Malware Analysis Report

2024-09-22 09:12

Sample ID 240622-ckvp3swgpm
Target 00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118
SHA256 99610e6f8f7e58c8bc2f5bf10aeda421252a8b0706695caf9f152f718b634504
Tags cybergate stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 99610e6f8f7e58c8bc2f5bf10aeda421252a8b0706695caf9f152f718b634504

Threat Level: Known bad

The file 00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate stealer trojan upx

CyberGate, Rebhip

Executes dropped EXE

Loads dropped DLL

UPX packed file

Program crash

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-22 02:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 02:08

Reported

2024-06-22 02:11

Platform

win7-20240611-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2440 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2440 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2440 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2440 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2156 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2156 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2156 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2156 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2440 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2440 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2440 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2440 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

C:\Users\Admin\AppData\Local\Temp\\server.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 44

Network

N/A

Files

memory/2440-0-0x0000000000320000-0x0000000000335000-memory.dmp

memory/2440-3-0x0000000000400000-0x0000000000405000-memory.dmp

\Users\Admin\AppData\Local\Temp\server.exe

MD5 338901f55359a82fc929f3025e951d44
SHA1 3bf960e8bc01ccf5fd1d7a7e3fc5b54fd80b10c1
SHA256 dda3b31b016c7888026e02a7e57813c27807ecfe253e24bc0f881b26396b3d40
SHA512 3f5ce5a721b6edafd97c30cb45aed42999661c57ee389dec39557fdb279e289a5c3d11d4dad16efefbffd343167e673e338e4552c3a0b756e47228f8a8a3269e

memory/2440-8-0x00000000036B0000-0x0000000003740000-memory.dmp

memory/2156-15-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2440-14-0x00000000036B0000-0x0000000003740000-memory.dmp

memory/2440-19-0x0000000000400000-0x0000000000405000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 02:08

Reported

2024-06-22 02:11

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

C:\Users\Admin\AppData\Local\Temp\\server.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2292 -ip 2292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 232

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp

Files

memory/1916-0-0x00000000001D0000-0x00000000001E5000-memory.dmp

memory/1916-2-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 338901f55359a82fc929f3025e951d44
SHA1 3bf960e8bc01ccf5fd1d7a7e3fc5b54fd80b10c1
SHA256 dda3b31b016c7888026e02a7e57813c27807ecfe253e24bc0f881b26396b3d40
SHA512 3f5ce5a721b6edafd97c30cb45aed42999661c57ee389dec39557fdb279e289a5c3d11d4dad16efefbffd343167e673e338e4552c3a0b756e47228f8a8a3269e

memory/2292-9-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2292-10-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1916-13-0x0000000000400000-0x0000000000405000-memory.dmp