Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-06-2024 13:32

General

  • Target

    0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe

  • Size

    756KB

  • MD5

    0be5ab0b82e33f33c5d17f5eb30a9f53

  • SHA1

    537b248b03493b85ca7d31eb3c081316f9c5356f

  • SHA256

    632ead31eb6616726169f1978681c9d70083d356fddea6810aff8bb585063891

  • SHA512

    c44adcd6123f1f71b38c5d840c829090bc5275ac6bb346f6aba0f19498cb1d269e822eb86219949b41f1146d844a0846d9fb21888951e6fcb87e5d48015e760d

  • SSDEEP

    12288:OUJ3QGIgmNAANioxobIeVNPnvkXacrs2Pj7Her:/NlSgoqb7vkXdner

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

lawliet.no-ip.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    spynet

  • install_file

    svchosts.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3460
      • C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe"
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4968
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:5072
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:632
            • C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe"
              4⤵
              • Checks computer location settings
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2744
              • C:\Windows\SysWOW64\spynet\svchosts.exe
                "C:\Windows\system32\spynet\svchosts.exe"
                5⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                PID:4472
                • C:\Windows\SysWOW64\spynet\svchosts.exe
                  "C:\Windows\SysWOW64\spynet\svchosts.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:3112
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 564
                    7⤵
                    • Program crash
                    PID:4964
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3112 -ip 3112
        1⤵
          PID:3856

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • T1547 Boot or Logon Autostart Execution: 3
      • T1547.001 Registry Run Keys / Startup Folder: 2
      • T1547.014 Active Setup: 1
  • Privilege Escalation
    • T1547 Boot or Logon Autostart Execution: 3
      • T1547.001 Registry Run Keys / Startup Folder: 2
      • T1547.014 Active Setup: 1
  • Defense Evasion
    • T1112 Modify Registry: 3
  • Discovery
    • T1012 Query Registry: 1
    • T1082 System Information Discovery: 2


Downloads
