Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2024 12:03

General

  • Target

    f7f41c9bee49e0e2c4f94f41f3037b1c_JaffaCakes118.exe

  • Size

    629KB

  • MD5

    f7f41c9bee49e0e2c4f94f41f3037b1c

  • SHA1

    9c61d8c592f77302b79a6e6cead5801646be5dc4

  • SHA256

    ad875aaa6ebc8aa0b7fce88983abbb60414f42b57176c16e33fee7792c74a225

  • SHA512

    5a1ab0f8a48c80a8026a762cb0c4f3e05838ac41b6a89b5c4c8bb616ecdd2178aac5e95154bc67c09dc93d3467d0c63aa13b8a7949320299c498dad82142e7f1

  • SSDEEP

    12288:dX0ivl8HHFL/KBmEASU1LBJDvSM/Ie+YbNuOIIAao4m5YScO:dkQEHFuEECLPiS5qIAhT

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

sanderb12.no-ip.biz:90

Mutex

0CWBOEMW71N663

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Internet Explorer

  • install_file

    iexplorer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    This program is not a valid Frame Network .NET file!

  • message_box_title

    Error

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1256
      • C:\Users\Admin\AppData\Local\Temp\f7f41c9bee49e0e2c4f94f41f3037b1c_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\f7f41c9bee49e0e2c4f94f41f3037b1c_JaffaCakes118.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdateApplication.exe
          C:\Users\Admin\AppData\Local\Temp\\WindowsUpdateApplication.exe
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
              PID:472

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Persistence

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      3
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      3
      T1547.001

      Defense Evasion

      Modify Registry

      3
      T1112

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdateApplication.exe
        Filesize

        289KB

        MD5

        d16582e1490fb59b4bd74c6d5c70c6d2

        SHA1

        ff84c4d4609ed1db75ab5938b18d75641e785c42

        SHA256

        60744996b8e911086f5e005979587cb2c84c4a1fc90e8e8c6c180a38bbab7858

        SHA512

        1bdb2cc25d0ec90fc4913668cd2240a4f76abde950cff5538eac9a068b0218879e1869b4892450a30ce89263da9b317506ec5c37fc50ff5fbadcb7619ee6cd4b

      • memory/472-261-0x00000000000B0000-0x00000000000B1000-memory.dmp
        Filesize

        4KB

      • memory/472-263-0x0000000000030000-0x0000000000031000-memory.dmp
        Filesize

        4KB

      • memory/1256-15-0x0000000002130000-0x0000000002131000-memory.dmp
        Filesize

        4KB

      • memory/2872-0-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp
        Filesize

        9.6MB

      • memory/2872-1-0x0000000001F70000-0x0000000001FF0000-memory.dmp
        Filesize

        512KB

      • memory/2872-2-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp
        Filesize

        9.6MB

      • memory/2872-3-0x0000000001F70000-0x0000000001FF0000-memory.dmp
        Filesize

        512KB

      • memory/2872-550-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp
        Filesize

        9.6MB