Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-04-2024 05:09

General

  • Target

    f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

  • Size

    329KB

  • MD5

    f753d0e1e3c5b7540a76a27c27b9765a

  • SHA1

    73b6a4020d07f4d0a2a1352b504436bab24c990f

  • SHA256

    66b00c7969870f6f39f15126c654e0859297412ecfdd3481965426cf5b4df70a

  • SHA512

    acbf48633d332c565deca1d4a528119b0547e336bdb56616722db32df2685383ff130b5d50bb4e89eb673cc07b5b663c66335a894c37b6b3245807c3ee158aa2

  • SSDEEP

    6144:4jsS6+qPb4PC9smagEUOd2VugiJTR6HVbsOam2R29wQYLdQU2BYbvaXO:4jsX+eb4e9HEUaosd6HVbvam2I9JY2aB

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

ragnar

C2

127.0.0.1:999

192.168.1.248:81

192.168.1.248:8080

Mutex

566ABROO13O35V

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    minijuego.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    coliseo

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:2340
        • C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe"
          3⤵
          • Checks computer location settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:5052
          • C:\Windows\SysWOW64\install\minijuego.exe
            "C:\Windows\system32\install\minijuego.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            PID:3320
            • C:\Windows\SysWOW64\install\minijuego.exe
              C:\Windows\SysWOW64\install\minijuego.exe
              5⤵
              • Executes dropped EXE
              PID:860
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 548
                6⤵
                • Program crash
                PID:2836
        • C:\Windows\SysWOW64\install\minijuego.exe
          "C:\Windows\system32\install\minijuego.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:548
          • C:\Windows\SysWOW64\install\minijuego.exe
            C:\Windows\SysWOW64\install\minijuego.exe
            4⤵
            • Executes dropped EXE
            PID:2156
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 576
              5⤵
              • Program crash
              PID:636
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2156 -ip 2156
      1⤵
        PID:1104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 860 -ip 860
        1⤵
          PID:4236

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        • Persistence
          Boot or Logon Autostart Execution (T1547): 3
          Registry Run Keys / Startup Folder (T1547.001): 3
        • Privilege Escalation
          Boot or Logon Autostart Execution (T1547): 3
          Registry Run Keys / Startup Folder (T1547.001): 3
        • Defense Evasion
          Modify Registry (T1112): 3
        • Discovery
          Query Registry (T1012): 1
          System Information Discovery (T1082): 2

        Downloads

        • C:\APISETSCHEMA.DLL
          Filesize

          6KB

          MD5

          2f03490092c032392fb6ff635222b9b2

          SHA1

          77e86c4677b8670474bfb2dbc60a47e3b340a679

          SHA256

          951e57ba594507058366321ae29dc117cde9d3801a0535a704db4c7762690c81

          SHA512

          f2c0a9cf67ec21fa039f8930c260258dd93066a747c13e8a9d7f6fe947ac9b75d30c8184ff03fb87e23cf717c32d917bc05530763edd3dd645bf12c7b655f81b

        • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
          Filesize

          225KB

          MD5

          1e6e103853f388b3f17e694463df6a7a

          SHA1

          5565bf1249914cc90a4175f9618b7347199554d9

          SHA256

          e2d34973521f592e924b3039a23c787b5fc9befb60a999e72e444c66043e0852

          SHA512

          5ec8c7d190a89137a54455951d48b4f97275c518bce1d2bdc794589320ff5ffbba233a6108f24f75b4d7be961fd483b3420b471a798d1bff5386223fcf776e96

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          5c11fbc41fd240fe5b681e7d0d40adda

          SHA1

          733dce4772edabd61011acfeb47094c58a5ce22d

          SHA256

          a1b96234467b833cae2b53f4b3b41b46bf2d82b87b6ac11adfed0d38a970a85b

          SHA512

          42eba2c73bff630288491afa40a03be7ee9960a085d07124aace8c53105877fafa4cbc8b4f133a5fff6ecaa17c394813186d9c056dff2daddc68f334b75f3960

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          5145bbaa726c65538a266a0683bd695c

          SHA1

          10fde0a45c7356d538be644cf64d2ccfab5d5134

          SHA256

          8565af8445ff55420d05a68fbad41a321f34fcaab0bf11b9a956a10761b8f5b1

          SHA512

          08772f8fa1254a5f45d4d60be613c8711215582498718b0c8207c29456fc757e38d50739c1ad06fc29b508631430794bd239067dfb043171462bb75d96affc8f

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          1b7c64bde8f2b22f1b84fc016be577eb

          SHA1

          d40ea254b95e4c3f363592166bcc3c689d0ab331

          SHA256

          8b496197420e5b25f9776944f51fa9650cec698c204f028e0aeb1e4bda981b8c

          SHA512

          ef66f0648a0bae756827b8d89a673a18f800018a69f71793b8694b11f9f5a82d2ea750fde4157644d2f14b632d2fe2f4900a239541980677dafb79e971eb6e0f

