Analysis
- max time kernel: 142s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18-04-2024 12:03
Static task: static1
Behavioral task: behavioral1
- Sample: f7f41c9bee49e0e2c4f94f41f3037b1c_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: f7f41c9bee49e0e2c4f94f41f3037b1c_JaffaCakes118.exe
- Size: 629KB
- MD5: f7f41c9bee49e0e2c4f94f41f3037b1c
- SHA1: 9c61d8c592f77302b79a6e6cead5801646be5dc4
- SHA256: ad875aaa6ebc8aa0b7fce88983abbb60414f42b57176c16e33fee7792c74a225
- SHA512: 5a1ab0f8a48c80a8026a762cb0c4f3e05838ac41b6a89b5c4c8bb616ecdd2178aac5e95154bc67c09dc93d3467d0c63aa13b8a7949320299c498dad82142e7f1
- SSDEEP: 12288:dX0ivl8HHFL/KBmEASU1LBJDvSM/Ie+YbNuOIIAao4m5YScO:dkQEHFuEECLPiS5qIAhT
Malware Config
Extracted
- Family: cybergate
- Version: v1.07.5
- Botnet: Cyber
- C2: sanderb12.no-ip.biz:90
- Mutex: 0CWBOEMW71N663
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: Internet Explorer
- install_file: iexplorer.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: This program is not a valid Frame Network .NET file!
- message_box_title: Error
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: WindowsUpdateApplication.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Internet Explorer\\iexplorer.exe" (process: WindowsUpdateApplication.exe)
- Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: WindowsUpdateApplication.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Internet Explorer\\iexplorer.exe" (process: WindowsUpdateApplication.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: WindowsUpdateApplication.exe)
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: WindowsUpdateApplication.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1SL057WW-2N4U-V410-5MTD-T1EC671BX7P1} (process: WindowsUpdateApplication.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1SL057WW-2N4U-V410-5MTD-T1EC671BX7P1}\StubPath = "C:\\Windows\\system32\\Internet Explorer\\iexplorer.exe Restart" (process: WindowsUpdateApplication.exe)
Executes dropped EXE (1 IoC)
Processes: WindowsUpdateApplication.exe
- pid 3036: WindowsUpdateApplication.exe
Loads dropped DLL (3 IoCs)
Processes: WindowsUpdateApplication.exe
- pid 3036: WindowsUpdateApplication.exe
- pid 3036: WindowsUpdateApplication.exe
- pid 3036: WindowsUpdateApplication.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: WindowsUpdateApplication.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Internet Explorer\\iexplorer.exe" (process: WindowsUpdateApplication.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Internet Explorer\\iexplorer.exe" (process: WindowsUpdateApplication.exe)
Drops file in System32 directory (2 IoCs)
Processes: WindowsUpdateApplication.exe
- File created: C:\Windows\SysWOW64\Internet Explorer\iexplorer.exe (process: WindowsUpdateApplication.exe)
- File opened for modification: C:\Windows\SysWOW64\Internet Explorer\iexplorer.exe (process: WindowsUpdateApplication.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: WindowsUpdateApplication.exe
- pid 3036: WindowsUpdateApplication.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: WindowsUpdateApplication.exe
- pid 3036: WindowsUpdateApplication.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: f7f41c9bee49e0e2c4f94f41f3037b1c_JaffaCakes118.exe, WindowsUpdateApplication.exe
- PID 2872 wrote to memory of 3036 (pid 2872, process f7f41c9bee49e0e2c4f94f41f3037b1c_JaffaCakes118.exe, target process WindowsUpdateApplication.exe); repeated
- PID 3036 wrote to memory of 1256 (pid 3036, process WindowsUpdateApplication.exe, target process Explorer.EXE); repeated
The 64 IoCs listed under this signature are verbatim repeats of these two rows.
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
2. C:\Users\Admin\AppData\Local\Temp\f7f41c9bee49e0e2c4f94f41f3037b1c_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f7f41c9bee49e0e2c4f94f41f3037b1c_JaffaCakes118.exe"
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Temp\WindowsUpdateApplication.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\\WindowsUpdateApplication.exe
   - Adds policy Run key to start application
   - Modifies Installed Components in the registry
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\explorer.exe
   Command line: explorer.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdateApplication.exe
  Filesize: 289KB
  MD5: d16582e1490fb59b4bd74c6d5c70c6d2
  SHA1: ff84c4d4609ed1db75ab5938b18d75641e785c42
  SHA256: 60744996b8e911086f5e005979587cb2c84c4a1fc90e8e8c6c180a38bbab7858
  SHA512: 1bdb2cc25d0ec90fc4913668cd2240a4f76abde950cff5538eac9a068b0218879e1869b4892450a30ce89263da9b317506ec5c37fc50ff5fbadcb7619ee6cd4b
- memory/472-261-0x00000000000B0000-0x00000000000B1000-memory.dmp (Filesize: 4KB)
- memory/472-263-0x0000000000030000-0x0000000000031000-memory.dmp (Filesize: 4KB)
- memory/1256-15-0x0000000002130000-0x0000000002131000-memory.dmp (Filesize: 4KB)
- memory/2872-0-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp (Filesize: 9.6MB)
- memory/2872-1-0x0000000001F70000-0x0000000001FF0000-memory.dmp (Filesize: 512KB)
- memory/2872-2-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp (Filesize: 9.6MB)
- memory/2872-3-0x0000000001F70000-0x0000000001FF0000-memory.dmp (Filesize: 512KB)
- memory/2872-550-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp (Filesize: 9.6MB)