Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 03:21
Static task: static1
Behavioral task: behavioral1
  Sample: 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe
Size: 304KB
MD5: 010eed353174269e5671afbc7a18210b
SHA1: d77a920d0fedf7a974cbcc367094b95d2942d7f0
SHA256: 5bc30db63db6b4957befabc80f89f1f253e681f3d87179fa2c3efd2199fe02c8
SHA512: ab41a4112e37e328822d9e06f18bc253c79cb4d8a35f285d768f2be5fde82ba544a9b0fbc87e97e3462739a313cefb6d02913718919bd054f0c42569dd608aa0
SSDEEP: 6144:s6ioEQqmNE3YGV7gFaT6t/9kxIaLh48V/77HabJl1bVM0UD:ObPCrGZgkT6t/OIKhP/ncl1pM0U
Malware Config
Extracted
cybergate v1.02.0
cyber
e79.no-ip.info:82
Y31C1I0JKF8BV8
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: csrss.exe
install_dir: dashboard
install_file: 2.0.14699.0.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | file1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" | file1.exe
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | file1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" | file1.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH} | file1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH}\StubPath = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe Restart" | file1.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH}\StubPath = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" | explorer.exe
Executes dropped EXE 3 IoCs
Processes:
pid | process
1664 | file1.exe
2336 | file1.exe
2052 | 2.0.14699.0.exe
Loads dropped DLL 5 IoCs
Processes:
pid | process
492 | 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe
492 | 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe
1664 | file1.exe
2336 | file1.exe
2336 | file1.exe
Processes:
resource | yara_rule
behavioral1/memory/1664-17-0x0000000024010000-0x000000002406F000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" | file1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" | file1.exe
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe | file1.exe
File opened for modification | C:\Windows\SysWOW64\dashboard\ | file1.exe
File created | C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe | file1.exe
File opened for modification | C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe | file1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
1664 | file1.exe
1664 | file1.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2336 | file1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2336 | file1.exe
Token: SeDebugPrivilege | 2336 | file1.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1664 | file1.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 492 wrote to memory of 1664 | 492 | 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe | file1.exe (4 entries)
PID 1664 wrote to memory of 1188 | 1664 | file1.exe | Explorer.EXE (the remaining entries of the 64, all identical)
Processes
- C:\Windows\Explorer.EXE (depth 1; command line: C:\Windows\Explorer.EXE)
  - C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe (depth 2; command line: "C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe")
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\file1.exe (depth 3; command line: "C:\Users\Admin\AppData\Local\Temp\file1.exe")
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (depth 4; command line: explorer.exe)
        - Boot or Logon Autostart Execution: Active Setup
      - C:\Users\Admin\AppData\Local\Temp\file1.exe (depth 4; command line: "C:\Users\Admin\AppData\Local\Temp\file1.exe")
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe (depth 5; command line: "C:\Windows\system32\dashboard\2.0.14699.0.exe")
          - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads