Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240611-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-06-2024 03:20

General

  • Target

    010df753725191c555267e402257bef3_JaffaCakes118.exe

  • Size

    399KB

  • MD5

    010df753725191c555267e402257bef3

  • SHA1

    8ccc273f2e40c6b7395e9b196e47e67ba057c0c6

  • SHA256

    a9b94db1ffd00e365827c47cf2627d12ebc02a6b0ab1305a0a7c139098c5ea6d

  • SHA512

    d3ed8a3f818cd24e12f98cf9c8b76e85350f5f79f5fad0a71a1618067542c37e83c6ca435f43f0486eb7cc986452e965f1a0f1fe09bd5d4f3a5f0ac1c67faf52

  • SSDEEP

    12288:Av/rOWedulF+opSZA7bk1zevXPh+r/Xd:MyWOuOoYZAMwvXPEr

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

phayzonstuff.no-ip.biz:100

Mutex

7WO01W52GAFFM2

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Thank you for patching your webcam, it is successful!

  • message_box_title

    Webcam Patch

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate (also detected under the name Rebhip) is a commodity remote access trojan. This sample's extracted configuration enables the keylogger, installs a copy as WinDir\Svchost.exe, injects into explorer.exe and reports to phayzonstuff.no-ip.biz on TCP port 100.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (11 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Uses the VBS compiler for execution (1 TTP)

    The process is vbc.exe, the Visual Basic .NET compiler, started with no arguments (see the process tree below). It compiles nothing; the parent uses SetThreadContext and WriteProcessMemory on it, which is the process-hollowing pattern.

  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3500
      • C:\Users\Admin\AppData\Local\Temp\010df753725191c555267e402257bef3_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\010df753725191c555267e402257bef3_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4368
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Suspicious use of AdjustPrivilegeToken
            PID:4264
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:3528
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Drops file in System32 directory
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:4472
              • C:\Windows\SysWOW64\WinDir\Svchost.exe
                "C:\Windows\system32\WinDir\Svchost.exe"
                5⤵
                • Executes dropped EXE
                PID:3768
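      The tree above is the whole chain in one view: the dropper (PID 4372) hollows a .NET compiler, vbc.exe (PID 4368), which spawns a 32-bit explorer.exe from SysWOW64, iexplore.exe and a second argument-less vbc.exe, and that one drops and runs WinDir\Svchost.exe. Note that the child's command line says C:\Windows\system32\WinDir\Svchost.exe while the image path is C:\Windows\SysWOW64\WinDir\Svchost.exe: the chain is 32-bit, so WoW64 file-system redirection mapped the write to SysWOW64. The Python below is an added example, not part of the sandbox report, that turns the observable shape of this tree into four triage rules and runs them over a hand-constructed copy of the tree (same PIDs, image paths and command lines as shown). The ProcEvent record, the rule names and the assumption that svchost.exe lives only in System32 or SysWOW64 are this example's own conventions, not the sandbox's schema.

```python
"""Process-tree triage rules modelled on the CyberGate tree above.

Added example, not part of the sandbox report. SAMPLE_TREE is constructed
by hand from the page's process tree; ProcEvent and the rule names are
this example's own conventions.
"""
from dataclasses import dataclass
from ntpath import basename, dirname, normcase


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image path as the OS reports it (post WoW64 redirection)
    cmdline: str  # command line as launched


# Constructed from the report's process tree (same PIDs, paths, command lines).
_VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\010df753725191c555267e402257bef3_JaffaCakes118.exe"
SAMPLE_TREE = [
    ProcEvent(3500, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4372, 3500, _DROPPER, f'"{_DROPPER}"'),
    ProcEvent(4368, 4372, _VBC, _VBC),
    ProcEvent(4264, 4368, r"C:\Windows\SysWOW64\explorer.exe", "explorer.exe"),
    ProcEvent(3528, 4368, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    ProcEvent(4472, 4368, _VBC, f'"{_VBC}"'),
    ProcEvent(3768, 4472, r"C:\Windows\SysWOW64\WinDir\Svchost.exe",
              r'"C:\Windows\system32\WinDir\Svchost.exe"'),
]

COMPILERS = {"vbc.exe", "csc.exe"}
# Assumption: the only legitimate homes of svchost.exe on a default install.
SVCHOST_DIRS = {normcase(r"C:\Windows\System32"), normcase(r"C:\Windows\SysWOW64")}


def _args(ev):
    """Arguments after the image token; tolerates a quoted image path."""
    cl = ev.cmdline.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def triage(events):
    """Return a list of (pid, rule, detail) findings for the given events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = normcase(basename(ev.image))
        parent = by_pid.get(ev.ppid)
        pname = normcase(basename(parent.image)) if parent else ""

        # Rule 1: a .NET compiler with no arguments compiles nothing; in this
        # chain it is only a host for code written in via SetThreadContext.
        if name in COMPILERS and _args(ev) == "":
            findings.append((ev.pid, "compiler_without_args", ev.image))

        # Rule 2: a compiler process does not spawn browsers, shells or
        # service hosts during a build; any child of vbc.exe/csc.exe is odd.
        if pname in COMPILERS:
            findings.append((ev.pid, "compiler_spawned_child", f"{pname} -> {name}"))

        # Rule 3: svchost.exe anywhere but its two legitimate directories.
        if name == "svchost.exe" and normcase(dirname(ev.image)) not in SVCHOST_DIRS:
            findings.append((ev.pid, "svchost_masquerade", ev.image))

        # Rule 4: 32-bit explorer.exe from SysWOW64 started by something
        # other than the real shell (the injection target named in the config).
        if name == "explorer.exe" and "syswow64" in normcase(ev.image) and pname != "explorer.exe":
            findings.append((ev.pid, "syswow64_explorer_child", f"parent={pname}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_TREE):
        print(f"{pid:>5}  {rule:<26} {detail}")
```

      Against the constructed tree the rules fire on every malicious node and on nothing else: both vbc.exe instances trip rule 1, the four children of vbc.exe trip rule 2, the dropped Svchost.exe trips rule 3 and the SysWOW64 explorer.exe trips rule 4, while a genuine `svchost.exe -k netsvcs` from System32 or a vbc.exe invoked with a source file is left alone. The rules key on structure (who started whom, with what arguments, from where) rather than on this sample's hashes, so they survive a repack of the same builder output.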

      Network

      MITRE ATT&CK Matrix (ATT&CK v13)

      • Execution
          Scripting (1) T1064
      • Persistence
          Boot or Logon Autostart Execution (3) T1547
            Registry Run Keys / Startup Folder (2) T1547.001
            Active Setup (1) T1547.014
      • Privilege Escalation
          Boot or Logon Autostart Execution (3) T1547
            Registry Run Keys / Startup Folder (2) T1547.001
            Active Setup (1) T1547.014
      • Defense Evasion
          Modify Registry (3) T1112
          Scripting (1) T1064

      T1547 is listed under both Persistence and Privilege Escalation because ATT&CK maps the technique to both tactics. T1064 (Scripting) is a deprecated technique ID in current ATT&CK; the sandbox still emits it for the vbc.exe usage, so map it to T1059 (Command and Scripting Interpreter) or to the injection behaviour when normalising these tags.


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        03fbd5eb2ad0b4967d89dee415664ea7

        SHA1

        eb67fd63564c54b1b0b1aa14ac9426e2ab99ff15

        SHA256

        9b1a9497928f4b35fbb640b6fc8fed36b11718a14ac38f9086aea95f8ab3793f

        SHA512

        97070df4d94f1ebc347d470d1bda62675848e45db544351497896ea83f8759dc818d19d48dba9d2502bc074fc4da3ea6f79bd3725c1b4e054441e47c4cf2583b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        ee9a44e309484c3c2fca10e7c6f967e7

        SHA1

        c28b4bdec80867ed2e26120d6bdb1ba069115740

        SHA256

        27516f226fa3266a1dc7181d8c5d795a0914c0c9bd0afc1c88569c751edf083e

        SHA512

        683eab3223d92da98aaa4d9166b4925c9532af754123a10e06812c54abeea2a1c73257ba65932a9f13919e96c458c03418b09699d24dd30407ba225255fc21e5

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        20f0a596d813ef567a1410a6b44a623b

        SHA1

        97edd092b67a48e16b505aec297c2bf260236c97

        SHA256

        498b4a5d886ea6523f0f4a245a9d5b92a542bfcf232e52c72228fd30f6eb5e33

        SHA512

        b60b14be8050060fb716c4e8781f176fb2d2a6b38295c24beeee4abb0d8e9f1bffda614f9bcb6cc963f765dff8f3080d578e8d7a573e5e75b449344c3eb4b7bc

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a6cd066d476b8a7597ecfc46b900c2e4

        SHA1

        ff8890cefd0548c598555ea436c169c0a58e5baf

        SHA256

        511058eb9db6ddc0e01a4a72dc999ff3757aeaa58f5a95bf949aec21cdce423c

        SHA512

        86148dff5b23a9380c96b242ea0465303bbb307b11aea1d72439b33f244f9b82bf9c38f17dab9d73d0afb3553f48b534aee4941abc4b84a49dc2d78970d852a6

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        062ef3311d5029499e3173b1e5b57c06

        SHA1

        dda124b5be30468520caae2fe157fda17a6c84af

        SHA256

        5e70cd3a612aa1ced151b626cb7657806ffef391ef72df3921a3fef619c3cde0

        SHA512

        edb676b281962210dff94e46584b6bfef87292de63cb5b3c808e4459a4bcb285ea43128ded0fd2d39edb4b1c2d4b747a3707ce37a9ec80a44d6c3352bbd16be7

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        06aa6f56c7ef77b915e3fcbef5b81a5f

        SHA1

        14935a7d177e3ddc980bd232b469174a259f472a

        SHA256

        61b9dc29d187f5862efda7033bde44669d4fa48f369bed2b970694cde9324478

        SHA512

        3805397254fa59f9340c20919b249abec14b82d153b587e02362abfe2dd989858584f98a74275b87c5c01db9ec33f5a7c0c4ce6ae31631237428c8fe5b3a63bb

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8311adb53dac767c5321b9879b6d1a42

        SHA1

        8b258e37bbbbd7cbb24183aa3c356d9626d8e556

        SHA256

        354c0cb22a53afac969f159454d62415417bea8617afef14761bbf1ec9551e54

        SHA512

        e215a58c2ead5f27fd68bb6c3c6e1ffbafaa4368f7d971d195edaccd78d616e5253e602bfd795e6db934d086a27f861bba08e72c2d0f906d3b170556ba6c2238

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        1a417e7082e646e7940e616494746a4e

        SHA1

        9f5ecbc7b61712dff761f02473a2b186f347d494

        SHA256

        6d773241a93a14f3d540bfe6a270f70edda6bd80c6ea4a5933e8325268080f8c

        SHA512

        84b0a6d531a74ce7441dcd9abe86fd8b52b629b1cd54becaa175870990d6800cb041ad9cfe378a1fa986d381735fb38c02f59fc6ee4a79cafa108c6fb98e7639

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        dba731376640fe5f2a90bb30ddb77f16

        SHA1

        a52cf0f861e415245ae2844aad7a16bb78e9e724

        SHA256

        a5af2afad03c29f5fef46229f59168f349ca23ce2956ab1f628ebaf621532c12

        SHA512

        4d12748d49b12ee3042f826e7ab3e7e65d981b7a6512a8c18840881bc3579a8511e3f6dae355b5c4abd9622f1b0c9c06d24dae7a712687336f16978a8bb6fd4b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        eba40f5545bc7ffb12ddcd3b62dd3de1

        SHA1

        2febd5a31d5a282d5d6ae8909833b7f162367053

        SHA256

        503c33be54134e8eb61fb3cbcfe075a879a9fe24db16b0539ed09351cd51a7d5

        SHA512

        a50362594cc0cf4e77b85974edcef172c0d56a88da65e9755b0f3bb0b0aabc3b425a6004b376a233a5f869e83786a58bf5460176241ada13a06b35dae7ce52c6

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        bbf2b5eb38af0ad296f43f9dfa982f1d

        SHA1

        23cd9fa4ba2be7f51680672b082f0effa01aa94e

        SHA256

        8ae5866a47d4ae34f2a084eeb7a1c8e2b609084578d83897c28fb0094dfa69ab

        SHA512

        3056498715959eeeeb9ff1a27362f969d322fa23fdb17bdadd62fc357571faa1a72daaa577b7b949726550b3f9e13b0edbf7517641578ecbf3f57daa59e6ebe3

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        62323cd8f2cf099947bb8e91f1240aee

        SHA1

        08671cc6dfc3057f1c1bf962f987a85e6ec0d11e

        SHA256

        8e56bddafca1c27e1b9740cb0e3ec6905c5fcf75dbb564d4ebfc11a405e830f9

        SHA512

        b105367c8bb6df106d48d8b55591663dcab3fdd889cb71846c38e14ba2c00e860b47ef4b60902abe220169d06c3900d7f8c3e5a496b3b67793830de5f56be345

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d26d496f536a775bb2d071c17477c532

        SHA1

        6a4d7f379b4eee4745818d8e7ecb52771f7234bd

        SHA256

        9f75555aabd6414495c85d2a7c87d5dc7e16bca9ce7e08e427ed63ae373038aa

        SHA512

        ca09db5757624cab5dd082df471b0592ea3e25e6753999ec866ec4b2ba9c6126992a4c985325dc45a791a3208cf91d73dbc3e524646d72f0a0af35fc7697ece8

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        84d60bd9850e42f62309b22d3f96f85d

        SHA1

        de8e1df7ad9040399916baf4c1cd5340e5ebc3e1

        SHA256

        0e19fa95981f79953dd45b606f83a94682fe69e759ec33585a2ca3ded3f92167

        SHA512

        d03e001e080567f3c3276727496b1bf4385c1b543c6d08868f53921a613c813570895ddcbfe0e8c0027609a02ff59cb1e63c1a48ec0949de79ef1aad8a202731

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3bff8b771eae2cdd3f35d162af4a6b72

        SHA1

        8fe9aa169733d00e88e41fe091df470700932b14

        SHA256

        db94f8ce6e0b042044d359d5ee89e9f17299b81a8f1676b2c3ae2e77a048c893

        SHA512

        7043fa6df1edbe8ed9573b31126fbbd206b14d7e388ec3e09127aace52916fee33c1f38fc3f322e5f67b659455f479cadc918c6beb23e692abd98ae2f48eadca

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        1bb38b76c5132f2679f0126706629e2a

        SHA1

        21008d64144f1432f689d70845acfbb188c22970

        SHA256

        60d6a761e277bb144420212c571eed1aed9e4889b7c5853168d378887691a2f9

        SHA512

        10bea71c7eb5043662450168473406ed14261fcbccd2701737007dbe88ed994eee5d837b30e81e15152f868f411df5124a658801892fde2a4711fe305a9c2111

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        74edda6fd1fd6e214101896acd33898f

        SHA1

        8b10fe112b1aeddb244b32a05d38584f2fe709dc

        SHA256

        f4fb4e88cefcc552b1dfa027467f3097c24fc0f0c887784b83d176c1cccc471e

        SHA512

        6e991352b913d309e7f04329302d82907c41c6454329f5601cd1159ef992e146524766a94f4b19c370387771342d2d9c3f0c8d7462f1d5e46921604fad756e47

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        cfd6ccea6227fbb0ebde74b076e19cd6

        SHA1

        c1beab81685dc0e620de30e3a0c7687707a78089

        SHA256

        d1ad20d6b39e561849f6c0491e23823d4fe88335c4044011ee7dcd1b6da3aa8c

        SHA512

        d3201999ad33951d00e2c6a9ca11f0c624e99c088545f5acd1b990f9c5afd52dc4c12cef5e3a190f0855fa042fb89beb487f341450986ef658a835946a6dcb82

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a763e1af067d21559890b3c6b57c36e2

        SHA1

        e49c63ea18a744f50734bca2fd3d7873b8381ed2

        SHA256

        498bb166fcebb26b8b1e978db949c1f0d009d463e88242706effd8ac7aab273c

        SHA512

        346d9d7a9999404f8d6a58862d99b2fd9bde57a70d2d8c416df9b0ef4a487f53f9596a012fac6e24a994aa6a5e63d00ec4d08f3905d28ae95e4b50d20986cffe

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\Svchost.exe
        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

      • memory/4264-19-0x0000000001140000-0x0000000001141000-memory.dmp
        Filesize

        4KB

      • memory/4264-18-0x0000000001080000-0x0000000001081000-memory.dmp
        Filesize

        4KB

      • memory/4264-994-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/4264-79-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/4368-6-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

      • memory/4368-17-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/4368-149-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

      • memory/4368-14-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

      • memory/4368-9-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

      • memory/4368-8-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

      • memory/4368-3-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

      • memory/4372-0-0x0000000074C72000-0x0000000074C73000-memory.dmp
        Filesize

        4KB

      • memory/4372-10-0x0000000074C70000-0x0000000075221000-memory.dmp
        Filesize

        5.7MB

      • memory/4372-2-0x0000000074C70000-0x0000000075221000-memory.dmp
        Filesize

        5.7MB

      • memory/4372-1-0x0000000074C70000-0x0000000075221000-memory.dmp
        Filesize

        5.7MB

      • memory/4472-1448-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

      • memory/4472-150-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB