cybergate | 15719cbcea92389bc979dbd679015c5c5c90b9d2c056dd66a6298eeb7820adf4

Analysis

max time kernel
150s
max time network
106s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Size

460KB
MD5

ee75c900a53c9f6fc2f20d3fcf3d7dbf
SHA1

0b6c81e3fa50f65576fd61bfa0184c0009fe7cc7
SHA256

15719cbcea92389bc979dbd679015c5c5c90b9d2c056dd66a6298eeb7820adf4
SHA512

8bd8dab60c0f71f5565148e7ad10ef8cf76c49a2439f6f781fa88431d4caea3b7417df557895eae81c9c6dbb42c81a3c4da8d03b489e16ad54db7a1beaf6136e
SSDEEP

6144:E6Mmkxv1C/EAU0tUKjLIxdIqWI7yFH5VCYhFN/BIbinx/0OyZuS4r3c/SyYPpr4f:Bav1C/EA/mjO0Z6/0LZV43ypCns

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.03.0

Botnet

Cyber

testingman123.zapto.org:400

Mutex

66342XR86Q27N5

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
csrss.exe
install_dir
Java
install_file
java.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
hahaha
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Java\\java.exe"	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Java\\java.exe"	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Executes dropped EXE 3 IoCs

pid	Process
2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2808	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2112	java.exe

Loads dropped DLL 7 IoCs

pid	Process
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2808	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2808	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java\\java.exe"	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java\\java.exe"	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2944-40-0x0000000024080000-0x00000000240E1000-memory.dmp	upx
behavioral1/memory/2944-37-0x0000000024010000-0x0000000024071000-memory.dmp	upx
behavioral1/memory/2944-36-0x0000000024010000-0x0000000024071000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\java.exe	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
File opened for modification	C:\Program Files (x86)\Java\java.exe	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
File opened for modification	C:\Program Files (x86)\Java\java.exe	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
File opened for modification	C:\Program Files (x86)\Java\	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2808	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Token: SeDebugPrivilege	2808	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Token: SeDebugPrivilege	2808	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2112	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29
PID 2824 wrote to memory of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29
PID 2824 wrote to memory of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29
PID 2824 wrote to memory of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29
PID 2824 wrote to memory of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29
PID 2824 wrote to memory of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29
PID 2824 wrote to memory of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29
PID 2824 wrote to memory of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29
PID 2824 wrote to memory of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29
PID 2824 wrote to memory of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29
PID 2824 wrote to memory of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29
PID 2824 wrote to memory of 2944	2824	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	29
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31
PID 2944 wrote to memory of 2728	2944	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
  C:\Users\Admin\AppData\Roaming\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2728
- - C:\Users\Admin\AppData\Roaming\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
    "C:\Users\Admin\AppData\Roaming\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
  - - C:\Program Files (x86)\Java\java.exe
      "C:\Program Files (x86)\Java\java.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
221KB

MD5
355ee876c7d5656b5edeca118ba2ad96

SHA1
2a6a77ebea22d63d8d4fce9c909214eeb33c5ee2

SHA256
9c3345d9b61434ce79d5639cab5da5028c67764b8f1df76d0eaff7ba765a2047

SHA512
f98342e038b9d5629d99d756847abd4a9d01b12e8663fe90418d15542f108a640add8e80704b8e647738fbf97f7f28c1a46b127b25fb86fcb3ef77e2fa237910

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
301a5498c046aa440af392f36a6fcba7

SHA1
acf6839d7a91a72de0c6ff941e1de62952039f34

SHA256
b618a3703ce8f99f3f9b7bae6d32776d021d88a248ad1ba3791eaa692e4ae68e

SHA512
b83a8dd768e2286070ccd1ecde9bfaa292a0299c6d38ee1cf5a3921b642288c8658362dd226e98eb81cf00192fdfa41e8f9a1e96f4dea133d0d17ee63aa13e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
63d686bdc10234cffe8b6cb5814598ca

SHA1
224feea455eb4e82b2a1f4903b1a3757e0e82b7e

SHA256
438b5a03db5d3a7fb96185c28726b3a347c908a0fd57448bf7efa9274b160d85

SHA512
f39a9aa41d117f1ae7edfb33b762daa9286590c0c12b66a2e9e1ad0a8e569a217bc6ce16cc99808f1eef21b313b12e5af4cbe78f4d64c697992acf3e2ccbacc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eb9c871a5e942a4180e992cc178d5065

