Overview

overview

10

Static

static

3

f54df120c8...18.exe

windows7-x64

10

f54df120c8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    4s
  • max time network
    4s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 07:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f54df120c83f5fa1a01919b5b77d04ab_JaffaCakes118.exe

  • Size

    428KB

  • MD5

    f54df120c83f5fa1a01919b5b77d04ab

  • SHA1

    b411b648acd09b8abe0ed1cf2e65d8c11b77763b

  • SHA256

    dd659658316502fac8b34df964117d175bf277b2dc92e93cc7b9b09d9c512453

  • SHA512

    32f80f50b4407501114a04d4fe341786d1ed535ed27594e58ff5dda0c0debccad4a55058d433aa729f9a813dbc2419fbf9b4b4a2efb4f4e13dc94b87b424d3fd

  • SSDEEP

    12288:wmMDB2MiDXWt6bJ8DjFreYkkHeGtOsd/EE4Ej:wmYli7WkFQxeYR+GtOsdMOj

Score
10/10
cybergatemicrosoftpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

microsoft

C2

loveerrorrr.no-ip.biz:85

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    System23

  • install_file

    Microsoft.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Missing files

  • message_box_title

    Error!

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3416
      • C:\Users\Admin\AppData\Local\Temp\f54df120c83f5fa1a01919b5b77d04ab_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\f54df120c83f5fa1a01919b5b77d04ab_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Users\Admin\Documents\f54df120c83f5fa1a01919b5b77d04ab_JaffaCakes118.exe
          "C:\Users\Admin\Documents\f54df120c83f5fa1a01919b5b77d04ab_JaffaCakes118.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            4⤵
            • Adds policy Run key to start application
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:4408
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              5⤵
                PID:3464
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                  PID:4996
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
                  5⤵
                    PID:536

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Scripting

          1
          T1064

          Persistence

          Boot or Logon Autostart Execution

          3
          T1547

          Registry Run Keys / Startup Folder

          3
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          3
          T1547

          Registry Run Keys / Startup Folder

          3
          T1547.001

          Defense Evasion

          Modify Registry

          3
          T1112

          Scripting

          1
          T1064

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\f54df120c83f5fa1a01919b5b77d04ab_JaffaCakes118.exe.log
            Filesize

            319B

            MD5

            600936e187ce94453648a9245b2b42a5

            SHA1

            3349e5da3f713259244a2cbcb4a9dca777f637ed

            SHA256

            1493eb1dc75a64eb2eb06bc9eb2c864b78fc4a2c674108d5183ac7824013ff2d

            SHA512

            d41203f93ed77430dc570e82dc713f09d21942d75d1f9c3c84135421550ac2fa3845b7e46df70d2c57fe97d3a88e43c672771bb8b6433c44584c4e64646c1964

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
            Filesize

            240KB

            MD5

            c0b830a9da3bbe801f19410a092a907e

            SHA1

            61e2dd83561b564de0f862fe8d82e0fdd4a27ddf

            SHA256

            3523bbd97e6be532ae2eab1e44da529a233c5b0f233bc6d6d88d1e6290ba8188

            SHA512

            9fa63753a60005d75cc6f656fe31b498ca4b6ef213fcadbad8aed5d3238c67e03dd8b98d438caad55d3cc61b99cdb9182f5120991dfae919bbec40a3183760b0

            Download Submit
          • C:\Users\Admin\Documents\aclui.dll
            Filesize

            17KB

            MD5

            e99f74ae594c1b373fa0d34193dce208

            SHA1

            3933f949724a6702e0038295287a39c53592b11e

            SHA256

            1dbb3b418bd78abb49d583f2b9cea6b20fe9fece0a59c118ddf104a672e29ebd

            SHA512

            355a2a3955e0f50b0c41a24589b9283892689faa61aea6360a1b762f5f2f58166c579b37dc0b003e716c1dc760f1931b73faf6fa3e2b21f8571dbdf5ee37c030

            Download Submit
          • C:\Users\Admin\Documents\f54df120c83f5fa1a01919b5b77d04ab_JaffaCakes118.exe
            Filesize

            428KB

            MD5

            f54df120c83f5fa1a01919b5b77d04ab

            SHA1

            b411b648acd09b8abe0ed1cf2e65d8c11b77763b

            SHA256

            dd659658316502fac8b34df964117d175bf277b2dc92e93cc7b9b09d9c512453

            SHA512

            32f80f50b4407501114a04d4fe341786d1ed535ed27594e58ff5dda0c0debccad4a55058d433aa729f9a813dbc2419fbf9b4b4a2efb4f4e13dc94b87b424d3fd

            Download Submit
          • C:\Windows\SysWOW64\System23\Microsoft.exe
            Filesize

            1.1MB

            MD5

            d881de17aa8f2e2c08cbb7b265f928f9

            SHA1

            08936aebc87decf0af6e8eada191062b5e65ac2a

            SHA256

            b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

            SHA512

            5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

            Download Submit
          • memory/1192-17-0x0000000075350000-0x0000000075901000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1192-2-0x0000000000A00000-0x0000000000A10000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1192-0-0x0000000075350000-0x0000000075901000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1192-1-0x0000000075350000-0x0000000075901000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/3016-18-0x0000000075350000-0x0000000075901000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/3016-19-0x0000000001190000-0x00000000011A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3016-30-0x0000000075350000-0x0000000075901000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/3016-41-0x0000000075350000-0x0000000075901000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/3464-53-0x0000000000950000-0x0000000000951000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3464-114-0x0000000024080000-0x00000000240E2000-memory.dmp
            Filesize

            392KB

            Download
          • memory/3464-54-0x0000000000C10000-0x0000000000C11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4408-39-0x0000000000400000-0x0000000000459000-memory.dmp
            Filesize

            356KB

            Download
          • memory/4408-49-0x0000000024010000-0x0000000024072000-memory.dmp
            Filesize

            392KB

            Download
          • memory/4408-109-0x0000000024080000-0x00000000240E2000-memory.dmp
            Filesize

            392KB

            Download
          • memory/4408-45-0x0000000000400000-0x0000000000459000-memory.dmp
            Filesize

            356KB

            Download
          • memory/4408-44-0x0000000000400000-0x0000000000459000-memory.dmp
            Filesize

            356KB

            Download
          • memory/4408-43-0x0000000000400000-0x0000000000459000-memory.dmp
            Filesize

            356KB

            Download