Malware Analysis Report

2024-09-22 09:12

Sample ID 240621-3dgsravfmb
Target 002c97086073bcdf6039973287a23635_JaffaCakes118
SHA256 48e0b6f0c80584a30e3af4a58bbfba0bb4daf2c72cad888b00d8418d78a87ad7
Tags: cybergate w stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 48e0b6f0c80584a30e3af4a58bbfba0bb4daf2c72cad888b00d8418d78a87ad7

Threat Level: Known bad

The file 002c97086073bcdf6039973287a23635_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate w stealer trojan

CyberGate, Rebhip

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-21 23:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-21 23:23
Reported: 2024-06-21 23:26
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Kryptonite.exe | N/A
N/A | N/A | C:\Windows\111.exe | N/A
N/A | N/A | C:\Windows\111.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2176 set thread context of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Kryptonite.exe | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\111.exe | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\111.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3028 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | C:\Windows\Kryptonite.exe
PID 3028 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | C:\Windows\Kryptonite.exe
PID 3028 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | C:\Windows\Kryptonite.exe
PID 3028 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | C:\Windows\Kryptonite.exe
PID 3028 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | C:\Windows\111.exe
PID 3028 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | C:\Windows\111.exe
PID 3028 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | C:\Windows\111.exe
PID 3028 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | C:\Windows\111.exe
PID 2176 wrote to memory of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe
PID 2176 wrote to memory of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe
PID 2176 wrote to memory of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe
PID 2176 wrote to memory of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe
PID 2176 wrote to memory of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe
PID 2176 wrote to memory of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe
PID 2176 wrote to memory of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe
PID 2176 wrote to memory of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe
PID 2176 wrote to memory of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe
PID 2176 wrote to memory of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe
PID 2176 wrote to memory of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe
PID 2176 wrote to memory of 2648 | N/A | C:\Windows\111.exe | C:\Windows\111.exe

Processes

C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe"

C:\Windows\Kryptonite.exe

"C:\Windows\Kryptonite.exe"

C:\Windows\111.exe

"C:\Windows\111.exe"

C:\Windows\111.exe

C:\Windows\111.exe

Network

N/A

Files

C:\Windows\Kryptonite.exe

MD5 544f56f393eb5cd7c218bab8e9bc8bfd
SHA1 0b2b743f55c70de720a1095b1fbb69fe780058e5
SHA256 8cc2225c42941d1546f1f8d8f0f1771ab6928339a9b140ff7c875a177bbb4e3b
SHA512 6827dc484a8c6ea65aab65fbc4b58ff3979331d28dca7ff12f908a277934fe2656d00a8a87262534194d90c859896a06f361f2430dba780887fe7d9cd88b42b0

C:\Windows\111.exe

MD5 7dc6cfcfbbc42c597ca18216cad9ffc9
SHA1 8e7c10b41821a9723a2b0259d1d7c410a0e8d855
SHA256 be8ef5a37e1171c02716d0c25ef333a4a8fa3aac95ede79aafc19b4afe4e8729
SHA512 b2233bfd048ac3d61ef6c815249d9faad50bd7517d54e82a3256cca5fe22de36f77ab448004a751a08f94c6847a8a1fbceaab30f82fbd585cc2bd243518d5771

memory/2012-14-0x00000000739B1000-0x00000000739B2000-memory.dmp

memory/2012-17-0x00000000739B0000-0x0000000073F5B000-memory.dmp

memory/2176-16-0x00000000739B0000-0x0000000073F5B000-memory.dmp

memory/2176-15-0x00000000739B0000-0x0000000073F5B000-memory.dmp

memory/2012-18-0x00000000739B0000-0x0000000073F5B000-memory.dmp

memory/2648-29-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2648-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2648-26-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2648-25-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2648-24-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2648-22-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2648-21-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2648-20-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2648-19-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2176-31-0x00000000739B0000-0x0000000073F5B000-memory.dmp

memory/2012-32-0x00000000739B0000-0x0000000073F5B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-21 23:23
Reported: 2024-06-21 23:26
Platform: win10v2004-20240508-en
Max time kernel: 142s
Max time network: 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Kryptonite.exe | N/A
N/A | N/A | C:\Windows\111.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Kryptonite.exe | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\111.exe | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\111.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\002c97086073bcdf6039973287a23635_JaffaCakes118.exe"

C:\Windows\Kryptonite.exe

"C:\Windows\Kryptonite.exe"

C:\Windows\111.exe

"C:\Windows\111.exe"

C:\Windows\111.exe

C:\Windows\111.exe

Network

N/A

Files

C:\Windows\Kryptonite.exe

MD5 544f56f393eb5cd7c218bab8e9bc8bfd
SHA1 0b2b743f55c70de720a1095b1fbb69fe780058e5
SHA256 8cc2225c42941d1546f1f8d8f0f1771ab6928339a9b140ff7c875a177bbb4e3b
SHA512 6827dc484a8c6ea65aab65fbc4b58ff3979331d28dca7ff12f908a277934fe2656d00a8a87262534194d90c859896a06f361f2430dba780887fe7d9cd88b42b0

C:\Windows\111.exe

MD5 7dc6cfcfbbc42c597ca18216cad9ffc9
SHA1 8e7c10b41821a9723a2b0259d1d7c410a0e8d855
SHA256 be8ef5a37e1171c02716d0c25ef333a4a8fa3aac95ede79aafc19b4afe4e8729
SHA512 b2233bfd048ac3d61ef6c815249d9faad50bd7517d54e82a3256cca5fe22de36f77ab448004a751a08f94c6847a8a1fbceaab30f82fbd585cc2bd243518d5771

memory/3352-24-0x00000000735C2000-0x00000000735C3000-memory.dmp

memory/2336-25-0x00000000735C0000-0x0000000073B71000-memory.dmp

memory/2336-26-0x00000000735C0000-0x0000000073B71000-memory.dmp

memory/3352-27-0x00000000735C0000-0x0000000073B71000-memory.dmp

memory/2336-28-0x00000000735C0000-0x0000000073B71000-memory.dmp

memory/3352-29-0x00000000735C0000-0x0000000073B71000-memory.dmp

memory/2336-30-0x00000000735C0000-0x0000000073B71000-memory.dmp

memory/3352-31-0x00000000735C0000-0x0000000073B71000-memory.dmp

memory/2336-32-0x00000000735C0000-0x0000000073B71000-memory.dmp