Analysis
-
max time kernel
91s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
07-04-2024 09:53
Static task
static1
Behavioral task
behavioral1
Sample
e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe
-
Size
530KB
-
MD5
e4a57182974c869d65c629087783dfd4
-
SHA1
18f6a8c5fb5966d8d674710cd1ec92cf7a9983d0
-
SHA256
95f29fcaa074f4542eabf71d333d0584017b0e7fef8c54c7df703e57da3f8457
-
SHA512
7f43ada5fabfc717a7803cff8467192fc300762ea9b5263d91e233eb52a6e4f0a1242b6d1346eb75f49bded3a4ea831a40b4fb90248be99a70100f9f20c635c8
-
SSDEEP
12288:jHjaJDrU+Dv4ODNFXUpqbfv0HW3XY5KUvJRCESGK:7ja3UGgyNFXUpYf5I5KUxRmL
Malware Config
Extracted
Family
cybergate
Version
v1.07.5
-
remote
vittimareturn11.no-ip.org:81
-
(unlabelled value in the extracted output)
1624AF8NC22YH6
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
firefox
-
install_file
firefox.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
non sei abbilitato a questa esecuzione (Italian, spelling as found in the config: "you are not authorized to run this")
-
message_box_title
sistem
-
password
cybergate
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  5076  xgh2E05.tmp
  1404  xgh2E05.tmp
-
Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  896   5076        WerFault.exe  xgh2E05.tmp
  4456  5076        WerFault.exe  xgh2E05.tmp
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process                                              target process
  PID 3320 wrote to memory of 5076  3320  e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe  xgh2E05.tmp
  PID 3320 wrote to memory of 5076  3320  e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe  xgh2E05.tmp
  PID 3320 wrote to memory of 5076  3320  e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe  xgh2E05.tmp
  PID 5076 wrote to memory of 1404  5076  xgh2E05.tmp                                         xgh2E05.tmp
  PID 5076 wrote to memory of 1404  5076  xgh2E05.tmp                                         xgh2E05.tmp
  PID 5076 wrote to memory of 1404  5076  xgh2E05.tmp                                         xgh2E05.tmp
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe  (PID 3320)
  command line: "C:\Users\Admin\AppData\Local\Temp\e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp  (PID 5076)
       command line: C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp
       - Executes dropped EXE
       - Suspicious use of WriteProcessMemory
       |
       +- C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp  (PID 1404)
            command line: C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp
            - Executes dropped EXE
       |
       +- C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 588
            - Program crash
       |
       +- C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 596
            - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5076 -ip 5076
-
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5076 -ip 5076

Note on reading this tree: the PIDs are taken from the Signatures tables above. The extracted config names explorer.exe as the injection target, but the only WriteProcessMemory targets recorded in this run are the dropped xgh2E05.tmp processes (the sample writes into PID 5076, which in turn writes into its own child PID 1404), and PID 5076 is then reported twice by WerFault (-p 5076). A crashing first stage is a common reason a sandbox run ends with no network activity, so the absence of traffic here should not be read as the absence of a C2.
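The extracted configuration and the process tree above are the two things a practitioner would want to act on: turn the config into hunting indicators, and recognise this dropper-then-self-spawn pattern in endpoint telemetry. The Python below is an added example, not part of the sandbox report or of any tool named on it. The config values are copied from the report; the process-creation events are constructed to mirror the report's tree (Sysmon Event ID 1 style fields), with the sample's own parent PID (1000) and the pairing of the two WerFault PIDs with their -s values assumed. Rule names and the relative-path handling of install_dir/install_file are this example's choices.

```python
import re

# Configuration values exactly as extracted in the report (CyberGate v1.07.5).
CYBERGATE_CONFIG = {
    "remote": "vittimareturn11.no-ip.org:81",
    "injected_process": "explorer.exe",
    "install_dir": "firefox",
    "install_file": "firefox.exe",
    "install_flag": True,
    "enable_keylogger": True,
    "keylogger_enable_ftp": False,
    "ftp_directory": "./logs/",
}


def parse_remote(remote):
    """Split a 'remote' entry of the form host:port into (host, port)."""
    host, sep, port = remote.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"malformed remote entry: {remote!r}")
    return host, int(port)


def config_to_iocs(cfg):
    """Turn the extracted config into hunting indicators.

    install_dir/install_file are relative: the config does not say which root
    directory the copy is created under, so the install path is emitted as a
    suffix to match against full paths, not as an absolute path (assumption).
    """
    host, port = parse_remote(cfg["remote"])
    iocs = {
        "c2_host": host,
        "c2_port": port,
        "install_path_suffix": None,
        "injection_target": cfg["injected_process"],
        "keylogger": bool(cfg.get("enable_keylogger")),
        "ftp_exfil": bool(cfg.get("keylogger_enable_ftp")),
    }
    if cfg.get("install_flag"):
        iocs["install_path_suffix"] = "\\" + cfg["install_dir"] + "\\" + cfg["install_file"]
    return iocs


# Constructed process-creation events that mirror the report's process tree,
# in creation order. PIDs 3320, 5076, 1404, 896 and 4456 are from the report;
# the sample's parent PID (1000) and which WerFault PID carries which -s value
# are assumed.
EVENTS = [
    {"pid": 3320, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe"'},
    {"pid": 5076, "ppid": 3320,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp"},
    {"pid": 1404, "ppid": 5076,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp"},
    {"pid": 896, "ppid": 5076,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 588"},
    {"pid": 4456, "ppid": 5076,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 596"},
]

# A .tmp file under the user's Temp directory used as a process image.
TEMP_TMP_IMAGE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmp$", re.IGNORECASE)
# The PID WerFault.exe was started for (the "-p <pid>" argument).
WERFAULT_TARGET = re.compile(r"\\WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def detect(events):
    """Return (pid, rule) findings over process-creation events in time order.

    1. tmp_executed_from_temp: a .tmp file in Temp is started as a process
       (the loader ignores the extension; benign software rarely does this).
    2. self_spawn_of_flagged_image: a process that matched rule 1 starts a
       child with the same image path, as xgh2E05.tmp -> xgh2E05.tmp above.
       Both parent and child must have matched rule 1, because browsers and
       other sandboxed apps spawn same-image children routinely.
    3. crash_of_flagged_process: WerFault.exe invoked for a flagged PID,
       reported against that PID as corroboration, not as a stand-alone alert.
    """
    by_pid = {e["pid"]: e for e in events}
    flagged = set()
    findings = []
    for e in events:
        image = e["image"]
        if TEMP_TMP_IMAGE.search(image):
            flagged.add(e["pid"])
            findings.append((e["pid"], "tmp_executed_from_temp"))
            parent = by_pid.get(e["ppid"])
            if parent and parent["pid"] in flagged and parent["image"].lower() == image.lower():
                findings.append((e["pid"], "self_spawn_of_flagged_image"))
        m = WERFAULT_TARGET.search(e.get("cmdline", ""))
        if m and int(m.group(1)) in flagged:
            findings.append((int(m.group(1)), "crash_of_flagged_process"))
    return findings


if __name__ == "__main__":
    print(config_to_iocs(CYBERGATE_CONFIG))
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

On real telemetry the same three rules map directly onto Sysmon ProcessCreate fields (ProcessId, ParentProcessId, Image, CommandLine); rule 1 will also fire on some self-extracting installers that stage a .tmp in Temp, so tune it on signer or parent image before alerting on it alone, and treat rule 3 only as support for the other two.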
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp
Filesize
85KB
MD5
05f8aea11bfe4af17976c4474327827a
SHA1
773e17e493e3b7e1882ee2d93f2e45beb81b3d6d
SHA256
be44bfaefe3cadc61dec4cb85f61af82a528fb048da85bbb92a684e4b89d2738
SHA512
0b73ad68f9bfdeaf4dd6e36cc71355e640bff09a9e462e38b33523ac471f536f0f3058f2ea8b4050bde126e2a72a4dfc8b8e7ed55c335fcd3d46ed6156116ad1
-
memory/5076-2-0x0000000000400000-0x000000000044F000-memory.dmp
Filesize
316KB
-
memory/5076-3-0x0000000000400000-0x000000000044F000-memory.dmp
Filesize
316KB
-
memory/5076-4-0x0000000000400000-0x000000000044F000-memory.dmp
Filesize
316KB