Analysis
  max time kernel: 121s
  max time network: 124s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  submitted: 07-04-2024 09:53
  Static task: static1
  Behavioral task: behavioral1
    Sample: e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe
    Resource: win7-20240221-en
General
  Target: e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe
  Size: 530KB
  MD5: e4a57182974c869d65c629087783dfd4
  SHA1: 18f6a8c5fb5966d8d674710cd1ec92cf7a9983d0
  SHA256: 95f29fcaa074f4542eabf71d333d0584017b0e7fef8c54c7df703e57da3f8457
  SHA512: 7f43ada5fabfc717a7803cff8467192fc300762ea9b5263d91e233eb52a6e4f0a1242b6d1346eb75f49bded3a4ea831a40b4fb90248be99a70100f9f20c635c8
  SSDEEP: 12288:jHjaJDrU+Dv4ODNFXUpqbfv0HW3XY5KUvJRCESGK:7ja3UGgyNFXUpYf5I5KUxRmL
Malware Config
Extracted
  cybergate v1.07.5
  remote: vittimareturn11.no-ip.org:81
  1624AF8NC22YH6
  enable_keylogger: true
  enable_message_box: false
  ftp_directory: ./logs/
  ftp_interval: 30
  injected_process: explorer.exe
  install_dir: firefox
  install_file: firefox.exe
  install_flag: true
  keylogger_enable_ftp: false
  message_box_caption: non sei abbilitato a questa esecuzione
  message_box_title: sistem
  password: cybergate
  regkey_hkcu: HKCU
  regkey_hklm: HKLM
Signatures
Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2164  xgh44DD.tmp
    2504  xgh44DD.tmp
Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    2084  e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe
    2164  xgh44DD.tmp
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process                                              target process
    PID 2084 wrote to memory of 2164  2084  e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe  xgh44DD.tmp
    PID 2084 wrote to memory of 2164  2084  e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe  xgh44DD.tmp
    PID 2084 wrote to memory of 2164  2084  e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe  xgh44DD.tmp
    PID 2084 wrote to memory of 2164  2084  e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe  xgh44DD.tmp
    PID 2164 wrote to memory of 2504  2164  xgh44DD.tmp                                          xgh44DD.tmp
    PID 2164 wrote to memory of 2504  2164  xgh44DD.tmp                                          xgh44DD.tmp
    PID 2164 wrote to memory of 2504  2164  xgh44DD.tmp                                          xgh44DD.tmp
    PID 2164 wrote to memory of 2504  2164  xgh44DD.tmp                                          xgh44DD.tmp
Processes
  [depth 1] C:\Users\Admin\AppData\Local\Temp\e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Users\Admin\AppData\Local\Temp\xgh44DD.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\xgh44DD.tmp
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      [depth 3] C:\Users\Admin\AppData\Local\Temp\xgh44DD.tmp
        Command line: C:\Users\Admin\AppData\Local\Temp\xgh44DD.tmp
        - Executes dropped EXE
Downloads
  \Users\Admin\AppData\Local\Temp\xgh44DD.tmp
    Filesize: 85KB
    MD5: 05f8aea11bfe4af17976c4474327827a
    SHA1: 773e17e493e3b7e1882ee2d93f2e45beb81b3d6d
    SHA256: be44bfaefe3cadc61dec4cb85f61af82a528fb048da85bbb92a684e4b89d2738
    SHA512: 0b73ad68f9bfdeaf4dd6e36cc71355e640bff09a9e462e38b33523ac471f536f0f3058f2ea8b4050bde126e2a72a4dfc8b8e7ed55c335fcd3d46ed6156116ad1
  memory/2164-4-0x0000000000100000-0x000000000014F000-memory.dmp
    Filesize: 316KB
  memory/2164-5-0x0000000000100000-0x000000000014F000-memory.dmp
    Filesize: 316KB
  memory/2164-6-0x0000000000100000-0x000000000014F000-memory.dmp
    Filesize: 316KB