Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    18-04-2024 05:09

General

  • Target

    f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

  • Size

    329KB

  • MD5

    f753d0e1e3c5b7540a76a27c27b9765a

  • SHA1

    73b6a4020d07f4d0a2a1352b504436bab24c990f

  • SHA256

    66b00c7969870f6f39f15126c654e0859297412ecfdd3481965426cf5b4df70a

  • SHA512

    acbf48633d332c565deca1d4a528119b0547e336bdb56616722db32df2685383ff130b5d50bb4e89eb673cc07b5b663c66335a894c37b6b3245807c3ee158aa2

  • SSDEEP

    6144:4jsS6+qPb4PC9smagEUOd2VugiJTR6HVbsOam2R29wQYLdQU2BYbvaXO:4jsX+eb4e9HEUaosd6HVbvam2I9JY2aB

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

ragnar

C2

127.0.0.1:999

192.168.1.248:81

192.168.1.248:8080

Mutex

566ABROO13O35V

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    minijuego.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    coliseo

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:2156
        • C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2304
          • C:\Windows\SysWOW64\install\minijuego.exe
            "C:\Windows\system32\install\minijuego.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            PID:2696
            • C:\Windows\SysWOW64\install\minijuego.exe
              C:\Windows\SysWOW64\install\minijuego.exe
              5⤵
              • Executes dropped EXE
              PID:2496
        • C:\Windows\SysWOW64\install\minijuego.exe
          "C:\Windows\system32\install\minijuego.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:608
          • C:\Windows\SysWOW64\install\minijuego.exe
            C:\Windows\SysWOW64\install\minijuego.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1580

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    • Persistence
      Boot or Logon Autostart Execution (T1547): 3
      Registry Run Keys / Startup Folder (T1547.001): 3
    • Privilege Escalation
      Boot or Logon Autostart Execution (T1547): 3
      Registry Run Keys / Startup Folder (T1547.001): 3
    • Defense Evasion
      Modify Registry (T1112): 3
    • Discovery
      System Information Discovery (T1082): 1

    Downloads

    • C:\APISETSCHEMA.DLL
      Filesize

      6KB

      MD5

      2f03490092c032392fb6ff635222b9b2

      SHA1

      77e86c4677b8670474bfb2dbc60a47e3b340a679

      SHA256

      951e57ba594507058366321ae29dc117cde9d3801a0535a704db4c7762690c81

      SHA512

      f2c0a9cf67ec21fa039f8930c260258dd93066a747c13e8a9d7f6fe947ac9b75d30c8184ff03fb87e23cf717c32d917bc05530763edd3dd645bf12c7b655f81b

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
      Filesize

      225KB

      MD5

      1e6e103853f388b3f17e694463df6a7a

      SHA1

      5565bf1249914cc90a4175f9618b7347199554d9

      SHA256

      e2d34973521f592e924b3039a23c787b5fc9befb60a999e72e444c66043e0852

      SHA512

      5ec8c7d190a89137a54455951d48b4f97275c518bce1d2bdc794589320ff5ffbba233a6108f24f75b4d7be961fd483b3420b471a798d1bff5386223fcf776e96

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      8651ea22eec86b2a0d876f2ff7e82486

      SHA1

      34927146e7b2c0ceed3a78b3ec5b06d1cd81c186

      SHA256

      3eb18892ebce877b373b8b20e166a8d2b0372e87e4091d80aed6f15011906529

      SHA512

      cfd114ac61c2604a22c6e4e4867784b05b05d480b213ad614d69e1224649f77a5c7324356491f032e87e2896662152c5473b7f0b3d365749c379b92bdd7e82a0

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      46fddd811286e911c3852d98753e59f0

      SHA1

      7941a408cf6f0c4647d8e6c4d4564a7ba5079f2c

      SHA256

      faeb7b9abc48c01f1d1680cd4dfab0a2669eac75b7083c236689a1528d7a00d3

      SHA512

      6a1c2086b8e6c0216d35c9532279f03da4c7b73dc504cfc509722aca52e9321c1e8082acf6590c46e96fad7b973fe954299582bc2a5048491da9b44d80d013fc

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      84da39786084be457504a490dc731347

      SHA1

      882f69dc3331339df4da101de2c11c3f6d50d07d

      SHA256

      d0a22dee4b5672c5f37fe41b129bf091b54cfb975dd956ec26d35250a2076030

      SHA512

      e84060a17a107ce0a285f2aedfe692531251b7dc1f6a8cce3856ee153c6a491b0f67c369d3ed54fcb6ad0bf2ad34f4fdc66b6f5587f4b84f6ac9acd454760ce9

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      d1eec83ab34f4876f55cd23736f52f83

      SHA1

      a561db8f74f3afa91fcbfc58ae1316d132615427

      SHA256

      de0026b70bdbd5039dd30533b4060000c0858f0ba40331583ecb356e364c998d

      SHA512

      268dece1f04b109436c08f2b4ba5a186f2fd6391a9250da917aa98790f58a603e43e1c062cb5d09c183da188eabe08663ddefafebc0f31d6c03f99869adb53ed

