Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-06-2024 13:32

General

  • Target

    0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe

  • Size

    756KB

  • MD5

    0be5ab0b82e33f33c5d17f5eb30a9f53

  • SHA1

    537b248b03493b85ca7d31eb3c081316f9c5356f

  • SHA256

    632ead31eb6616726169f1978681c9d70083d356fddea6810aff8bb585063891

  • SHA512

    c44adcd6123f1f71b38c5d840c829090bc5275ac6bb346f6aba0f19498cb1d269e822eb86219949b41f1146d844a0846d9fb21888951e6fcb87e5d48015e760d

  • SSDEEP

    12288:OUJ3QGIgmNAANioxobIeVNPnvkXacrs2Pj7Her:/NlSgoqb7vkXdner

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

lawliet.no-ip.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    spynet

  • install_file

    svchosts.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe"
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1680
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:1208
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2484
            • C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe"
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2120
              • C:\Windows\SysWOW64\spynet\svchosts.exe
                "C:\Windows\system32\spynet\svchosts.exe"
                5⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                PID:2920
                • C:\Windows\SysWOW64\spynet\svchosts.exe
                  "C:\Windows\SysWOW64\spynet\svchosts.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:1252

      Network

      MITRE ATT&CK Matrix (ATT&CK v13)

      • Persistence
        • Boot or Logon Autostart Execution (T1547) — 3
          • Registry Run Keys / Startup Folder (T1547.001) — 2
          • Active Setup (T1547.014) — 1
      • Privilege Escalation
        • Boot or Logon Autostart Execution (T1547) — 3
          • Registry Run Keys / Startup Folder (T1547.001) — 2
          • Active Setup (T1547.014) — 1
      • Defense Evasion
        • Modify Registry (T1112) — 3
      • Discovery
        • System Information Discovery (T1082) — 1

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        229KB

        MD5

        90467c58bc1364bb0e37f68865c5fb03

        SHA1

        87764898570a37216f89a75e619bf56ac1e1d9c4

        SHA256

        e652e0a77456792f5568581e7451998679c793716fbd7dddc7fdc136bfce39d2

        SHA512

        8fbdd9db737ef1a2e41254b3b7ae86b898a1cc9e1ff4c0f6a6ef0a7a917bb5438eda4aff6741bf0a09d7b492f3189d5972d95fb748134f17d213d2bc373464d7

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        7f9c94a3064b059a99c090c2d899e95a

        SHA1

        b135772244aa4f55584e62a68150841378beb4e0

        SHA256

        8828fa03091e77fda2b8aa170fef60b9dc0303ca53f26370598974b130062a1c

        SHA512

        527733a037a9b2bc14669013a27cf3f37578512324c2d013c1591a87aeeda05799c5268e7338733f197891bb345702b802eca1ea220b0bf157749db1c78fd853

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        07342f3921b2088c48096cd61318be1b

        SHA1

        3e54f3ea794c675f5da0f0f02420ae8026cd6b98

        SHA256

        29340a984bf14bf70a31cdd0ef22382cd11b4e7d94ac21de1e1f73e1b8f54063

        SHA512

        7875f4466ea680ee229c09c0965bea4d97d186be5d6e51b6602e307218a8051d040be76c230d910ff9f31310eb62aed517b98cbb66242426b990bd13c004b23f

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        89991480932609dd2f343132b5f6ead9

        SHA1

        9f7a1e90d03e612344ca2940c748dd0687a27f0a

        SHA256

        e7d8c1df43a5a637706ad7ec0bb8f9d31ecb9e10115f55df25134dbd82950d97

        SHA512

        f4cdcbb022db93acf44cd9d018d0822064615d15d443c1ee583be8c15bf46c9fd5fb9c572dfba3ec0f8399fcf22ce8fbd0e9f941291674e87f1c1ea1681d5e49

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        aaa8b369db03e21164a6660103c3912d

        SHA1

        6028eb77bbe76c5c2cbf28245d29099dfa4e6de5

        SHA256

        ef2eac9829bc92ae8d7823232a7cdcb02eef3aa0a328f69a869d8111cc7c2974

        SHA512

        e005edb7ddff6404c37d4f0d2e5b69b845a28871e24a27335309baf546c09366562cfa69d00ae05bb08efe436a81947d1e03ec485e0ae4fc733f325a95c57fcd

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        259d20a94215e98285962261fb140871

        SHA1

        3ff9e0943a3a1268794c6ab3d7651f41771eec4e

        SHA256

        402d8f59b3823a94501fad3477ddcf1e3db9fb702f1e996f853f380e5c901a53

        SHA512

        40c109a7a5b66cc376ff4e95dc7f7a356b70a0eedf1470a010cf98bcfa10cb98741e7405406972883094682ba67c5de3707874e66bec3d21e3225327f1c85b0d

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        830aca5a3e0178917cd84a94a292ca62

