Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-04-2024 03:05

General

  • Target

    f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe

  • Size

    276KB

  • MD5

    f95d0beafe5a035fb1cd6073ae4a76ae

  • SHA1

    5969347c5b1f4156091b54edc834c997054cef82

  • SHA256

    c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8

  • SHA512

    3205e94f491f6032b33aa00ec78a37a07b02e08c308a1172d6b7b5605d6acd9d07d8bb36bd86d60d27147cb9496d9d37aff84e81d79363e5d59385c5ca0579b0

  • SSDEEP

    6144:Hk4qmM6KhriUJ5qPFYLSuq0MFGsPIkEkaeXt8rCVgPm:E9XrrEYLlJUIk3X6+S

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Powers

C2

hackersgratis.no-ip.biz:1338

hackersgratis.no-ip.biz:81

hackersgratis.no-ip.biz:1533

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Win32

  • install_file

    services.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    59255433

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4092
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Modifies Installed Components in the registry
          PID:2484
        • C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe"
          3⤵
          • Checks computer location settings
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1720
          • C:\Windows\SysWOW64\Win32\services.exe
            "C:\Windows\system32\Win32\services.exe"
            4⤵
            • Executes dropped EXE
            PID:1564
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 572
              5⤵
              • Program crash
              PID:3324
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1564 -ip 1564
      1⤵
        PID:3896

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      • Persistence
        Boot or Logon Autostart Execution (2) T1547
        Registry Run Keys / Startup Folder (2) T1547.001

      • Privilege Escalation
        Boot or Logon Autostart Execution (2) T1547
        Registry Run Keys / Startup Folder (2) T1547.001

      • Defense Evasion
        Modify Registry (2) T1112

      • Discovery
        Query Registry (1) T1012
        System Information Discovery (2) T1082

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        229KB

        MD5

        57baee9c40963a02b29033e265168212

        SHA1

        f47e2dcd9e95b1186b2db2bab3ce79770a21db0b

        SHA256

        3be31be6ddb05484e59ead85d9aeda9bbd77ce4aae6a94c57b405a3de5cc382f

        SHA512

        77125bd0457624b519079a9e135e534633f6f2b8fae7986995d5d9cf15438c31848bd154b3cd3a92807f983bca78abe2d23954e571fc524a0425fb8b1a8cba04

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        08db976670b354a30835611d4bfa4ac4

        SHA1

        b5ceba1db6e4de229548f9e7c21a8a5e2317a216

        SHA256

        1dadb25266433569412f0ac2624911e61fd959c4c04dab10751159d73753e78e

        SHA512

        3a63cb6f675c3e734a39638f9a6ee5b787dfd80dd8e49f6e0687df6c90e4ccca703cbf99d61cb5ccb57e87cb3fbd89c02f8bc1adb64180ade20a457be96743c7

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        3fe9727de3006525b31b42a305601c43

        SHA1

        6399bcd13d19f68c89f2e2d97bbe4a53af125474

        SHA256

        7f8d2fd30f735a1aad547cdfe98a1cdb42a3bfa654c104bf87c237aace7ee794

        SHA512

        a84757891931c488a58a194e6e2527b0650e7f22e7ac740f7218719669551c068d26131850749878fdbae802558e103f3a01a2146a6ed2ef6f5776e75d6c3812

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        57aa49514f026cca6b3c7d60e371e6ca

        SHA1

        858a2cd012cbfd7a57b06b2a33d33fc8c4fbf7f4

        SHA256

        a64e353f4e592fa6f4069ba40720746cfa18b7d7f4db6b4100a77c856e056cf0

        SHA512

        dc21e8c470b15b5e552f09f3cd0dc0108466d90590e33b2b859b8030e6bdb35264fa025e15ea08ea66563d0c19577665578fee814fc9c846e6d7dd52f482d4a1

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        6f2f6ac6e2f74ef8a5cfb4ea068f4c5a

        SHA1

        8c082e8704eb8f0bd8fdb3e0928ec5bed77b2df2

        SHA256

        974fae232046768f7d1d43ea96c057411c800ebaf5ed7fa66879f56f876bd65f

        SHA512

        92619a2bd384e1dcf0f57c34304c0794c9fcbf082ce6db94aa7bedfe36bbc476b11eb1e8ee31aa3fb5cd7a1fd6ebd2f2be0df5d9d5fc792a2b19c85d345f1718