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      0367302cbc2b15c9a6f15e80fb67145a

      SHA1

      1dfe39e67c817d30d20a04e139c98df8a453ed47

      SHA256

      09333fd0a4f5ae01033a0a40020ddccb8945d5b677626332e9ba94901760da50

      SHA512

      5820a22c600e3d7c83a6bfa5a06266b67b788ffc6dfe251f327ab19565540bb47a96d415a36a0ea993a3c32717d6aa323b675694e18a55e1796455475fff708d

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      5c11fbc41fd240fe5b681e7d0d40adda

      SHA1

      733dce4772edabd61011acfeb47094c58a5ce22d

      SHA256

      a1b96234467b833cae2b53f4b3b41b46bf2d82b87b6ac11adfed0d38a970a85b

      SHA512

      42eba2c73bff630288491afa40a03be7ee9960a085d07124aace8c53105877fafa4cbc8b4f133a5fff6ecaa17c394813186d9c056dff2daddc68f334b75f3960

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      5145bbaa726c65538a266a0683bd695c

      SHA1

      10fde0a45c7356d538be644cf64d2ccfab5d5134

      SHA256

      8565af8445ff55420d05a68fbad41a321f34fcaab0bf11b9a956a10761b8f5b1

      SHA512

      08772f8fa1254a5f45d4d60be613c8711215582498718b0c8207c29456fc757e38d50739c1ad06fc29b508631430794bd239067dfb043171462bb75d96affc8f

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      5a23f27ffbf53695978e91ee33220980

      SHA1

      0a55f2c011eec29c48847204c5dc916076a7b0bd

      SHA256

      8dc61feba7fe0db9ae6b531a73507695b38c04a4a11c972038012ac15517edbf

      SHA512

      66a6886208fb07c3b5b24d1cdb6651de1e51e8e995cd12999594fa7cea4f4830bbafadfd2b0b11f49509c27049392ed5ee7b2fd5dc880a124cd1ea5fc01453dc

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      21980d46d434ac697d188b4b2a8dea43

      SHA1

      b20ed107c9b0d44b82b3268446b238be3faca93c

      SHA256

      87840b94b29efd53e28b184cba12ecc481fa0ed58213c522e5eba6eff1729c94

      SHA512

      b1ce10e8ca96b272aa804d23bc0b24267ac290f5cc77b769699a0a07b498c36c8c0ec4b3c2f85743cf29459db9253082e698dc57a0514cc45154fbfde61bc42c

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      1a78c0459f09f67500da5c247c008f8b

      SHA1

      42574550d16f268b3de0f4a0f6c60f4c776d4775

      SHA256

      44302ff254833c7b66539ba226fa90d8c41825bd1ce2c2abe6a4be4bee5f810c

      SHA512

      cedce245cf2261105e3a9649849c9de32a92c99bc751c46ee92ec9ebc07dca1b2416cbf899e11fbc75086ed83deb25778554b62fc337612cb0dfcd65e9829db6

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      083105f437b6b182f445cffbbf384a13

      SHA1

      cdadc187c0ea92a27d9dd771e272661369cd3590

      SHA256

      c543008b3d28548a7aec14ec9915d2e475b8f22ef83b691591f93d45a7bf8c5f

      SHA512

      9e433d33691e7f1db1e04381bc4f62b8c96e3acbb96fd95b4fc57902ab81445996864abd55660cee3df60d589e22cdac305c5abb4e7788e2e3ccd5d5f43e27aa

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      c63f939231508fb607a8323649f55aeb

      SHA1

      36d864d521de89fa9a64f459f5c2fa9dbaa9544d

      SHA256

      2385c3155f1623ec17c7dd0a73ee7b199b13355f02b79903358a043deaf3cdd3

      SHA512

      9cb8ea0f50cef15dd3d34d41009d264935342a282684dbaa494a705a3d12b2012a88feb460c3497239ab5114f5acdb9ba433b388b1f9b76df9a82b8a00862821

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      35d69942f761a4b68a378e4dddfee15e

      SHA1

      9b7f4204a882dd63c7c0f3ca10f72950b7219923

      SHA256

      eb236f030bb33c1c32c0fac5494000c6323f2bb3f708c61faf4a6774b37d4288

      SHA512

      89a0ea8240b8effc3875169ee15dc70d12d0d6de9c20376fa32f3b3aaa3a3f24751a848a853766c620423f7d5b4d0d1860a77a52c6dae4eb7a34ea9447423c83

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      0cde17ce7e84a0cf35a4518ee4fbbf63

      SHA1

      569475596a7a0f14afe9688e1a06dc8e87054302

      SHA256

      d0a378d488b23f510268a356c9f74840a4eea38c81c14761db04b86a996c1895

      SHA512

      54329d18b77cadeb310e2631124f0c0cd92a6d74e81a109a2357f0a200f8e28252ca7524d3f39afdb7284dc023544d4930f8b949c7e889df8b9284d7d2ff5505