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          21980d46d434ac697d188b4b2a8dea43

          SHA1

          b20ed107c9b0d44b82b3268446b238be3faca93c

          SHA256

          87840b94b29efd53e28b184cba12ecc481fa0ed58213c522e5eba6eff1729c94

          SHA512

          b1ce10e8ca96b272aa804d23bc0b24267ac290f5cc77b769699a0a07b498c36c8c0ec4b3c2f85743cf29459db9253082e698dc57a0514cc45154fbfde61bc42c

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          5a23f27ffbf53695978e91ee33220980

          SHA1

          0a55f2c011eec29c48847204c5dc916076a7b0bd

          SHA256

          8dc61feba7fe0db9ae6b531a73507695b38c04a4a11c972038012ac15517edbf

          SHA512

          66a6886208fb07c3b5b24d1cdb6651de1e51e8e995cd12999594fa7cea4f4830bbafadfd2b0b11f49509c27049392ed5ee7b2fd5dc880a124cd1ea5fc01453dc

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          92f76ff720d1b50a8b8b26ae8392ee35

          SHA1

          e14de148fd1aca213674959dcfc772804f3221d9

          SHA256

          a80a450479486a879a5223e55d771ac71ed3393400ee12021148f2a72e4705e5

          SHA512

          9e74191396bed0e6021aee20e57863520501ae16d2753b6c50b581656e19f1549f6b6cb39e8fda85ce79550775c549744a5607fe90051a97b86bed54aee836b0

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          cce3b2a6a5c20054f7bed5f71bf3d347

          SHA1

          17910c673fcc4677cea57df1e5fecd575de055d2

          SHA256

          67537c128cb65e7342a1590fdbccd8507f7ccdc8ebf212d8b2b603c65acaf437

          SHA512

          d75ea609a0ab934211dd2d9a1291fc7a2a1cfc87eb92f13d94638c3bae30fc620498a3aa6b924e93d83687005919a23ee18f36260a2d388005e8348a54a86c46

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          1a78c0459f09f67500da5c247c008f8b

          SHA1

          42574550d16f268b3de0f4a0f6c60f4c776d4775

          SHA256

          44302ff254833c7b66539ba226fa90d8c41825bd1ce2c2abe6a4be4bee5f810c

          SHA512

          cedce245cf2261105e3a9649849c9de32a92c99bc751c46ee92ec9ebc07dca1b2416cbf899e11fbc75086ed83deb25778554b62fc337612cb0dfcd65e9829db6

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          083105f437b6b182f445cffbbf384a13

          SHA1

          cdadc187c0ea92a27d9dd771e272661369cd3590

          SHA256

          c543008b3d28548a7aec14ec9915d2e475b8f22ef83b691591f93d45a7bf8c5f

          SHA512

          9e433d33691e7f1db1e04381bc4f62b8c96e3acbb96fd95b4fc57902ab81445996864abd55660cee3df60d589e22cdac305c5abb4e7788e2e3ccd5d5f43e27aa

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          c63f939231508fb607a8323649f55aeb

          SHA1

          36d864d521de89fa9a64f459f5c2fa9dbaa9544d

          SHA256

          2385c3155f1623ec17c7dd0a73ee7b199b13355f02b79903358a043deaf3cdd3

          SHA512

          9cb8ea0f50cef15dd3d34d41009d264935342a282684dbaa494a705a3d12b2012a88feb460c3497239ab5114f5acdb9ba433b388b1f9b76df9a82b8a00862821

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          35d69942f761a4b68a378e4dddfee15e

          SHA1

          9b7f4204a882dd63c7c0f3ca10f72950b7219923

          SHA256

          eb236f030bb33c1c32c0fac5494000c6323f2bb3f708c61faf4a6774b37d4288

          SHA512

          89a0ea8240b8effc3875169ee15dc70d12d0d6de9c20376fa32f3b3aaa3a3f24751a848a853766c620423f7d5b4d0d1860a77a52c6dae4eb7a34ea9447423c83

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          0cde17ce7e84a0cf35a4518ee4fbbf63

          SHA1

          569475596a7a0f14afe9688e1a06dc8e87054302

          SHA256

          d0a378d488b23f510268a356c9f74840a4eea38c81c14761db04b86a996c1895

          SHA512

          54329d18b77cadeb310e2631124f0c0cd92a6d74e81a109a2357f0a200f8e28252ca7524d3f39afdb7284dc023544d4930f8b949c7e889df8b9284d7d2ff5505

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          6a1262077ad83a7f4df16008d67a0d6b