        SHA1

        1dbd0be3b669da18903f7769c3963da022e3cf79

        SHA256

        caf33e7208824581c00b04c5bbef0c8a4edb18e8af2cf1a790dc80b0756766e2

        SHA512

        ca7abf403e98c5446cc272792be89e30c15faa7d566b8ef4d92fdfb37905402a5a675e72356d7b1c3f1750efaaeb7291f54db86be15a5c794a9aad45f76cf745

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        7558096cc9e116a7205884a62ce6b1d1

        SHA1

        e0c209675652fdbe50e4327a07ca89c978a4bff0

        SHA256

        449f17aeea6a225738ed052175a8de02c725d3f20c54b47f0b94c573038a1f56

        SHA512

        af9ba3fd82c26565b42bb3dc9672e25adebdd0fd93e98f17ca87e738f0514bf049a2a30787e05ddb51167b1ac93c1b2d133055776cdae5e781d80c4441c4ae11

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        55d4b6584d22de1beeb3ee666b83f344

        SHA1

        f9697c01abf68e885efb556073dfe23ed08d6a54

        SHA256

        fca0cefcb894a7ce414ca3f89f22a7fc6dbf6aaff45bfe29cfe69877e3112146

        SHA512

        cbf50c3ff9e0facd652ba3dbbc62d28fe97a0d32fcab9f3eda0fa9626ca3d02770b64e734ce17749dc78a48b17e8132547f4bafddda8e2dc72929cf4886bb6c6

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        1aba098336d131f8466df84b1fa8bb1b

        SHA1

        889f01521cb1468a7c95378b985fcb655543f0c1

        SHA256

        03564b1bdbf378f870d800b4a67bf036bc01a5a7d7777235a2287b62ed28f167

        SHA512

        f04d015cc3af9183d905b51fbff6b347baacdbb4453f46af0f6fe3e8b1e0c441e85c6b2871d013b4ecf56c1d86d32be635307af65b3c5b7235150d86d426bdfe

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        fb2f80decf59ab74f296625b476cb437

        SHA1

        34f76b76575fef105c516676b42d9a693eda2392

        SHA256

        863f7dc909558b2c4020b60196f2367888f603dcc00fcf658afa0314807c7550

        SHA512

        045a77d73838c73b36e6a827cd7c21a55445326cfe059bbb093d688de76bcf51330d40f6bcd4a8c16e246824ffaf9ebb7bf818885fea958962a0e7c5d92ae68d

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        1be789afa59635551403914a89769c46

        SHA1

        f4388f25bb56fec42ecaa85ec616b9007f97d2c7

        SHA256

        fe728988b8ee5192e0d875529d880ec24cfbfee9319475e29345849f7cca59a6

        SHA512

        02ea8225e9e6f51e28c8822f55a47e4af6b135d990366ef3378183898d3a7a13d108075a9723a00d7ac91ff0d15484cbd678fb427fa56e45a2f6bb0eb158f41b

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        bad34a7e566b5a9ba877661ed2aeda57

        SHA1

        c8ddf081882194dbefc4495b9ec5f6246a51ea08

        SHA256

        021dfab4f8c7d974ef407bc1228bb92740b9e08ebeb6a83fbab9eee16023a3a5

        SHA512

        10df6629d39f5dfacf69d5efda0cc789336e1b704767c561a3bb99fb8c2e91d282f1672da9a15154711477069070d762f375f2992d6adb436bffff274d54dc5e

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        e7ae39f3840db030da318c0d936c1747

        SHA1

        fc26f2db2d73a053b237db2c6986be9fa9bd2359

        SHA256

        27f4d833eddbc5c853993b6dcdc04d2590eab16f8a2e79c22463d6d19e38ab80

        SHA512

        e34a46b84da4699872ed8503e289e0dee1d4e679fe877a64ca202fd27581f450d47c8e3db4423777be5c5134515c332a1bc2bbc29e13527e319b1abbba353767

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        ea792eadb39343f708e3ac2c326712e7

        SHA1

        1dae426e518cf0336cb513653d38b27d0aa144b3

        SHA256

        5ea3c1bd1a81f1b9bb8f2b63d2806b40952fb6cff67e30f98df7e219ecbfa990

        SHA512

        c11c15fa02b3d4fb1f533aa65dd155a3885dc190d4065dbd1c7398ccc1bf54d1a5c1b9c04dded4c0c8a134b2de931e564c44f6d37741d7e6bfad813c8229b8f8

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        ef12206692d8bcbd1f79b2a06ffd5b7c

        SHA1

        32e8dc90c54fe6e792c637d248f794b7f2109c9c

        SHA256

        7a5aab467920e85b39006e79b48bfcd2233726a1c10e25eb3a1df7d77d1795cd

        SHA512

        6dcfbe1058a1f90390f1f3c9ee514e04b5454d74fa12dc7ddf6c15d2f035cc6ce59cb79d17fc3cf82e95180f42fdf00d0308dbc9e195c5ce1ca72cdc2c1f47ae