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        04c075218a6190a3504974c4af8f46c1

        SHA1

        8c92c808575089d161b7b67f3fe5058ec826a8da

        SHA256

        66a086ea485ec1e033dd003e8b7bbdf4e70cd4e0ab792680c4ed7d9be7cf5136

        SHA512

        4423d3330c8ff5cddb894c82ef2fb0302c2d8b6569ed2430b7d36b71ab4f5a024c15347ad08def11a5636646ae1d7becd15728a2f86c574627576b4cf9f2c08b

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        796f6a1afad8feba1e545bd24e325b82

        SHA1

        37c31b65370888f4b5f2caf0a0d9d1cada7d00cc

        SHA256

        39e8e945081db463260e8f12b238b6d6d2801cf6fe6ab1756ff8bf201af31c08

        SHA512

        fc2da8598d6e904654828b132867f33a935c1a89f572b771a08b1c30b4689260c9a868c032106e960ed022e3e0bc41669347e0d90b3d5b032f9d9674d91b4858

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        cf531f5aef0e28a380e618468f0ef544

        SHA1

        cc4f7ec429e9c231e76d8b79bafd47e49bcfb21a

        SHA256

        83aca2784e274e6978c40106b6c6ac8f0d0b8c3344bc578e045b05ba00d1af8a

        SHA512

        847dd2d54f3c6cf6a6b7f7367e3986e8ecbfa49f2e313f45cd1934f03635282ca6fec6f25be5c48e2ac0ea2908bc820762a8a2adf1e239fa9d779d61951f4b04

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        d23c537b3f6f55753e521048d8868fff

        SHA1

        bdbb759a2b0c3e3d64a99cede816eb62abc658be

        SHA256

        c18d000fbeb149eeefaca8658466d47b93c2d01042577b6c480d51ede6322303

        SHA512

        ea66033b94d03761fd7b768edb79c3366a78177efffdcb26bddebe52635d86d1af45b9a5dae8c5f4746077241c8a290411b6e14d245c6259181ad59422801980

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        461758c695e6084836ab6bad73de76fe

        SHA1

        d066aa11e6dbcf381d5ebbed1986f6cb6984f29d

        SHA256

        d9a54d1bb52c12ad02b58ae0b75d913623dbdecdf52de1d2dbc7d861ecab34e3

        SHA512

        27d54b7e216e13d582ed0d46c6facdf69ea994f51e10653fa336b0dbd8bcffb1fc3ae4ad73e5aaf619189ec8fa11350cf5c10303ec19affcd16e4bd485ab0cb1

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        e1c17d2a61355a70a67876a1857e719f

        SHA1

        8ef8d49008bb6f838227dda6e823e935e2f5301a

        SHA256

        ce58f19cee0edf1b9beed57a3808161e7dc39bbd191908ec7379528dabd16c6b

        SHA512

        ec0cd42544b84627ad94c93857b1be2c1931e5dc1ed6ca21e344dce4efc5109fa0a88582e14e836f60e8b3483da30ddf63c93046feb0bb7b281f9c6ea2d9ba0f

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        0b224c63e2a4e19c665215b671307127

        SHA1

        858585ff709ff3848e6362cefe6c5d457d9f8b4e

        SHA256

        b86454d1c4a90dc00be4a8aeb913de67cf4b95df3868790de7a78e1e062ed63a

        SHA512

        65f222686b76109ad6316bbd46bea73e4dd1017d4a3201a1151be7f36896b513851c4e32a130d600a5c2af803911088c981af5bc9acd52e24bc879138285c39b

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        d8fc2eb70b3c68f846cc3bf479a74487

        SHA1

        94659d10dbdc167b08f251aa475ed68a10be91d3

        SHA256

        bc1833986cc84cefdb73b29e52bcbff22e16fe76c076578ac2dde95f7eed40e3

        SHA512

        4335a95c97c5fc5ed17683576fb5f2352c80cc2103fc86d81bfb51aed2a4f2422b87b51d141b7d58a281ce8a6f95995f5e39ff3471fff2554606163ca510ec88