SHA1
37fe2ef55e2996bdc61c1d4c8dbadc4b2b838b0f

SHA256
1a031c4837b78a8fef75314be6a37900ab972ac82d17977a0af2c09558032983

SHA512
d0294c98aefc0ba985d746fd1a5991b1ab241663548c7cad0d91fb4f9c28cd9387307f6a0e484c7a90aa1f59ecd234b48962f245217efb9220418d7390e4d20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ce15e010f8d41f9e5a1c5ae0df073f84

SHA1
64c81c75e01fcb6b1536a2fbcd78bc8b0e4bc089

SHA256
222d8d9230eb69d96ddceea9b0aa6875287e241fd405ef4352092cfa4eb2196e

SHA512
4df6414a21362002400fb438b5961389c879531c42c9f073023c617036098c9814e313128aeffb4f688ad4b3d4e18cc14ac59ae5bdb81496ea8a1464043c0a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d5dc6885ea6a7b2b882aaec04309596c

SHA1
a8925a431d34fdb4cd2c005b547238d67efecb73

SHA256
408c440471c16f93c7f7fe38136908d88a2f07988714da9ee06bf1750e81bb22

SHA512
2f0cdfbc49543013811eaa834b2e73849640a566e3bc177f55c23d26d65f5b18164ca006b3ae9ce6bf1cc121d6ed7624a78f397d0f437d48e7e1af4951bd0a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1571dce68baeff4ca6e46861d6615d24

SHA1
07ee96061406d44e5db5cbfa64ba4a437c406a6a

SHA256
a4ffaa701e95732cfc58a06f898aa73b8ddad37a83eb5abd52c5fedaef6661b6

SHA512
82afbdb5e0c8c7afc38d052a2a1f3649f3f12050ac9b303d177aff1ffb9fbf3a84161a357a44695b4551589d86cf5b7033d72fc8b3c3b0da5aaaf38850b13bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4f8a3801bdcaf599993ed39ceb50e970

SHA1
7f31fd13e211fb2360faec6d88d5f31d717b1ee4

SHA256
5c7ddf6c4bbafe73185ab14e48be40bebf003ef4a1f5e8ca3cfd4ab18309cca4

SHA512
f1b3c2b7f4b102fc0439c97707ad040dcc3ec6e83145bda619999fc9b5c319ae9426c75563eb6b620b9f5d408b99fe3d4aa37d55939eab81b47d23aff3b7f8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
55a9836393dce9928a29ca2579cb28f5

SHA1
c597cef445ca4ba7edb124a598397c6d66904cfc

SHA256
7cf5762f1afd412285d76e177c1ccde153a11103dd4cdcb451e20f1bb317ac66

SHA512
ec38dd5961784365d0520874fea7204b4c701b60482139d53049e1f90fef53507df3fdbf5bf041391f8ef7de873142158e410df0b590be42eccb1c10635b7bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
22122c95feb030b0e8508b44da4966d2

SHA1
54bd51e1fc3d6bac2209655098a8d85525ff9425

SHA256
184b8db851528782078e8c0c1dad29e041c8bd2f8c70af65e7909fd2aedfb422

SHA512
eab0d7e3e1f009fb7619b649a88f1133b3d80b09fbc304862cb6447ae8ed9234b28b1e21486717a56c61fb5fa31a843310fa7cbdd872959a25c81a5662ef55e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
333b144978598a8c33030bd608ece3d7

SHA1
eaa10b3afc96abab9a4e0d8b7abf40ac43896323

SHA256
94a85b961aa3956eb9904660545a9c77b000ae1d4516169e1536410dbc72715d

SHA512
cdf38c39234286a63c022d7ae134331210c5ba784ae159313404c0e84a39b637b1ec2b12d30ddf5d03483b82bc706ae1d2a933b17ef6c790bfde5e312e7f4b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
19ba20593b775872e6b329ba1b9e7c27

SHA1
536a7c907026488a972c9291134bda8f5265ff24

SHA256
b0d01922e58536e0ac16b961b60b64d314372fc25e49c63103b596f2a7654aab

SHA512
09d5350ac46bf44c78d0cb8fdac29ac3882699db5bc331f46ab5cfa9e5b444f91a493277d2aaaa803a296bf352f679099ec4069ba0f5161fdd1bafaf257a9b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1d949e83478ed0b732d8590764a1f4af

SHA1
548185a2cbd95adc00d9032a1bfc2a4955b90e20

SHA256
029d198d201c097874f010c7e79fd45005f325dd19017de5e43beb689b31eeb5

SHA512
c8cbfcd71521ccbef23d192a57fdfc6a0ef56071c5fb705f07dc85d9b775b4dd109bce6d34c3c4cceb7d3f0291c503e3304400047b65b87fae8f7fcd0250543d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ad7e826dc3579b106e3b37ef70c0be3f