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        8f247de1941db3b54a3ba7cfb3cff665

        SHA1

        39d0fe7d172567357decbe171f6d60389a1e2492

        SHA256

        167069d5f586fcbc09237af0b033c45bf837df75b74edbcf14121da69cbb2b64

        SHA512

        d0edfab01a0d08a8133d62163a91f0639ddb9014570d4b0b516f073046ef72b17d40cdfc759a44f0d16c1503a93eb267ba60bc1412688b30233fdcba34493ec5

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        61d10983e585cc9431d256e0d364ddc6

        SHA1

        e6a7af8203dabc0a9c90ae9c1e391e40838b1300

        SHA256

        44075bcebd63ac9722cc74b409683fc6ccbe65ebc7646738353393082ec57740

        SHA512

        2a66ec8259555a9be43f728d63bc30fcf9c2e2d495dc3b82b32eb3aa08cc6b83ae65a5f40ada177089cd75321af961e233a70788f3d8bdd596ee9a0e2fdadf78

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        f3eb3a9a78c3deede1c04b257ff867d3

        SHA1

        e75522112a816d1abcca22f44be5d4ab9c6d41d3

        SHA256

        78bcb2e8410dec77e58c60df9dde77f9b7ecd14f073f13636a645dbd7014264c

        SHA512

        29a1331a879953f24e9fc1194ec868970442d4e0396a1f79cb25dd920f50eb90d312e460acbce18c6eb6c0fae66f12db0f1fd134dec8b29b45cfc7cbef72be97

      • C:\Users\Admin\AppData\Roaming\logs.dat
        Filesize

        15B

        MD5

        e21bd9604efe8ee9b59dc7605b927a2a

        SHA1

        3240ecc5ee459214344a1baac5c2a74046491104

        SHA256

        51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

        SHA512

        42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

      • C:\Windows\SysWOW64\spynet\svchosts.exe
        Filesize

        756KB

        MD5

        0be5ab0b82e33f33c5d17f5eb30a9f53

        SHA1

        537b248b03493b85ca7d31eb3c081316f9c5356f

        SHA256

        632ead31eb6616726169f1978681c9d70083d356fddea6810aff8bb585063891

        SHA512

        c44adcd6123f1f71b38c5d840c829090bc5275ac6bb346f6aba0f19498cb1d269e822eb86219949b41f1146d844a0846d9fb21888951e6fcb87e5d48015e760d

      • memory/1208-556-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

      • memory/1208-266-0x00000000000E0000-0x00000000000E1000-memory.dmp
        Filesize

        4KB

      • memory/1208-1034-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

      • memory/1208-264-0x00000000000A0000-0x00000000000A1000-memory.dmp
        Filesize

        4KB

      • memory/1252-926-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/1252-922-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/1260-21-0x0000000002190000-0x0000000002191000-memory.dmp
        Filesize

        4KB

      • memory/1680-16-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/1680-17-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/1680-15-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/1680-14-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/1680-12-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/1680-888-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/2120-1407-0x0000000005E40000-0x0000000005EB9000-memory.dmp
        Filesize

        484KB

      • memory/2120-911-0x0000000005E40000-0x0000000005EB9000-memory.dmp
        Filesize

        484KB

      • memory/2120-1531-0x0000000005E40000-0x0000000005EB9000-memory.dmp
        Filesize

        484KB

      • memory/2120-610-0x0000000000400000-0x00000000004782DA-memory.dmp
        Filesize

        480KB

      • memory/2120-908-0x0000000005E40000-0x0000000005EB9000-memory.dmp
        Filesize

        484KB

      • memory/2920-921-0x0000000000400000-0x00000000004782DA-memory.dmp
        Filesize

        480KB

      • memory/2920-912-0x0000000000400000-0x00000000004782DA-memory.dmp
        Filesize

        480KB

      • memory/3056-10-0x0000000003820000-0x0000000003899000-memory.dmp
        Filesize

        484KB

      • memory/3056-13-0x0000000000400000-0x00000000004782DA-memory.dmp
        Filesize

        480KB

      • memory/3056-4-0x0000000000400000-0x00000000004782DA-memory.dmp
        Filesize

        480KB

      • memory/3056-7-0x0000000000400000-0x00000000004782DA-memory.dmp
        Filesize

        480KB

      • memory/3056-8-0x0000000000400000-0x00000000004782DA-memory.dmp
        Filesize

        480KB

      • memory/3056-1-0x0000000000400000-0x00000000004782DA-memory.dmp
        Filesize

        480KB

      • memory/3056-0-0x0000000000400000-0x00000000004782DA-memory.dmp
        Filesize

        480KB

      • memory/3056-3-0x000000000042C000-0x000000000042D000-memory.dmp
        Filesize

        4KB

      • memory/3056-2-0x0000000000400000-0x00000000004782DA-memory.dmp
        Filesize

        480KB