cybergate | ecf1230d0c35e08e63cdae814bca3d67a6e8527b72eb066a4c2ebbf479d28e05

Analysis

max time kernel
150s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
Size

338KB
MD5

acb89308b319dee6e346d622a73b4b2b
SHA1

7ef85cfd629767d9dc06bd7d1ddbe88726f8c638
SHA256

ecf1230d0c35e08e63cdae814bca3d67a6e8527b72eb066a4c2ebbf479d28e05
SHA512

a95566ce8c5242f0154c488e617eebbbee2ef1548d8931c30261930fd4bba9faa0fca768e684bd374684618633ed43bc3c373057f03915a020767813ab4e417e
SSDEEP

6144:B5/G0N63UDkn8uszQAzrUnYkxe81AN9PShCpD6vvBnB1Hxb9IWLG:Tx6eusyn3oeAN5CvBTH

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.00.1

Botnet

remote

127.0.0.1:999

matrix-zloy.no-ip.biz:81

matrix-zloy.no-ip.biz:1435

Mutex

CyberGate1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
system.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
280485

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\system.exe"	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\system.exe"	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
Key created	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F58G2B68-503P-7UTQ-6BA3-45L1231N5Y1Q}	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F58G2B68-503P-7UTQ-6BA3-45L1231N5Y1Q}\StubPath = "C:\\Windows\\install\\system.exe Restart"	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F58G2B68-503P-7UTQ-6BA3-45L1231N5Y1Q}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F58G2B68-503P-7UTQ-6BA3-45L1231N5Y1Q}\StubPath = "C:\\Windows\\install\\system.exe"	explorer.exe

Executes dropped EXE 29 IoCs

pid	Process
4984	system.exe
3424	system.exe
4916	system.exe
5496	system.exe
2212	system.exe
3492	system.exe
3740	system.exe
3240	system.exe
4612	system.exe
4712	system.exe
4820	system.exe
4692	system.exe
4976	system.exe
4684	system.exe
4152	system.exe
6136	system.exe
3000	system.exe
4980	system.exe
5108	system.exe
724	system.exe
5076	system.exe
3308	system.exe
4468	system.exe
3960	system.exe
1612	system.exe
4216	system.exe
5224	system.exe
6088	system.exe
232	system.exe

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2436-0-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2436-3-0x0000000024010000-0x0000000024070000-memory.dmp	upx
behavioral1/memory/2436-7-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral1/memory/2436-22-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2436-65-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral1/memory/876-69-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral1/files/0x000800000002425c-72.dat	upx
behavioral1/memory/876-75-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral1/memory/4984-79-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/5496-85-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3424-84-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4916-89-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/5496-93-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2212-97-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3492-101-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3240-102-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3740-106-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3240-109-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4612-113-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4712-117-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4820-121-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4692-125-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4976-129-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4684-133-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3000-139-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4152-138-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/6136-142-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3000-146-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4980-150-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/724-152-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/5108-156-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/724-160-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4468-165-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/5076-164-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3308-169-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4468-172-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1612-174-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4216-179-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3960-178-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1612-183-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/4216-187-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/232-192-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/5224-191-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File created	C:\Windows\install\system.exe	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe
File opened for modification	C:\Windows\install\system.exe	system.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
4984	system.exe
4984	system.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
4984	system.exe
4984	system.exe
4984	system.exe
4984	system.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56
PID 2436 wrote to memory of 3568	2436	JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acb89308b319dee6e346d622a73b4b2b.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:876
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4984
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3424
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4916
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5496
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2212
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3492
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3740
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3240
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4612
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4712
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4820
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4692
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4976
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4684
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4152
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:6136
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3000
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4980
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5108
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:724
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5076
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3308
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4468
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3960
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1612
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4216
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5224
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:6088
  - - C:\Windows\install\system.exe
      "C:\Windows\install\system.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:232

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
6f4bcccecd140b409243853d08df898f

SHA1
5672580572810563cfade18548fb16119f45e625

SHA256
7047efbb6d28fdea57d7f6f659049469df3e30afa4e81c1013e35e5b28b7c2d5

SHA512
92a8a9c90e4b8b9c346e6d026282cb36856b72ed15ce56adfe9e31911f80963c56c631cc465ec55dd6efc2830906f43f714f1271e80acbb80b1337252c94fa3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
9fc1bbe995ebfdaf9ae8a4d47ca77258

SHA1
375764fa4fa29e9d1ae6adea688826b191728685

SHA256
18147fe726ce1c0d51904ab5bc662d95c0b3bdf43506c8a8af21d04cf8aab550

SHA512
db6f0fdc6c9ce863d98fc83dc0a8433656f7ff9fb6d61215a15a15922f94940162dc9ba3c185894d79ce292f22f4ad516e2c39d644f05d2dc1dc52df468f339c

Download Submit
C:\Windows\install\system.exe

Filesize
338KB

MD5
acb89308b319dee6e346d622a73b4b2b

SHA1
7ef85cfd629767d9dc06bd7d1ddbe88726f8c638

SHA256
ecf1230d0c35e08e63cdae814bca3d67a6e8527b72eb066a4c2ebbf479d28e05

SHA512
a95566ce8c5242f0154c488e617eebbbee2ef1548d8931c30261930fd4bba9faa0fca768e684bd374684618633ed43bc3c373057f03915a020767813ab4e417e

Download Submit
memory/232-192-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/724-160-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/724-152-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/876-69-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/876-8-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/876-75-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/876-9-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/1612-183-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1612-174-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2212-97-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2436-65-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/2436-22-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2436-7-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/2436-3-0x0000000024010000-0x0000000024070000-memory.dmp

Filesize
384KB

Download
memory/2436-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3000-139-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3000-146-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3240-102-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3240-109-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3308-169-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3424-84-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3492-101-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3740-106-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3960-178-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4152-138-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4216-179-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4216-187-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4468-172-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4468-165-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4612-113-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4684-133-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4692-125-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4712-117-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4820-121-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4916-89-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4976-129-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4980-150-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4984-79-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5076-164-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5108-156-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5224-191-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5496-93-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5496-85-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6136-142-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download