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/4736-24-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/4736-5-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/4736-4-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4736-3-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4736-14-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/4736-15-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/4736-21-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4736-22-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/4736-20-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/4736-19-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/4736-18-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/4736-23-0x0000000002340000-0x0000000002383000-memory.dmp

Filesize
268KB

Download
memory/4736-6-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4736-25-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/4736-2-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/4736-0-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4736-10-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/4736-30-0x0000000002340000-0x0000000002383000-memory.dmp

Filesize
268KB

Download
memory/4736-31-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4736-11-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/4736-13-0x0000000002C90000-0x0000000002C92000-memory.dmp

Filesize
8KB

Download
memory/4736-12-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/4736-8-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4736-9-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/4736-1-0x0000000002340000-0x0000000002383000-memory.dmp

Filesize
268KB

Download
memory/4748-102-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4748-40-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4748-41-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4748-558-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/5040-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5040-169-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5040-39-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/5040-36-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/5040-35-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/5040-32-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5040-28-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5040-27-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5040-26-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download