cybergate | 110cda2677c1e22cb1d0c989f0e98b1d1e2194874356b74c5660a31a1b05448e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
Size

437KB
MD5

02c92a0d1d31087dc181020969e5b1f3
SHA1

274977e3f1cebbd7b90ae450652b5cf9d22313d2
SHA256

110cda2677c1e22cb1d0c989f0e98b1d1e2194874356b74c5660a31a1b05448e
SHA512

8c2849a1029da3c4a74a83ac70aabea0c0dcf6c11e4435020c724104eb5f468b88880692b4f6f46f8064fbda6ff79a144ef22a76fd384f148df6ef9d4314e0df
SSDEEP

6144:o7yqzqTobmMXWkypkwlciR+9V8rh0U2MpafHvRF7A2bK3/szcBGWw/hDIcqn0:o7yMqTozXeaZw+I9y/vXAfkwoDhscR

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

vítima

lecoa286.no-ip.org:81

192.168.254.1:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\server.exe"	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\server.exe"	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3232-8-0x0000000024010000-0x0000000024052000-memory.dmp	upx
behavioral2/memory/3232-12-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral2/memory/3232-9-0x0000000024010000-0x0000000024052000-memory.dmp	upx
behavioral2/memory/2320-66-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral2/memory/3232-62-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral2/memory/2320-71-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral2/memory/2320-72-0x0000000024060000-0x00000000240A2000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
Token: SeDebugPrivilege	2320	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 1720 wrote to memory of 3232	1720	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	83
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84
PID 3232 wrote to memory of 752	3232	JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe	84

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:768
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:656

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:784
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3112
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3864
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3960
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4060
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:2784
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4032
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:3688
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3624
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:1668
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4464
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4700
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3548
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:1776
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1436
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3660
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:5104
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2296
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:1924
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:932
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2392
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:4424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1108
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1348
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2044

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2748

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3440

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:752
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02c92a0d1d31087dc181020969e5b1f3.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3636

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2312

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e6aa8f1f4553ffda4f41662db724afde sefkjDbGlEec9S0HyMnvdQ.0.1.0.0.0
1⤵
PID:4956
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4656

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
200KB

MD5
08a8d98488ac6f78c6e76f21d79c0879

SHA1
fdfd84a9fe6bf5657c631eaee1ad22746292f68c

SHA256
2295e27e006281c5ef7ea137c0e298009295b7be6a2141945b4d73c31ad21848

SHA512
4a210bb393682ccce390fc29714eeb621f62fa367c1db5f54433c9d08ef9683596bee96be1cc728cce77bb371c1f3cfa0ef5946ae8dd5eb2627e136d06a2abb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
88106a529f280dffd80179f6939739fc

SHA1
db7505d045e1d9b9c45e032166089e75415a93b9

SHA256
874f400acc18c8f9766eb4eb03d2872ac74d187bc6788006b4c32791bbfc565a

SHA512
776963e2da6c3cfc2c2ac82876099d06b28796643d81eaff91e7008cf51f5c445fff3aeca73a5a4ec7465d3377509645d66589906eda29f790b3f8bef9c1d875

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
4362e21af8686f5ebba224768d292a5b

SHA1
504510a4d10e230dcd1605ab3342525b38a10933

SHA256
b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3

SHA512
f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850

Download Submit
memory/2320-65-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/2320-72-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/2320-71-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/2320-14-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2320-13-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2320-66-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/2320-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3232-30-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3232-2-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3232-9-0x0000000024010000-0x0000000024052000-memory.dmp

Filesize
264KB

Download
memory/3232-69-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3232-12-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/3232-62-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/3232-8-0x0000000024010000-0x0000000024052000-memory.dmp

Filesize
264KB

Download
memory/3232-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3232-4-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3232-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download