Malware Analysis Report

2024-09-22 09:43

Sample ID 240421-cpqa6agg3w
Target fe322d3f592d0d527909c78b19c9723c_JaffaCakes118
SHA256 e7c017101889f4560a4762d9d8ec6d52df0fd547cc304789c8ecdfb585a52fac
Tags
cybergate chrome persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e7c017101889f4560a4762d9d8ec6d52df0fd547cc304789c8ecdfb585a52fac

Threat Level: Known bad

The file fe322d3f592d0d527909c78b19c9723c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate chrome persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

UPX packed file

Adds Run key to start application

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-21 02:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-21 02:15

Reported

2024-04-21 02:17

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{57W8XE75-QVS0-3EQK-S03K-8K83IMX8LU7U} C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57W8XE75-QVS0-3EQK-S03K-8K83IMX8LU7U}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe Restart" C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3224 -ip 3224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3224 -ip 3224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 552

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
BE 2.17.197.240:80 tcp
US 8.8.8.8:53 67.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3224-1-0x0000000000400000-0x0000000000459000-memory.dmp

memory/3224-2-0x0000000000600000-0x0000000000604000-memory.dmp

memory/3224-3-0x0000000002200000-0x0000000002225000-memory.dmp

memory/3224-4-0x0000000002510000-0x0000000002520000-memory.dmp

memory/3224-5-0x0000000002700000-0x0000000002710000-memory.dmp

memory/3224-6-0x0000000077302000-0x0000000077303000-memory.dmp

memory/3224-7-0x0000000002310000-0x0000000002320000-memory.dmp

memory/3224-8-0x0000000077303000-0x0000000077304000-memory.dmp

memory/3224-9-0x0000000002510000-0x0000000002520000-memory.dmp

memory/3224-10-0x0000000000400000-0x0000000000459000-memory.dmp

memory/3224-12-0x0000000000400000-0x0000000000459000-memory.dmp

memory/3224-13-0x0000000002200000-0x0000000002225000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-21 02:15

Reported

2024-04-21 02:17

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{57W8XE75-QVS0-3EQK-S03K-8K83IMX8LU7U} C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57W8XE75-QVS0-3EQK-S03K-8K83IMX8LU7U}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe Restart" C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe"

Network

N/A

Files

memory/2756-0-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2756-1-0x00000000003B0000-0x00000000003B4000-memory.dmp

memory/2756-3-0x0000000001F60000-0x0000000001F70000-memory.dmp

memory/2756-4-0x00000000775B0000-0x00000000775B1000-memory.dmp

memory/2756-2-0x00000000005F0000-0x0000000000615000-memory.dmp

memory/2756-5-0x00000000775AF000-0x00000000775B0000-memory.dmp

memory/2756-7-0x00000000775B1000-0x00000000775B2000-memory.dmp

memory/2756-8-0x0000000001F10000-0x0000000001F20000-memory.dmp

memory/2756-6-0x0000000000800000-0x0000000000810000-memory.dmp

memory/2756-9-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2756-12-0x00000000005F0000-0x0000000000615000-memory.dmp

memory/2756-11-0x0000000000400000-0x0000000000459000-memory.dmp