Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-04-2024 01:32

General

  • Target

    f9357573750f3695088b529c3b55f705_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    f9357573750f3695088b529c3b55f705

  • SHA1

    3cc8fb5123fc45d82ff71318a1902e0b33300139

  • SHA256

    04aeb8e65ce22aed9cf961ea1fa22615fa1b5566294d53e8d4dcd93d575e8560

  • SHA512

    e308a4f3889573f64eb8d425e3c2eb45a6320e9a59e5911fbf0abc17d83f61acc94741a3a53ff863e04bb9ae1682c2bc24b20ac3f57cf04ff8aff30d11c8ce61

  • SSDEEP

    24576:dX7Ii6S9baGrDjLP/yexVS2QsvdjwVqeUu87NcQkbFfnSxUSyTwm:ZIi6S9LX3zS27NbNlkFfnyQTw

Malware Config

Extracted

  • Family
    cybergate
  • Version
    2.7 Final
  • Botnet
    NET
  • C2
    new3style.no-ip.biz:2011
  • Mutex
    ***MUTEX***

Attributes

  • enable_keylogger: true
  • enable_message_box: false
  • ftp_directory: ./logs/
  • ftp_interval: 30
  • injected_process: explorer.exe
  • install_dir: Windir
  • install_file: svchost.exe
  • install_flag: true
  • keylogger_enable_ftp: false
  • message_box_caption: texto da mensagem
  • message_box_title: título da mensagem
  • password: new3style
  • regkey_hkcu: HKCU
  • regkey_hklm: HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  • Identifies Wine through registry keys (2 TTPs, 1 IoC)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Themida packer (4 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE (depth 1, PID 1400)
    Command line: C:\Windows\Explorer.EXE
    • C:\Users\Admin\AppData\Local\Temp\f9357573750f3695088b529c3b55f705_JaffaCakes118.exe (depth 2, PID 2216)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f9357573750f3695088b529c3b55f705_JaffaCakes118.exe"
      Signatures triggered:
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\explorer.exe (depth 3, PID 2516)
        Command line: explorer.exe

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic               | Technique                          | Count | ID
  Persistence          | Boot or Logon Autostart Execution  | 3     | T1547
  Persistence          | Registry Run Keys / Startup Folder | 3     | T1547.001
  Privilege Escalation | Boot or Logon Autostart Execution  | 3     | T1547
  Privilege Escalation | Registry Run Keys / Startup Folder | 3     | T1547.001
  Defense Evasion      | Modify Registry                    | 3     | T1112
  Defense Evasion      | Virtualization/Sandbox Evasion     | 1     | T1497
  Discovery            | Query Registry                     | 1     | T1012
  Discovery            | Virtualization/Sandbox Evasion     | 1     | T1497
Downloads

  Memory dump                                                         | Filesize
  memory/1400-11-0x0000000002E40000-0x0000000002E41000-memory.dmp    | 4KB
  memory/2216-6-0x0000000004260000-0x0000000004261000-memory.dmp     | 4KB
  memory/2216-7-0x00000000040D0000-0x00000000040D1000-memory.dmp     | 4KB
  memory/2216-120-0x0000000004250000-0x0000000004251000-memory.dmp   | 4KB
  memory/2216-119-0x00000000042A0000-0x00000000042A1000-memory.dmp   | 4KB
  memory/2216-5-0x0000000004240000-0x0000000004241000-memory.dmp     | 4KB
  memory/2216-4-0x0000000002070000-0x0000000002071000-memory.dmp     | 4KB
  memory/2216-2-0x0000000004080000-0x0000000004081000-memory.dmp     | 4KB
  memory/2216-1-0x0000000000400000-0x0000000000613000-memory.dmp     | 2.1MB
  memory/2216-2714-0x0000000000400000-0x0000000000613000-memory.dmp  | 2.1MB
  memory/2216-3-0x00000000040A0000-0x00000000040A1000-memory.dmp     | 4KB
  memory/2216-0-0x0000000000400000-0x0000000000613000-memory.dmp     | 2.1MB
  memory/2216-118-0x00000000040C0000-0x00000000040C1000-memory.dmp   | 4KB
  memory/2216-117-0x00000000040B0000-0x00000000040B1000-memory.dmp   | 4KB
  memory/2216-116-0x0000000004090000-0x0000000004091000-memory.dmp   | 4KB
  memory/2216-115-0x00000000040E0000-0x00000000040E1000-memory.dmp   | 4KB
  memory/2216-121-0x0000000004280000-0x0000000004281000-memory.dmp   | 4KB
  memory/2216-2712-0x0000000000400000-0x0000000000613000-memory.dmp  | 2.1MB
  memory/2516-2710-0x00000000000E0000-0x00000000000E1000-memory.dmp  | 4KB