Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-04-2024 17:35

General

  • Target

    f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe

  • Size

    530KB

  • MD5

    f6502fe2f8d492436051cff7a249b961

  • SHA1

    7d0ef66098f863ce44e277348e64938c5bbfefd6

  • SHA256

    5623a900a9d242177a0b737deb794982eb2c37d09dc1c4c9f0af76b20a0657b9

  • SHA512

    e9b2bf646f325a57f5d5ab026765b481baf56013f4591581d1d88bfd9dba709f128f80af07b276e42c87d0fb470627631a02350e42e117a40ba424b8f4b41c44

  • SSDEEP

    12288:9X8PGfk+V8Lr47O8kZD3HTVARkgt0tAsCQLWGYLL:ZSj+W4hgLBARkgOCQML

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

proxpn12345.no-ip.org:81

Mutex

VUSR8B1F522210

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1176
      • C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Users\Admin\AppData\Local\Temp\Testing.exe
          "C:\Users\Admin\AppData\Local\Temp\Testing.exe"
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2052
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            • Suspicious use of AdjustPrivilegeToken
            PID:2944
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2956
            • C:\Users\Admin\AppData\Local\Temp\Testing.exe
              "C:\Users\Admin\AppData\Local\Temp\Testing.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:980
              • C:\Windows\SysWOW64\install\server.exe
                "C:\Windows\system32\install\server.exe"
                5⤵
                • Executes dropped EXE
                PID:3004

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 3
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 3
  • Defense Evasion
    Modify Registry (T1112): 3
  • Discovery
    System Information Discovery (T1082): 1

Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        246a200ee8db2230455750e6becb3f2a

        SHA1

        547ef76d3eeef614a8a37baf03e462af21129fe6

        SHA256

        d719faea7ed8f1680e914b1ba2c5ed22962523ab3053f0bdc7a087d04c04d16d

        SHA512

        70f3b7b4536fbfa5d40c904ebe40ac52ffad918301c0303afd5757d98a3c0a8133d36733136e6e883113cd3d10b75f536261368cc930ed62e2e05c19ff624136

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a932e66a9e3b430908bea627fa69d8a3

        SHA1

        415fb98f398d7f8d2fd2283a91aee6054c3aed30

        SHA256

        4e21765d18aab245aef29236c7b6e3a9e31a5d6aaa4864b033e97926669b610e

        SHA512

        1be493d84bcc733fc91b20924ae62a75bebf6b12c572e1b45bceed0692514239d7527a802072947c57967d22274b779da481cbe922f4582abbf10fe2218805c4

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        60e6b3d9586d7295b89e7e61c57d0497

        SHA1

        3b6bbf6db8a56fc9c51596a1a51cab95cb086782

        SHA256

        4632860f639e9d4dc91c0555b5a0d0106e911a35ad10e36c3bc21ac9e5c1130a

        SHA512

        8320ed70c399478cdab465677ec02566460e868219da0c1e2c27f7c4d344be6711770fa32481afef32682a63a3af69fc8eb519fc8e767a8e73b77515288b15c3

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        40eaf928d0369e0f29092423510c29a9

        SHA1

        6d9e259b8f1c7b92a24ec24b1ee884fb53493019

        SHA256

        b1af80668cd7aebc9bed8dbe590232fc7c89f733b0b73e8c62b4810de9e63663

        SHA512

        d90f64dea676f994498ad9054539d3e3ce6ba49951f139cc4e245a44f403202af66b43cb8fcb9e5fc6120eb4376b41a6d13aa63f46c2c90da382b21271e3115f

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        ee0cc6eb4643a60c2367e4ed157a1a2d

        SHA1

        1a08792d51482751ed5c4c422059dcce70fc7c65

        SHA256

        aaecad526247b5444f5baf7421fa611b47413d5c4ae28523e6cd2cdbbd42c62e

        SHA512

        e599d305aafd7833ee67d5fdb4214d1d5706825a1f942e829b7ad540a64aa5c46a160ee7bb7f750b791675752b990f34a1d0b84be3f93c86a5d09a0db1ee216a

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d7ea396d39fa7d9941f542dfa72b738e

        SHA1

        6adea0e35b6831b9bf16cc67ef90e6b57061c8fa

        SHA256

        6d7a127e5b9789ebefce5470188b83cb977f2914306637efe077311625708a82

        SHA512

        def6b1473b8883f7ffebdf60f669a6cc6737c5099b1fcbabe219221616af3cdd3d45181f0f42e7ef87cc2fac6227828225edbfa9302ba89b8cd77c016a86112e