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        7a0c116b6ffaed03f924a8163ff018c3

        SHA1

        6e4fd807fdff68a4c59353cc2fa431eb12069d3e

        SHA256

        35215a98bde83dc21a049901f92bff80be9bfbfb1386f996e347482010d4f03b

        SHA512

        f09f38668c2c5dcf8e0be147e30aa97a3a9078961e785f43e0a4b390a6effd2b9255c964068365e6fa3208d902cd6577d40c012c6b14fb135f97445872a88797

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        4fb0a0c917c6461fc88fbd283700c597

        SHA1

        efd7784a0a695a8412252407bcde98ee65a4998f

        SHA256

        35b981b47e65250aa3f67b7efd8e6ff12d8dcac679b78b59c06c028dcc362811

        SHA512

        405a8f89b4ac7d39671b3c9c4ae0551f2a9b24a87e764e084a7a479a07655ef80fab9da508319a7540c7e4ee4716bda624f3996d381762a8182569f07f515ed8

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        4411608a726a822805ceaa5057f233c1

        SHA1

        d44d35f2089e2f5019037669844233040cccf932

        SHA256

        3e7b71b95f023fdfcae37fd4ad6bbccc9f8c9120afca1dff3126fe8b50157bf6

        SHA512

        24b17445dd730d7a15b503f2bd1c735d3c36fe3779fece9d232a1fd692eac47d1688680b3b95f23088f62ca06efaca36c047409e2cdacb1fa4b1321e71955baa

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        c07a95373d8e57ece4ed7c3b76081a45

        SHA1

        143e61fbea59f248e0a00bdf06ba4fcc571e5fa1

        SHA256

        fa08e0b0c9c3441f2731573f784a05e2c994fd6d3ae2e03668611b7a06fac245

        SHA512

        cf6e486656de9700573c6b8f22569ca5eabe249cf86149b979cbe0adf294d23ea3a3beb9fa5d7d5b56e4d3ccfe2455374008458c31441afde6541c439802f226

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        2fdd68081cf7f5d15e2b8b365dc746c4

        SHA1

        1bff0b8e37f4ed1743f362ba3908fca7c051f8fd

        SHA256

        60523904008f301e580b786aec7998e310e43f40ea64b03215a4cfa99b0012d2

        SHA512

        7fc89869434a4aeb6b746f3d6edf13d171f3b41b0fc4bfecddafcf31064c60b5985ed6555583aef1fb2d42bc93fff675b9eac572fd8d20053bceac77abef6858

      • C:\Users\Admin\AppData\Roaming\logs.dat
        Filesize

        15B

        MD5

        e21bd9604efe8ee9b59dc7605b927a2a

        SHA1

        3240ecc5ee459214344a1baac5c2a74046491104

        SHA256

        51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

        SHA512

        42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

      • C:\Windows\SysWOW64\Win32\services.exe
        Filesize

        276KB

        MD5

        f95d0beafe5a035fb1cd6073ae4a76ae

        SHA1

        5969347c5b1f4156091b54edc834c997054cef82

        SHA256

        c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8

        SHA512

        3205e94f491f6032b33aa00ec78a37a07b02e08c308a1172d6b7b5605d6acd9d07d8bb36bd86d60d27147cb9496d9d37aff84e81d79363e5d59385c5ca0579b0

      • memory/1564-157-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/1720-75-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/1720-1281-0x00000000240F0000-0x0000000024152000-memory.dmp
        Filesize

        392KB

      • memory/1720-138-0x00000000240F0000-0x0000000024152000-memory.dmp
        Filesize

        392KB

      • memory/2484-67-0x0000000003D20000-0x0000000003D21000-memory.dmp
        Filesize

        4KB

      • memory/2484-69-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

      • memory/2484-68-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

      • memory/2484-159-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

      • memory/2484-9-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
        Filesize

        4KB

      • memory/2484-8-0x0000000000B30000-0x0000000000B31000-memory.dmp
        Filesize

        4KB

      • memory/4092-90-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/4092-0-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/4092-137-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/4092-64-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

      • memory/4092-4-0x0000000024010000-0x0000000024072000-memory.dmp
        Filesize

        392KB