SHA1
7340d448c9fbeb4228efcf4acba0ff513c0f96eb

SHA256
900cd066d6c3021f2cb17f39d1df1ec0461866c4a3e1921b90e4171b7fbbcc19

SHA512
4eea5a6b97c378b40fdde7b17a0c637cf8a116ea2022ebd0a94b9b0b850cf4d39d433eb3e7d077cc3551830a199106f3f9ca9306e87c022ceaf189be725c2c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eb45335cdd8ca96c9da6c577dc3baaea

SHA1
e706336ad75dfcf2cd91bce2b0b30f14f9393d73

SHA256
56ad6a774786b0e474109d54bdafe8cdacbc0017c943f404fd288f53c254c94b

SHA512
5147286ba336b948b76c2d9f34c969b2bd13c89ad832c5bb8a2f0b8dfcc9da55a2332a26357f545768edc477e9f9283160bf4c9e2a35616c7caa0071f060bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1539f0fba29dfdc1cad2119eed959ffe

SHA1
7a40282bc3aa7c18d1562fdc0b43bfc99de5f506

SHA256
0c18096ddc7ddf1b3cd8db7824fbc51da0f821da6a19158d8ada55cd0537ba78

SHA512
7267647f18454533ba90c8f135c2478a8a4cdcf0a30fc91a1fcd42e32bf8aa1f23c9a5b3f54d0ec00c57433f468912cf6678f50ba52bbefa2176e61f3af0fa3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
729707b0209bf9963bc4cdcae7250310

SHA1
7fa6d6f588608f68a479a8507d0b9735da9b521c

SHA256
755006ffd2d406a41c03036d67730c6b41bf7c10d132cd87ed0b7b5ebb924292

SHA512
806ef2e9927f1e8b33cbffcc27a5c6b31fca95f9a4e425d4b56a70f5169d210e34e0b08fcda5767624c973bf4d9a93517382bdbd105894569f46546fe39f457d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4cd1dfa8e3410c301f92f123678a3914

SHA1
01b1c752a5a2ee6d0281033320fdde5c5232610b

SHA256
a10d1cf2640838b82bf856a28ec22240318454dc83a791cc3615fbf14f8e8848

SHA512
922cddb1db8645731dda07971d39d21086a618b17cc01dfb1454cdc1ce6bd1f7069a1c4095ff42448ddaeaf3fa47a43f1ad3ee721130e42f105b84c36fdf1414

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7e7a6dae229615647aef1fb58388e731

SHA1
30272b4e355e1fc1656339f488959c74fdc4da1e

SHA256
7c3bcfec0e6bd58f20115c2672e4dbd7dcd45e9906fc719b8df6d9a0ecbd21f9

SHA512
7c4b5e64dbaa8ea2a39bd90966e08eaeb7e1e7063fea39c4e1addf517f8b21ff1ba63106ccf3f254071d557619ff2934f45018da77183ca1c6480e5974423a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5698853442c58fe9b735f28eb66d24b4

SHA1
21ce9523ff768599695be05ded085d3e1fdb651e

SHA256
27a8abb7827d3d1191f99d476670e6ce5958dab8d8ab6f9b6e999cd4c2e701e7

SHA512
a9e746f14cb8ddfee820e8d1937640aa84ac86f70e958b25c8be3ae21c80e59324820782dd48e3dfd6279f9cf481cc7d0706167844eb1f7c9ec4c10742b84738

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
256b4238852cb9c23a20f5a35a6fed8c

SHA1
fa82b97dc388bdc931c2f85eca2889c9437f123e

SHA256
3f9c09f95d5ebdc091be507e9983f7fbbf5a6b70da294bd60c29b33df38ece5f

SHA512
d17f2c35a548603eab6d4f44537f5d854821da92cc50c59c0ec345f068ab34f30dfa84c31b0b22b0bd056c56286bcd238b52ddf566165a50f1055d48cd04f149

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
15776819ecbeec88ad3a844800eb51fe

SHA1
b2edc1492da5717cf2996d8f919444eb61f01dd6

SHA256
37904bdcb40ea470220176846ca24014b146353f51a0a4df8d69e40cafa92e0f

SHA512
2798cd85833d5edcfc9825bce0b940186b507a3d0751843a6a70925301dc3a86bf7d7b87b5f4ff11b42567f4dea63e176eb2ad30a105f6eba3eebbc1caa978cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7c379b935122da7e728a48ed341152d7