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        471ad42abf8c756e1acb3fee0fbcd915

        SHA1

        bd3da7ec30399779d9f8bd3ac899d9000e4ab313

        SHA256

        52d83c569a6dd0dc03b08de57d5adb48bd9411296b815ac792ee761e543d3a53

        SHA512

        60cb9f3037a1c95edb30025d8a50af657dc3b283cceed6ac5e0fc0981e418e4840c075126dd1594f06905646615a37c9a873d6079b86a14c81ae6f76cb4687e9

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e63eb29dd2e3d73ef79256d3c4937cac

        SHA1

        bfe62e9ada9ec19d6a2ff2c2d528e93ca0c6595a

        SHA256

        9fd33fd0c2dc0476e8fdb94b7853433fcde0e27b8998e84eedb73bb549424f83

        SHA512

        9d513ae48bea3e419ef3f14569f01a49369af4ec75198b295d933452387a73045a9e7ef38d2e07ecb303be331246a508d3eaadad88007e534ce286870a38b91a

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        1cf8aa6624b5234bb3916b0f8b4f0971

        SHA1

        9f4aeea3fed663a3ff678b6811d6f898eebffd87

        SHA256

        b026255540770d8ec70fb7f85c736b49dd3efdede9aa6790bd104b74c20c80d5

        SHA512

        541600641ccc139de8c1b24bb5aa75758aad82ad20354532b3997baf457f162ed6732f9e194c36281d28ffd13998ac1999ecb1b796ce2f94ae30c596191a2144

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5a9b5e1b6afd48e45a9daa96cf816580

        SHA1

        d7bc516473b6d777dee841e8671f0d2a116b386c

        SHA256

        4c908b07a2a36acb500de253d80dd70fa9d483266d698bd84e458c316d200dbf

        SHA512

        9822da645112fc79cb4c03ca12fbbe58e55f11f56275496bb977cedbe02e38efd8631c881834f3b1dc4a0a0bf4f886a08211c4a06ef08150df6252b9dc708e68

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        4be75c847a0488208738ddb1e17b6381

        SHA1

        f79f3df86a6581b93891c9ed29b4360548a1199a

        SHA256

        1dd6b93a12db99bdf685470e97f6b4f3d3e1638f7b71f35f2793315a55d499ba

        SHA512

        094b4b37eb44fec1eaeb1e043beb9e5dd0db1fbf7e9fb98a5f0662a8d83bc92abba948ca0e71a3461d15ccc3dd02199d094eb3cb8bd54419515a6d0b0db93b3c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5f7b9675433fa983fd1baf5db5219ca2

        SHA1

        d9f4e9b376a78c179b639ca595ec7d4314fa01b0

        SHA256

        84093636a666012d803756375105e6e8f0b13fde779f4e12d5acc3a4f83adb56

        SHA512

        7eca92416d2949dc47d06340e3a484fe0c68ec87db5d38180c6b99684bb6a6dc7897bdae25bdb799a38f076ffcc8f369cb99c09554ef38421385360a63ce93a4

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8b06bc695616e6daa2f917a15f283151

        SHA1

        02372e1208fd332a94ed445d9cbffcde2da08f86

        SHA256

        d1d598eafee3b9170270fae0bd9ceaaeef943b1f1c8a6e7fd62ba6806f45cbaa

        SHA512

        bd35bfb9860e41192280a02c74734d8756f3a2f51a22795eb32f22e19e2f69c8abe919426c4fbff1049f5f22b3b62fb02499179db10d4bb75cd9329fb6e406a5

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        be3b8886f20ea6a3175bd69b9577c6f6

        SHA1

        3f3ac37053eb310e4e79c0f7446d517a6b13f26d

        SHA256

        0b615216435a5130666646ada3189640df623419ddbf10f5b1acddf3a139ff24

        SHA512

        c0a451d993adf4d8b7e715531c947286fcc8463b74c8fa635d94fb80a3e00578ebe067729000ce7457985d6359a1123a77a6b4d9eea8979560f2788669d620ee

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        b0838df9e181885aea7c6ed6d249f4cc

