Analysis

  • max time kernel
    91s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-06-2024 02:08

General

  • Target

    00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe

  • Size

    549KB

  • MD5

    00cf8adbfebe8de5c9f5a6caf77bc5cb

  • SHA1

    6e9723685f93d3ddd5625a726aaf5e2757c50c4d

  • SHA256

    99610e6f8f7e58c8bc2f5bf10aeda421252a8b0706695caf9f152f718b634504

  • SHA512

    65503e39c41a8a46b9b99198da87916356fae0630edac9b6e6b1860e9176247df659fc5bd937e2d8bd84c596f216a8d3025f36be4c1d1c1d06cfa323c0725153

  • SSDEEP

    12288:7lFtWpbjQ+nPXCmHntSkhLLsWgCCKVJgbfj:ZFtg4+nvCmHntSWgCCKefj

Malware Config

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Program crash 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      C:\Users\Admin\AppData\Local\Temp\\server.exe
      2⤵
      • Executes dropped EXE
      PID:2292
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 224
        3⤵
        • Program crash
        PID:2172
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 232
      2⤵
      • Program crash
      PID:3616
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2292 -ip 2292
    1⤵
    PID:3292
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1916 -ip 1916
    1⤵
    PID:2708

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize
    503KB

    MD5
    338901f55359a82fc929f3025e951d44

    SHA1
    3bf960e8bc01ccf5fd1d7a7e3fc5b54fd80b10c1

    SHA256
    dda3b31b016c7888026e02a7e57813c27807ecfe253e24bc0f881b26396b3d40

    SHA512
    3f5ce5a721b6edafd97c30cb45aed42999661c57ee389dec39557fdb279e289a5c3d11d4dad16efefbffd343167e673e338e4552c3a0b756e47228f8a8a3269e

  • memory/1916-0-0x00000000001D0000-0x00000000001E5000-memory.dmp

    Filesize
    84KB

  • memory/1916-2-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize
    20KB

  • memory/1916-13-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize
    20KB

  • memory/2292-9-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize
    576KB

  • memory/2292-10-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize
    576KB