SHA1
e80d1c879e2553285b7e69c673ce6965ac9e1413

SHA256
af67ce913b1bb496304fc3e9ac2239a0ca2af2a179196982aabdac21618800ec

SHA512
6f23cf02fe307aaa5ab4d623637ed050c0d199e201da3fc05575ed61f5d8ae0a827c383efeb2a3931a62c24ca9d2a6da907c607c4a7195181992c3ab77309278

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6a6da8b3b8e9e2ea430492ec0e0077b2

SHA1
c44943f0245ccc527dc2210171367e1dcc332f5e

SHA256
ef29a90e0da26459be66d4403254e2023fdcab1b65ee080c8ad7d4617c09203f

SHA512
67a0172a33d69b6140b2a443b8db3394e9424d86c90b2f820558af7202f695c0f49ad0482f7cd4d16fbcc7c050bf638487a25dd7013a6e2656d360af2b3d3e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2230618336f5646f0bee36eaa1b8366d

SHA1
df64479221f751c0642925be731bbebce6750f3d

SHA256
eb18af84ba8cb26da3e64212f95e8dd85f04d7ce3fe3273cdc0ece685fafb39f

SHA512
d28e727a0e7753065f69f62faa84a7fa3eceb25cb407cc3578c79536ce685e34aa0d4b243ce561ddaa46b6d761fdd6faf58a30d42253c73415aedc2d2fb2571e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c16eaee8435d874cd0e9325868ae3879

SHA1
3d8b502bb70813f727e04d516a9624315df518fb

SHA256
a1d96ffd631a979f843e7a97c1b988d831f7f1aa76e4aee24baaabf64b7bd7bb

SHA512
536cbe3e8b0da769cd018016297938933f2ec8d7c6a70dd577514104ee94d7c0c8d8a0fafe0cb01a01505e0d2e3bb1ac1ea5f5d9044d76a5e2b3dcdcecb92a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
725fa3507e38501e29507402fefc625e

SHA1
b9ef4590751f8d334df3700716f13fa174679d19

SHA256
9774370689e9d4de13e0431b2dd1d68da64cce5fb12a141396e49939cdaafda5

SHA512
b27d7455f9666d99e16b742a3757d90814b9d12adc23a7b660844f86373987f7d40d4dcbee825328870e7f98ccf7fd9e724b705434f5c13ff09ffd154587b890

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a83b6056c6dc0c8a9000cf0101a62626

SHA1
afe6a845b9219d049b1e59e4c93051ba8eba0631

SHA256
ef751a8d72a3a5d42667563156c494bfae1d5ba5f76c5118c600ad2945712a38

SHA512
3f60ce96d037b1eefb0d4f95466dcba65eeeff205ca1397675cbaaa0dd2aa220c2fce577fd0e32db6d478a1bfcc8e005ef64484b3794affaba2dd19d47234422

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef38ed715bb02a53924f3ffd201a2446

SHA1
3b88edb1cecf713ade6b5e5ab915af4328847ac4

SHA256
1b9e9dee5479e3edc98963faca71ae729dda1a66135a56a248a1dd5831a52fdf

SHA512
d092b8689990c9c801a05dba4607caee4f30865396e4448636bbe433ad259db67462625d4d3bc5b8485592d2cbe3d1331425d786d06da37605f35950f9046968

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
afae09a3761b8727af0dfb0599e1df2f

SHA1
aae68ba93037f5871bd0d467229a891e856099e6

SHA256
9bdbea8d3ffd8a0d38576dd7e71e52baec6aa8d8d066d4531c4411664a5e3b0d

SHA512
a61324910a8df7cfdcf7d8965b47bc908941772f06bfc77f9c6185946e6eee52da37c85968735197ed58d187bde78493edc7b4944aabdd9e2e7a4ebbd73be542

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f92128a3e595fd08b299ddac007efbaf

SHA1
fcf5878b53e6b501b0a3db17a8311a6b95db71ae

SHA256
a16957b466c3128018eddd3eec27cf920f344d882528f5f22768dab12ee70cf6

SHA512
35b95fddd1805065368b5faac556e29ccdac38b02281104c8ce9d21746497622fd414dc00246ac5d90e0970bf080750eef0e0ddf6bfac0e8b1a5bc226a9660ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
655bd2282b2fcb4cbaf1b9d5db92c73e