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      f128a4619a125d459bad1c1a1ea275e1

      SHA1

      df36cac439ab50d793b7a254afc12cb2e8eeb1b4

      SHA256

      fed1a5efaade1591b15c4afe343eadc37aed47379b441b4a429f5ab1ac7e5002

      SHA512

      4935302ca20273f42402d29e1a1b9f1cd291a9697737b2829a50524d7f84c66501a7179ade3de81dca49f5a3a3e59fcbd3f24403d80b2306e85b81b8d249c283

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      905da612e5934dadb5dd85724fdb8d6c

      SHA1

      fa857eb43649a4f609e811fdda156a972f1810a6

      SHA256

      e4bdab48bc44b44b193c16a5dbbc931062dd04d584d47f479325ff73460d09d2

      SHA512

      4e526a6580dc9da1802b3dd4a9e9d99ad9ae3c1117ddb619a549ee31ffc558ec263e7ddbd3cbe8ea21cd726170d551f4e7795475557e846d62f785cec186570b

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      46b4d6c91cb4256e40452c0f05cdd227

      SHA1

      de20ffb510618536527b9f87f4f2136a3104c883

      SHA256

      9d4fba4bf33282beeb41318c652c7def96b27c8ef4e6c0cecddaa79522e5716a

      SHA512

      60f7f917403849c1ffc39a016034b1011c582be45358918a63dfbeb02a120d8fad58b9cdc3d5d1fa775f885f3f2047a198318b88ffa9e0de7085c48a279af702

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      f366a273b4abfffe7ecb2d5f71c4aa52

      SHA1

      ce9ff950184d853beda71eccc741c0e59ee779cd

      SHA256

      867e04c04e7281a9948804f774e0868cbf935a3e66aeda911e245b7232963b26

      SHA512

      862d4f1d95f835dcce7d9317f09c360fde1ba0f3b021351226ad1702452078e653cb77533edca24030a0c202244e0fc26843ba28d29acbf5dd4542dc9b711d79

    • C:\Users\Admin\AppData\Roaming\Adminlog.dat
      Filesize

      15B

      MD5

      bf3dba41023802cf6d3f8c5fd683a0c7

      SHA1

      466530987a347b68ef28faad238d7b50db8656a5

      SHA256

      4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

      SHA512

      fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

    • C:\Windows\SysWOW64\install\minijuego.exe
      Filesize

      329KB

      MD5

      f753d0e1e3c5b7540a76a27c27b9765a

      SHA1

      73b6a4020d07f4d0a2a1352b504436bab24c990f

      SHA256

      66b00c7969870f6f39f15126c654e0859297412ecfdd3481965426cf5b4df70a

      SHA512

      acbf48633d332c565deca1d4a528119b0547e336bdb56616722db32df2685383ff130b5d50bb4e89eb673cc07b5b663c66335a894c37b6b3245807c3ee158aa2

    • memory/608-347-0x0000000000230000-0x0000000000240000-memory.dmp
      Filesize

      64KB

    • memory/608-362-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

    • memory/608-342-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

    • memory/1580-390-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

    • memory/1580-364-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

    • memory/2304-33-0x00000000003A0000-0x00000000003A1000-memory.dmp
      Filesize

      4KB

    • memory/2304-386-0x0000000010480000-0x00000000104E5000-memory.dmp
      Filesize

      404KB

    • memory/2304-372-0x0000000004960000-0x0000000004970000-memory.dmp
      Filesize

      64KB

    • memory/2304-19-0x00000000001B0000-0x00000000001B1000-memory.dmp
      Filesize

      4KB

    • memory/2304-25-0x00000000001D0000-0x00000000001D1000-memory.dmp
      Filesize

      4KB

    • memory/2304-325-0x0000000010480000-0x00000000104E5000-memory.dmp
      Filesize

      404KB

    • memory/2304-62-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

    • memory/2496-387-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

    • memory/2496-393-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

    • memory/2548-1-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

    • memory/2548-4-0x00000000003D0000-0x00000000003E0000-memory.dmp
      Filesize

      64KB

    • memory/2548-7-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

    • memory/2552-338-0x0000000000710000-0x0000000000720000-memory.dmp
      Filesize

      64KB

    • memory/2552-335-0x0000000000710000-0x0000000000720000-memory.dmp
      Filesize

      64KB

    • memory/2552-26-0x0000000000220000-0x0000000000230000-memory.dmp
      Filesize

      64KB

    • memory/2552-361-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

    • memory/2552-15-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

    • memory/2552-11-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

    • memory/2552-10-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

    • memory/2552-8-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

    • memory/2552-9-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

    • memory/2552-5-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

    • memory/2696-383-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

    • memory/2696-378-0x0000000000280000-0x0000000000290000-memory.dmp
      Filesize

      64KB