Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-06-2024 02:08

General

  • Target

    00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe

  • Size

    549KB

  • MD5

    00cf8adbfebe8de5c9f5a6caf77bc5cb

  • SHA1

    6e9723685f93d3ddd5625a726aaf5e2757c50c4d

  • SHA256

    99610e6f8f7e58c8bc2f5bf10aeda421252a8b0706695caf9f152f718b634504

  • SHA512

    65503e39c41a8a46b9b99198da87916356fae0630edac9b6e6b1860e9176247df659fc5bd937e2d8bd84c596f216a8d3025f36be4c1d1c1d06cfa323c0725153

  • SSDEEP

    12288:7lFtWpbjQ+nPXCmHntSkhLLsWgCCKVJgbfj:ZFtg4+nvCmHntSWgCCKefj

Malware Config

Signatures

  • CyberGate, Rebhip

    CyberGate is a Delphi-based remote access trojan, marketed as a lightweight remote administration tool, with a wide array of functionalities (keylogging, file management, remote shell, screen and webcam capture). Rebhip is the detection family name used by some vendors, including Microsoft, for CyberGate builds.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build. A modified UPX header typically means the stock `upx -d` will refuse to unpack the file and a manual or memory dump approach is needed.

  • Program crash 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      C:\Users\Admin\AppData\Local\Temp\\server.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 36
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1304
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 44
      2⤵
      • Program crash
      PID:2716
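
The tree above shows the submitted sample (PID 2440) flagged for UnmapMainImage and WriteProcessMemory, then spawning the dropped server.exe (PID 2156), after which both processes crash and WerFault.exe is launched for each (`-p 2156`, `-p 2440`). The following Python is an added triage helper, not sandbox code: it transcribes the tree as data, reports parent/child pairs that match the unmap-plus-write pattern used by process hollowing, and attributes each WerFault.exe invocation back to the crashing PID. The field names (pid, ppid, image, cmdline, sigs) are this example's own.

```python
"""Added triage helper for the process tree above (this example's own code,
not the sandbox's). It transcribes the tree as data and applies two checks:

  * a parent flagged for both UnmapMainImage and WriteProcessMemory that
    spawns a dropped executable is reported as a process-hollowing candidate;
  * each WerFault.exe invocation is mapped back to the crashing PID from its
    "-p <pid>" argument, so crashes are attributed to the right process.

Field names (pid, ppid, image, cmdline, sigs) are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    sigs: frozenset = field(default_factory=frozenset)


# Process tree transcribed from the report (constructed from the page's data).
TREE = [
    Proc(2440, None,
         r"C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe"',
         frozenset({"Loads dropped DLL", "Suspicious use of SetWindowsHookEx",
                    "Suspicious use of UnmapMainImage",
                    "Suspicious use of WriteProcessMemory"})),
    Proc(2156, 2440,
         r"C:\Users\Admin\AppData\Local\Temp\server.exe",
         r"C:\Users\Admin\AppData\Local\Temp\\server.exe",
         frozenset({"Executes dropped EXE", "Suspicious use of WriteProcessMemory"})),
    Proc(1304, 2156,
         r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 36",
         frozenset({"Loads dropped DLL", "Program crash"})),
    Proc(2716, 2440,
         r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 44",
         frozenset({"Program crash"})),
]

# Signature pair characteristic of process hollowing: unmap the child's image,
# then write a replacement image into it.
HOLLOWING_SIGS = {"Suspicious use of UnmapMainImage",
                  "Suspicious use of WriteProcessMemory"}
# Location of dropped payloads in this report (compared case-insensitively).
TEMP_DIR = "\\appdata\\local\\temp\\"


def hollowing_candidates(tree):
    """Return (parent_pid, child_pid, child_image) for every parent/child pair
    where the parent carries both hollowing signatures and the child is a
    dropped executable launched from the user's Temp directory."""
    by_pid = {p.pid: p for p in tree}
    found = []
    for child in tree:
        parent = by_pid.get(child.ppid)
        if parent is None or not HOLLOWING_SIGS <= parent.sigs:
            continue
        if "Executes dropped EXE" in child.sigs and TEMP_DIR in child.image.lower():
            found.append((parent.pid, child.pid, child.image))
    return found


# WerFault.exe is started by the kernel-mode error path with "-p <crashing pid>".
WERFAULT_PID = re.compile(r"\bwerfault\.exe\b.*?-p\s+(\d+)", re.IGNORECASE)


def crashed_pids(tree):
    """Map each crashing PID (taken from WerFault's -p argument) to the image
    of that process, or None if the PID is not in the tree."""
    by_pid = {p.pid: p for p in tree}
    crashes = {}
    for p in tree:
        m = WERFAULT_PID.search(p.cmdline)
        if m:
            target = int(m.group(1))
            crashes[target] = by_pid[target].image if target in by_pid else None
    return crashes


if __name__ == "__main__":
    for parent_pid, child_pid, image in hollowing_candidates(TREE):
        print(f"hollowing candidate: {parent_pid} -> {child_pid} ({image})")
    for pid, image in crashed_pids(TREE).items():
        print(f"crash: pid {pid} ({image})")
```

Both crashes are attributed by parsing WerFault's command line rather than by the tree position, which matters because the sandbox lists WerFault.exe for PID 2440 as a child of 2440 and the one for 2156 as a child of 2156; the `-p` argument is the authoritative link either way. The "Loads dropped DLL" tag on WerFault.exe (PID 1304) is the sandbox attributing a module load inside the error-reporting process and is not by itself evidence that the payload hooked WerFault.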

Network

MITRE ATT&CK Matrix

Downloads

  • \Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    503KB

    MD5

    338901f55359a82fc929f3025e951d44

    SHA1

    3bf960e8bc01ccf5fd1d7a7e3fc5b54fd80b10c1

    SHA256

    dda3b31b016c7888026e02a7e57813c27807ecfe253e24bc0f881b26396b3d40

    SHA512

    3f5ce5a721b6edafd97c30cb45aed42999661c57ee389dec39557fdb279e289a5c3d11d4dad16efefbffd343167e673e338e4552c3a0b756e47228f8a8a3269e

  • memory/2156-15-0x0000000000400000-0x0000000000490000-memory.dmp
    Filesize

    576KB

  • memory/2440-0-0x0000000000320000-0x0000000000335000-memory.dmp
    Filesize

    84KB

  • memory/2440-3-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize

    20KB

  • memory/2440-8-0x00000000036B0000-0x0000000003740000-memory.dmp
    Filesize

    576KB

  • memory/2440-14-0x00000000036B0000-0x0000000003740000-memory.dmp
    Filesize

    576KB

  • memory/2440-19-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize

    20KB
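
The memory dump names above encode the PID, a sequence number and the dumped address range. Two things are worth checking from them: that each stated Filesize matches the range, and which regions of equal size appear in both processes. Here the 576KB region is first dumped in the parent (PID 2440) at 0x36B0000, an allocation well away from the 0x400000 image base, and then as the entire 0x400000 image region of the child server.exe (PID 2156), which is the footprint of a payload staged in the parent and written over the child's image, consistent with the UnmapMainImage and WriteProcessMemory signatures. The following Python is an added example, not sandbox code; the dump list is transcribed from the page and the `image_base` default of 0x400000 is this example's assumption about the default link address of the 32-bit PE.

```python
"""Added example (not sandbox code): parse the memory dump names from the
report, verify the stated sizes, and pair a child's image-base region with
equal-sized non-image regions in another process, the footprint of an
injected image. Dump list is transcribed from the page; the 0x400000 image
base is this example's assumption."""
import re

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# (dump name, Filesize in KB as stated in the report); transcribed from the page.
DUMPS = [
    ("memory/2156-15-0x0000000000400000-0x0000000000490000-memory.dmp", 576),
    ("memory/2440-0-0x0000000000320000-0x0000000000335000-memory.dmp", 84),
    ("memory/2440-3-0x0000000000400000-0x0000000000405000-memory.dmp", 20),
    ("memory/2440-8-0x00000000036B0000-0x0000000003740000-memory.dmp", 576),
    ("memory/2440-14-0x00000000036B0000-0x0000000003740000-memory.dmp", 576),
    ("memory/2440-19-0x0000000000400000-0x0000000000405000-memory.dmp", 20),
]


def parse_dump(name):
    """Split a dump file name into pid, seq, start, end and size (bytes)."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_mismatches(dumps):
    """Return dump names whose address range disagrees with the stated Filesize."""
    return [name for name, kb in dumps if parse_dump(name)["size"] != kb * 1024]


def injected_image_matches(dumps, image_base=0x400000):
    """Pair every dump that starts at image_base with equal-sized dumps from a
    different PID that do not start at image_base. Each hit is
    (source_pid, source_seq, target_pid, target_seq, size_bytes): a region the
    source process held outside its own image that is exactly the size of the
    target process's image region."""
    parsed = [parse_dump(name) for name, _ in dumps]
    hits = []
    for target in parsed:
        if target["start"] != image_base:
            continue
        for source in parsed:
            if (source["pid"] != target["pid"]
                    and source["size"] == target["size"]
                    and source["start"] != image_base):
                hits.append((source["pid"], source["seq"],
                             target["pid"], target["seq"], target["size"]))
    return hits


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS))
    for src_pid, src_seq, dst_pid, dst_seq, size in injected_image_matches(DUMPS):
        print(f"pid {src_pid} dump {src_seq} (0x{size:x} bytes) matches the "
              f"image region of pid {dst_pid} dump {dst_seq}")
```

On this report the size check is clean and the pairing returns the parent's dumps 8 and 14 against the child's dump 15, all 0x90000 bytes. Dump 2156-15 at 0x400000 is therefore the region to carve for the unpacked payload; the parent's own 0x400000 region is only 20KB, which is what remains of the packed stub rather than the payload.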