SHA1
4198f693466a428ecb70d25d3d468166ca43b436

SHA256
83aaf4abcf131df610c4eb522270b2515e56293fec8bfe1d38ea330c2ab6c201

SHA512
13a4257e157a5f88e212f4d36f3ceb921b7220b7a86550b963fdb46f280d820069ab5a7b5010cd3ad67b58da48f961b61eb81963b79c131d1d18c1f4633e6af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
176bf8c20538c98848157a3e209d99ea

SHA1
b0a91347fb7b535d2355b011e4fb837d9822e8db

SHA256
2f7d9ccb443f19030fb8720d122a36a022ee1d907262f8b380db6f8e6e0c22da

SHA512
a9f922fcef3234d581f05fadabf33d4913e4f3517f7aa589ed0aa764d9f8cbf4bf1b7b6563bec5bec2cc5e8339e5411d661270616ba0ef3abe4e73552838bc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
93a4fbb749d5637e596ba132b7aeb556

SHA1
4e5c7526d39332bf25151709ce5491e973f1cefe

SHA256
51c467c27f75dad7d8b13ee54d3651361a18a945aa6a47ce174159f9379fd14e

SHA512
eaa3eeff8526de7049ad8e4253b5ca958744297249a7dfc6f63e6889ccf088e108a2af2cb02f973be8f38eff55f50587fe4ea1b241e6237f700790fcc726ae72

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7532b5f0d9b93c3bc0f4e0bdc173507c

SHA1
ce61e61eeb287466fd73163a6b8994b04a968e43

SHA256
7e96dbaed2aa2280ebe5c8622b5df0a8c483c8dabe9e3861ff808d34e39c0f1b

SHA512
693c9ad57726d294420160f70c7ebb3b3d18c58d631d60bd84abcdfe738703d10bdbd89d1fa3b73865be017c116ff8a7f81f1f0fc4039a98d225a41f0403f0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1444ebde9beba437069bbe472a7aea05

SHA1
fc961c49295189a275747bccf85b43b3c9016e1a

SHA256
a47f47bcb4ad16e5f9228525212414e28bd83a4178a07a66e928f701da571fd0

SHA512
229845ffa758e7f0ef51ad2692f6bc78408886ae2871827877fdcc3614c808dbe2b1982ebaae901236ee96f0fff1e5a96f799e9b019a5cb693b1007991b38995

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
871c45420c0c10f72904ab8affca972d

SHA1
130fed1aec20bef4ba6f2467740163a8f70634f5

SHA256
49bc81d6b54c7d01a275190f406d3925bd6b7307a421fe96e5458025debcf7bc

SHA512
78066c9b262412093702b977847b54707da1fc718cb636767096cc6945c51310c239d71070396247d0a213625b44bc195a7b7a6a1d6faa3942a51b8bce85aaca

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\Users\Admin\AppData\Local\Temp\GetProcAddress.dll

Filesize
13KB

MD5
d0c1a1acb3c657b797fce8cffc9b5f63

SHA1
005f864733bb63d5088353b19caa32dd866ecd14

SHA256
56be4e8a1c29a65357c5605086846d509c8334e98e222e9bd2c67c8f9b366a77

SHA512
dcdd37665d67e5df572c769c6ff5b9b398ba09edbb72d6760fdd9a1ad20602f458bb087cc8ebb34c1ebe197c9c0108ee9bc3f2a46de6848f163e8d414b12632a

Download Submit
\Users\Admin\AppData\Roaming\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Filesize
16KB

MD5
fc22d7b35bedf3c3e772f34e8adf3065

SHA1
2c7bb20b5801ad806fd9c71a46984e8d39a9e22e

SHA256
811d3f67e5086db6a77a37df881d6199c5a601848c87713f41eed373738010aa

SHA512
85dc6e7147968f843540af667f7ccdf815d0b192a1670879cccc74a6fbc3a3e5f32724267b455f0688f912528c1296a8d79ce357645401783478b043ad4e826d

Download Submit
memory/2808-41-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2808-44-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2808-56-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2808-53-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2824-113-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-112-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-2-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-1-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-0-0x00000000744B1000-0x00000000744B2000-memory.dmp

Filesize
4KB

Download
memory/2944-19-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2944-24-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-20-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-25-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-31-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-32-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-30-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-28-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-23-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-22-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-21-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-37-0x0000000024010000-0x0000000024071000-memory.dmp

Filesize
388KB

Download
memory/2944-40-0x0000000024080000-0x00000000240E1000-memory.dmp

Filesize
388KB

Download
memory/2944-342-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-36-0x0000000024010000-0x0000000024071000-memory.dmp

Filesize
388KB

Download