        SHA1

        cfee3e54cc68f47928db5ad37b391ec8cf853b84

        SHA256

        0c9b1d790b20cbb66298ba5c5252cf14759529f96f239195570c498b57bdd5d3

        SHA512

        970c32f55b786d3e62941475290400d08b5fd2f00c4a7fa553252ada7ac987ae7d6da07985006d4794e7cc9f78762069d35e89e26d9ca89ceaed5f145fef6300

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        550fd4706d75cd367e4094e7a1331238

        SHA1

        674f3b85a8bfd98d8f110dcb053b057f32a140f9

        SHA256

        852dda9ce49dfb5c766a3e6d358010d97cd0578220c8d21efb0dd74c642ad925

        SHA512

        2b68e806bbd732dc9658b239f7fa8d1515d9dc137118775e730d8021c61f72f4b945f61c8d0f4dbfe1d862ac7f9427d2d47cc23a03470a1667d201545b240e3e

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0c27d3ced45a15f4bbf32d6c24e214fb

        SHA1

        651e2f5329709e5710b1ae674986a589c8cc03c3

        SHA256

        1c273c523e7a53e4c330f0bbb70045a7583f035726d5025df4ffbbe75ef1a7ca

        SHA512

        d7b185229eea03e5261976c0e7adc74f520a5eef10b8532ec8ff5c20390d27ec16c33ce239303b0e0505c4fbaa2bce87190eb94712f934775db47565394b56c8

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5c7d33786dede428557dd3a20489db0e

        SHA1

        76f4fd93f30267ba2262a38949087899b1acf98d

        SHA256

        486f4d2af7199e48ac798a3ac529561b05fd69cd386e7540423d183bd82cffbe

        SHA512

        574a9ff825a17e74ba4cc99e1b2c985c538f3ec00ee466acf0fec7531d945698bc155a0a85ac3941a33632c57bf9e415df590f42579532cbb1b7683eb1cd5a41

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        df0fd03ca9f53b507c2bff763abde1e1

        SHA1

        fd0699b18727527758572caf154d3836299b046d

        SHA256

        9f15b8ae0188d1bab7bfc51753d6d093272f934f9da1983f97b404e4a4ae529a

        SHA512

        82522ea63a073474450438598cb9e74bb20edc559bb34c62125c1713f7e7037dd3e50dcdc81f24fc38907d6c8c429fa833772565d48bd9e83842c5eeeafe31d1

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        9d2fcd98ad22fb36a64edbca41e7c2a9

        SHA1

        e6cbe4b4a391a77c50e57dbe9fcf2ab65d8f8831

        SHA256

        5b3364cc293542814b6f0a10ce92e5fd8d08b0e55a6c70600e29a831999eed14

        SHA512

        33469bd42c0c15b85a3140c4fb6681ee52dc0283db80a0f885062f6f8758a9ed96e3d08f0672f7b58b5e176e882097a2b531335f0c294666b0df862a50db0006

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • \Users\Admin\AppData\Local\Temp\Testing.exe
        Filesize

        296KB

        MD5

        ee9b34767367aaa660049adb43c094de

        SHA1

        9884c5d7ef3eb03591515e6caac0ed70a62d7689

        SHA256

        06d70401728ba068a54e4a1facf2a533f7b05530a433c4066175163094a29e8b

        SHA512

        455e326f24a7b388f32b5e742c8eef1148fef0387e35c403cfbe920b1dd6bec8362f0c95a5c7e87898b648d051f097efb76e523eb9ccdb79c63f3c95c9272d82

      • memory/980-1650-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

      • memory/980-848-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

      • memory/1176-16-0x0000000002D80000-0x0000000002D81000-memory.dmp
        Filesize

        4KB

      • memory/2168-0-0x0000000074A00000-0x0000000074FAB000-memory.dmp
        Filesize

        5.7MB

      • memory/2168-2-0x0000000074A00000-0x0000000074FAB000-memory.dmp
        Filesize

        5.7MB

      • memory/2168-1-0x0000000000A30000-0x0000000000A70000-memory.dmp
        Filesize

        256KB

      • memory/2168-603-0x0000000000A30000-0x0000000000A70000-memory.dmp
        Filesize

        256KB

      • memory/2168-580-0x0000000074A00000-0x0000000074FAB000-memory.dmp
        Filesize

        5.7MB

      • memory/2944-869-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/2944-311-0x0000000000690000-0x0000000000691000-memory.dmp
        Filesize

        4KB

      • memory/2944-539-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/2944-310-0x0000000000120000-0x0000000000121000-memory.dmp
        Filesize

        4KB