          SHA1

          575aa400c2efd7b2c5dea68ea635d32d7dea3cbe

          SHA256

          054689aacc24bf5958a8524032c6c0ab31d1f1786ac67ea9faac77bd61e9b1a7

          SHA512

          fd33c27099959e2dca7056551672cb6e9f36f6b91dfbd0fa91e01ddbda95d337b17a2018fbdab3b59a92f6ddbfd05700dc27b986afb3a0174a02787f49e77cc6

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          56b58579e8940db03a2b425bc4699f32

          SHA1

          5d2952e370f395a51628986907eb340a1d621d96

          SHA256

          b575c7bafc764031bd3fde47ea7f64152aad5430aa2d6ea37ed170782e83a746

          SHA512

          b018a86189857cd4c3daf147e68c532beb1d90089451b17a83d621a27d392eab60ccd768b046bf3e2e2db7aed36aeb714c7c4abc88c16467e47ddc103d797a67

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          f128a4619a125d459bad1c1a1ea275e1

          SHA1

          df36cac439ab50d793b7a254afc12cb2e8eeb1b4

          SHA256

          fed1a5efaade1591b15c4afe343eadc37aed47379b441b4a429f5ab1ac7e5002

          SHA512

          4935302ca20273f42402d29e1a1b9f1cd291a9697737b2829a50524d7f84c66501a7179ade3de81dca49f5a3a3e59fcbd3f24403d80b2306e85b81b8d249c283

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          905da612e5934dadb5dd85724fdb8d6c

          SHA1

          fa857eb43649a4f609e811fdda156a972f1810a6

          SHA256

          e4bdab48bc44b44b193c16a5dbbc931062dd04d584d47f479325ff73460d09d2

          SHA512

          4e526a6580dc9da1802b3dd4a9e9d99ad9ae3c1117ddb619a549ee31ffc558ec263e7ddbd3cbe8ea21cd726170d551f4e7795475557e846d62f785cec186570b

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          46b4d6c91cb4256e40452c0f05cdd227

          SHA1

          de20ffb510618536527b9f87f4f2136a3104c883

          SHA256

          9d4fba4bf33282beeb41318c652c7def96b27c8ef4e6c0cecddaa79522e5716a

          SHA512

          60f7f917403849c1ffc39a016034b1011c582be45358918a63dfbeb02a120d8fad58b9cdc3d5d1fa775f885f3f2047a198318b88ffa9e0de7085c48a279af702

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          f366a273b4abfffe7ecb2d5f71c4aa52

          SHA1

          ce9ff950184d853beda71eccc741c0e59ee779cd

          SHA256

          867e04c04e7281a9948804f774e0868cbf935a3e66aeda911e245b7232963b26

          SHA512

          862d4f1d95f835dcce7d9317f09c360fde1ba0f3b021351226ad1702452078e653cb77533edca24030a0c202244e0fc26843ba28d29acbf5dd4542dc9b711d79

        • C:\Users\Admin\AppData\Roaming\Adminlog.dat
          Filesize

          15B

          MD5

          bf3dba41023802cf6d3f8c5fd683a0c7

          SHA1

          466530987a347b68ef28faad238d7b50db8656a5

          SHA256

          4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

          SHA512

          fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

        • C:\Windows\SysWOW64\install\minijuego.exe
          Filesize

          329KB

          MD5

          f753d0e1e3c5b7540a76a27c27b9765a

          SHA1

          73b6a4020d07f4d0a2a1352b504436bab24c990f

          SHA256

          66b00c7969870f6f39f15126c654e0859297412ecfdd3481965426cf5b4df70a

          SHA512

          acbf48633d332c565deca1d4a528119b0547e336bdb56616722db32df2685383ff130b5d50bb4e89eb673cc07b5b663c66335a894c37b6b3245807c3ee158aa2

        • memory/548-123-0x0000000000400000-0x0000000000410000-memory.dmp
          Filesize

          64KB

        • memory/860-131-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/1064-103-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/1064-13-0x0000000010410000-0x0000000010475000-memory.dmp
          Filesize

          404KB

        • memory/1064-9-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/1064-8-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/1064-7-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/1064-4-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/1884-0-0x0000000000400000-0x0000000000410000-memory.dmp
          Filesize

          64KB

        • memory/1884-6-0x0000000000400000-0x0000000000410000-memory.dmp
          Filesize

          64KB

        • memory/2156-128-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/2156-121-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/3320-125-0x0000000000400000-0x0000000000410000-memory.dmp
          Filesize

          64KB

        • memory/3320-106-0x0000000000400000-0x0000000000410000-memory.dmp
          Filesize

          64KB

        • memory/5052-148-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB

        • memory/5052-79-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB

        • memory/5052-18-0x0000000000570000-0x0000000000571000-memory.dmp
          Filesize

          4KB

        • memory/5052-19-0x0000000000400000-0x0000000000410000-memory.dmp
          Filesize

          64KB

        • memory/5052-17-0x00000000001E0000-0x00000000001E1000-memory.dmp
          Filesize

          4KB