Malware Analysis Report

2024-09-22 09:37

Sample ID 240620-fl62aavbpl
Target 02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118
SHA256 f4933c76defb878e184a15d92ad86a7d5b7d0b1a4e3bbf62259f8078687b92bc
Tags
cybergate bootkit persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f4933c76defb878e184a15d92ad86a7d5b7d0b1a4e3bbf62259f8078687b92bc

Threat Level: Known bad

The file 02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate bootkit persistence stealer trojan

CyberGate, Rebhip

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 04:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 04:58

Reported

2024-06-20 05:01

Platform

win7-20240508-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2688 (identical event recorded 11 times) N/A C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 04:58

Reported

2024-06-20 05:01

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 916 (identical event recorded 12 times) N/A C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\02ffdd8ae33338f3cc1ec6307db007ca_JaffaCakes118.exe

Network

Files
