Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-06-2024 03:21

General

  • Target

    010eed353174269e5671afbc7a18210b_JaffaCakes118.exe

  • Size

    304KB

  • MD5

    010eed353174269e5671afbc7a18210b

  • SHA1

    d77a920d0fedf7a974cbcc367094b95d2942d7f0

  • SHA256

    5bc30db63db6b4957befabc80f89f1f253e681f3d87179fa2c3efd2199fe02c8

  • SHA512

    ab41a4112e37e328822d9e06f18bc253c79cb4d8a35f285d768f2be5fde82ba544a9b0fbc87e97e3462739a313cefb6d02913718919bd054f0c42569dd608aa0

  • SSDEEP

    6144:s6ioEQqmNE3YGV7gFaT6t/9kxIaLh48V/77HabJl1bVM0UD:ObPCrGZgkT6t/OIKhP/ncl1pM0U

Malware Config

Signatures

  • CyberGate, Rebhip
    CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (3 IoCs)
  • UPX packed file (3 IoCs)
    Detects executables packed with UPX or a modified build of the UPX open-source packer.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Program crash (1 IoC)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
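
The first three signatures name the registry locations the sample used for persistence: the Run key, the policy Run key (conventionally ...\CurrentVersion\Policies\Explorer\Run) and an Active Setup Installed Components entry. The report does not publish the value names or data that were written, so the following hunt is an added example rather than sandbox output: it parses `reg export` (.reg) text, which is what you pull off a host during triage, and applies location heuristics to the three key families. The exported text is constructed; two entries are benign decoys, three are modelled on the paths in the process tree, and the GUID and value names "updater", "svc" and "placeholder.exe" are placeholders, not indicators from this sample.

```python
"""Hunt the three registry persistence locations this report flags.

Added example, not sandbox output. Parses `reg export` text and flags
Run / policy Run targets in user Temp or in a non-standard System32/SysWOW64
subdirectory, and Active Setup StubPaths outside Windows / Program Files.
"""
import re

# Key families behind the signatures: T1547.001 (Run, policy Run) and T1547.014 (Active Setup).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.I)
POLICY_RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$", re.I)
ACTIVE_SETUP_KEY = re.compile(r"\\Microsoft\\Active Setup\\Installed Components\\", re.I)

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
SYSTEM_SUBDIR = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\([^\\]+)\\", re.I)
KNOWN_SYSTEM_SUBDIRS = {"wbem", "windowspowershell", "spool", "oobe"}  # illustrative; tune per estate
TRUSTED_ROOTS = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)

def parse_reg_export(text):
    """Yield (key, value_name, value_string) for every REG_SZ value in .reg text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line and line.endswith('"'):
            name, _, val = line.partition("=")
            if not val.startswith('"'):
                continue                                  # dword:/hex: values carry no path
            name = "(Default)" if name == "@" else name.strip('"')
            yield key, name, re.sub(r"\\(.)", r"\1", val[1:-1])   # undo .reg escaping of \ and "

def exe_from_command(cmd):
    """Pull the executable path out of a Run / StubPath command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.exe)(\s|$)", cmd, re.I)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")

def suspicious_target(exe):
    if USER_TEMP.search(exe):
        return "target in user Temp"
    m = SYSTEM_SUBDIR.match(exe)
    if m and m.group(2).lower() not in KNOWN_SYSTEM_SUBDIRS:
        return "target in non-standard System32/SysWOW64 subdirectory"
    return None

def hunt(reg_text):
    """Return [(key, value_name, exe, reason)] for persistence entries worth a look."""
    hits = []
    for key, name, val in parse_reg_export(reg_text):
        if RUN_KEY.search(key) or POLICY_RUN_KEY.search(key):
            exe = exe_from_command(val)
            reason = suspicious_target(exe)
        elif ACTIVE_SETUP_KEY.search(key) and name.lower() == "stubpath":
            exe = exe_from_command(val)
            # Legitimate Active Setup stubs live under Windows or Program Files.
            reason = suspicious_target(exe) or (
                None if TRUSTED_ROOTS.match(exe) else "Active Setup stub outside Windows/Program Files")
        else:
            continue
        if reason:
            hits.append((key, name, exe, reason))
    return hits

# Constructed `reg export` output: OneDrive and the Outlook Express stub are benign decoys;
# "updater", "svc", the zero GUID and placeholder.exe are placeholders modelled on the tree.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"updater"="C:\\Users\\Admin\\AppData\\Local\\Temp\\file1.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"svc"="C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
@="Microsoft Outlook Express 6"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:WINNT /user /install"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\Users\\Admin\\AppData\\Roaming\\placeholder.exe"
'''

if __name__ == "__main__":
    for key, name, exe, reason in hunt(SAMPLE_REG):
        print(f"{reason}: [{key}] {name} -> {exe}")
```

Run it against `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run out.reg` (and the HKCU Run and Active Setup keys) from the suspect host. The heuristics are deliberately narrow: the OneDrive decoy lives in a user-writable directory but is not flagged, because "user-writable" alone produces far too many hits; Temp and unexpected System32 subdirectories are what this sample's tree actually shows.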

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3512
      • C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4812
        • C:\Users\Admin\AppData\Local\Temp\file1.exe
          "C:\Users\Admin\AppData\Local\Temp\file1.exe"
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:3092
          • C:\Users\Admin\AppData\Local\Temp\file1.exe
            "C:\Users\Admin\AppData\Local\Temp\file1.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2100
            • C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe
              "C:\Windows\system32\dashboard\2.0.14699.0.exe"
              5⤵
              • Executes dropped EXE
              PID:4060
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 564
                6⤵
                • Program crash
                PID:1856
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4060 -ip 4060
    1⤵
      PID:4520
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4068,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
    1⤵
      PID:528
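
The tree above is the kind of telemetry a Sysmon Event ID 1 or EDR feed produces, and it carries a detail worth keeping: the Active Setup write is credited to explorer.exe (PID 3092), a 32-bit copy spawned from SysWOW64 by the Temp-resident file1.exe (PID 1976), which was itself flagged for WriteProcessMemory. Registry telemetry that only names explorer.exe as the writer would look benign, so rules should key on the parent-child shape. The following is an added example, not part of the report: the PIDs, parents and image paths are encoded as constructed process-creation records (the record layout and the per-process flag set are a simplified stand-in for real telemetry) and three rules derived from the tree are run over them.

```python
"""Detection rules over process-creation events shaped like the tree above.

Added example, not part of the sandbox report. PIDs, parents and images are
copied from the process tree; the ProcEvent record and its flags are a
simplified stand-in for Sysmon Event ID 1 / EDR telemetry.
"""
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int            # 0 = parent not present in the capture
    image: str
    flags: frozenset = field(default_factory=frozenset)   # sandbox behaviour flags

TEMP = r"C:\Users\Admin\AppData\Local\Temp"       # sandbox profile; matched as any user below
EVENTS = [  # constructed from the report's process tree
    ProcEvent(3512, 0,    r"C:\Windows\Explorer.EXE"),
    ProcEvent(4812, 3512, TEMP + r"\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe",
              frozenset({"WriteProcessMemory"})),
    ProcEvent(1976, 4812, TEMP + r"\file1.exe", frozenset({"WriteProcessMemory"})),
    ProcEvent(3092, 1976, r"C:\Windows\SysWOW64\explorer.exe"),
    ProcEvent(2100, 1976, TEMP + r"\file1.exe"),
    ProcEvent(4060, 2100, r"C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe"),
    ProcEvent(1856, 4060, r"C:\Windows\SysWOW64\WerFault.exe"),
    ProcEvent(4520, 0,    r"C:\Windows\SysWOW64\WerFault.exe"),
]

USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
WOW64_EXPLORER = re.compile(r"^[A-Z]:\\Windows\\SysWOW64\\explorer\.exe$", re.I)
SYSTEM_SUBDIR_EXE = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\[^\\]+\\.+\.exe$", re.I)

def ancestors(event, by_pid):
    """Walk parent links upward until the root or a gap in the capture."""
    seen = set()
    cur = by_pid.get(event.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)

def detect(events):
    """Return (rule_name, pid) pairs in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        in_temp = bool(USER_TEMP.match(e.image))
        parent_in_temp = parent is not None and bool(USER_TEMP.match(parent.image))
        # 1. A Temp-resident binary flagged for WriteProcessMemory starts the 32-bit
        #    explorer.exe (file1.exe 1976 -> explorer.exe 3092): a shape consistent with
        #    code being written into a freshly spawned host process.
        if WOW64_EXPLORER.match(e.image) and parent_in_temp and "WriteProcessMemory" in parent.flags:
            hits.append(("temp_exe_spawns_wow64_explorer", parent.pid))
        # 2. A Temp-resident binary re-launches its own image (file1.exe 1976 -> 2100).
        if in_temp and parent_in_temp and e.image.lower() == parent.image.lower():
            hits.append(("temp_exe_respawns_itself", e.pid))
        # 3. An EXE runs from a subdirectory of System32/SysWOW64 and something in its
        #    ancestry came from Temp (2.0.14699.0.exe 4060 <- file1.exe 2100).
        if SYSTEM_SUBDIR_EXE.match(e.image) and any(USER_TEMP.match(a.image) for a in ancestors(e, by_pid)):
            hits.append(("system_subdir_exe_with_temp_ancestor", e.pid))
    return hits

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: PID {pid}")
```

Rule 1 fires on the parent rather than the spawned explorer.exe, because the parent is the process to collect and the child is the one whose later actions (here, the Active Setup write) should be attributed back to it. The submitted sample (PID 4812) also carries WriteProcessMemory but spawns file1.exe, not explorer.exe, so it is correctly not matched by rule 1; rule 3 catches the dashboard binary only because the walk up the tree reaches a Temp-resident ancestor, which keeps the rule quiet for installers that legitimately run from System32 subdirectories.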

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Boot or Logon Autostart Execution (T1547): 3
      Registry Run Keys / Startup Folder (T1547.001): 2
      Active Setup (T1547.014): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 3
      Registry Run Keys / Startup Folder (T1547.001): 2
      Active Setup (T1547.014): 1
  • Defense Evasion
    Modify Registry (T1112): 3
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
    Filesize 219KB
    MD5 f660b1b97987bf6df5b65f73ae5b207d
    SHA1 b7803c5b7354f9ec37234a4bca4a29b99fb09310
    SHA256 56effe538a98d2f6b199eb4b6c8f152934bc6cbff17ddae3835506858a45250a
    SHA512 39e6b93f996d3301c4d957a8fb4bb8c7ae502331680519e7457024f54048c0b03acb81feccffccc30a692106fb335f28002a649685d6bd116868db9a6012156d
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 686f61cb9d5558afe0bca5dd37103847
    SHA1 ef9c71c4364f8a1ab5d4dee87b0e0dbdbb8473a7
    SHA256 3ebc07d6ba03a54f9e2c7661ac1a43cc85835a30f9329db703e3db0e4518e49a
    SHA512 3cff83a9573296ca8c092b6f99f02d4eadb63cdad8a5472f15e512a03a7aa20cfe97dfbdc351398a4d3d9c5bde543c20fd851d52484f73cd36cdb70753b740e0
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 7f8c56649f2568b76bf8b7567857bf5f
    SHA1 2dba119d99a3f2e4d2e2a3a09b69ec0e9ce8a0ca
    SHA256 6bdd57aaa6cc92c7f073bbfe71a8a614c69d1e5b4ca32ad51856bfe888badb63
    SHA512 748c6b3a05b12b23c203dff4277ff3e27b2342649017e242660997b61a242f804fb3c159f408d8802ecc1415db26b79999e70e19ad0e2c2c3a887429206b044d
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 cf9de356f990d34476c04dee62743bfd
    SHA1 bca83fcc7bb39ed5481e1c40d0eea637c40c438b
    SHA256 b08dd4d310119b97183a650258d5b3a9a336625d84570110cf1b815f2adc34cd
    SHA512 d9e28d2e6c3e743cc46de1b65737886d9f99016f38b754862c8c057c17d39e798d959b926484baf9f86cc96a53d3276ebb9e217d856846daeb5f2cc7929320db
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 f79c99a30e8ed2560b17345ab6140953
    SHA1 01faef56001839dcf7416998206303838694c7a6
    SHA256 944c34552e2d2e4d20473e89e2e885ab9c45fbb5a7ca99222d2a886ba27bc8d3
    SHA512 5580fb90c8eb50ce7bb81543d17af27d925c31679075b927b937480dc05e22d84ea81c3d6b3a798e6de3fc9cbe69532e980e16806abc00b616c1c1c8084595d6
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 fb43b1a720555e6977aaab5c78c0b018
    SHA1 17f5f0db59020d6b07d509f641bdd952a6da7261
    SHA256 1893547dad8f07fbc8462538d93b4b4b09131891e19bbd5d0371858128d04dc5
    SHA512 6a48cf1538f3c7e49f8a7b2b9a86b4faebd8ef37d65f726e7b11e349b3ec10ec2800610f938bffb7786d0e63a492969a2908d4a370d594d076370d3e61b830cf
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 942b579d51ed5fb7d28659e716bb02b0
    SHA1 411a0a57c865525540c3225a8d8dd7096bafb231
    SHA256 54444326882a9ecde6e2312190e1c825ae9fb9e370af59dc0db386a5fb89fe3f
    SHA512 fc08ca9a612fbecf58228c678eecb81a752dabb507b2afb864842dc9a37416ff6c94920d82c55d72953f021470597b6aef12f626730da58a3c32ce4770615495
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 ba74b92b6c84aca6f6afe41c73890c59
    SHA1 a5780ff3cf2fac790a8c3b49626a60a0d825a013
    SHA256 4affbdadc074644cfcbc8c12985eb9bf91781238b0c0a3b104d11f167bdd1cd8
    SHA512 bf45f47633b4cacba37db3cb79227bbeac50d919d2f2a0ffc53703c8e65db293bd515bda73b96e6abe74fc70766a72740f035e205f97ee4852745280028e3843
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 6520286ac73c78088e631be748003784
    SHA1 9eec3bdb175828e9d9f13525fe801e4211fec691
    SHA256 09212c15b3fc5871fdace3b1522cd3c96e0455d9943fd56ebaf106fdd45e4fb6
    SHA512 81d7943d6f9e2131a124676fed104970173649baaa20f1f9b9f741aaecede2381894a3aa3b7a9e41bb6d05a551d0cd42dd05b18fc8ab3dac8bdb9adfa5f79c4d
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 f79cc3a7573ae25f1e458da555b922ba
    SHA1 9ab9379ba99fd7442db17e912d50c630e12d82ab
    SHA256 780480a8412e2bf1558d97ff759cb43371262e8ea057bec6bcb3118763bad18f
    SHA512 5baa8580281faf1aaac237acf17df335741e67c6b7456f70d84af96dfc8d41fee8f3441f189687a8ebb67d78a54fae0d9ffb69868b51f777d6e84614522cc54f
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 6ab184769ef96baebcf4e621689493ad
    SHA1 bcae751a2c89abd852d3098d7633a24f986ecab3
    SHA256 d28c3b08d139566d61754f2022d289b6e217ab45f141cb437ca87a8457effcf6
    SHA512 e44b25fbf8d9c40283489163da5f357ace3bdf01cc03edc8feee75a9ccc62902adf935a0a1fb04eba92a315135c1b402c1652b24c433cdbad9e65294074fe8df
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 9900e1dd399cfb024ca19f9ad43f23ac
    SHA1 b98b70a308ceaf9c2521560953e0d513ade016ed
    SHA256 77165c060598db35e756919a8e7bdb8c5ce708ea18849d896a15dbbd60710e95
    SHA512 7416d20aff33252021b1064904b342b7c3cedd714586ba3d14855192d391dd94b153686a706f9d0127e602f7626dff176b70add618d7544c65359062fc1c9de2
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 28db5a56e5396275a238d39130934c75
    SHA1 541a40e9228df2fb8bcf875d0751a7a28eb9f246
    SHA256 356f14a115db1e971fb779aa31d1c1face19fe72e23a5b108c25fce3ef1572ab
    SHA512 d5d9b26857e0876647e2e976897d44fda2266c24a7d61c5a46afe089e7206198ddb60e63ab4082f7dc567273cb3e6cd587f020480424bb9ce7b0b3e07841102d
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 f3875a8a14e755a2580803600ff2ed95
    SHA1 30717780bc90105cec55d8e3ff975736ee50d513
    SHA256 701357b5db8dc42e5f753f9c7b9ae2e33963d4491235587fd4bcb41b6bb7dbef
    SHA512 c69733635521416170711b0abc21e01875f30e81643cabe47c6ed9ee1e813b5b03d40c7391707f359ac4aae22081977db04fee1770817aa533f849ec53c471a2
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 988a0bed8f8723f423529f20202a5aef
    SHA1 4c2cfbf36a6241501f7775061d874bf06c36787d
    SHA256 70a9a4e5bd0ab1d7a0fe2ef04b8a92ee45b15baf19d6e2b74afe6f6a5960ba72
    SHA512 4739b7dc27edbf08ab0d355e6280d36cd15660c57d3124501c42edc54bd39da3cd2f92a3ad289da866adcbdb677a8337f8c18b33e0f8fbbadf2a1932567b0d37
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 23bcf26e7e4e9f3b1d5eadfde1fda594
    SHA1 a8871182f943fc86732109d8762d047f9113d3f7
    SHA256 0f17af9ceda081ab1e719a163f0496995db9bd19622b7e65c324d49ffc79d3d3
    SHA512 701b0c37732739e97b11155c48eed29b60652a632852c093639504da98a784420e0864009f090ea4669cb5130dd1a487efd49c111b7cb53db14af37a2a39d3c0
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 69d433d37a8795bbf0aba308ca72e04e
    SHA1 bc3be8c11eca640a11bdbf94c5acbba8a219d5f7
    SHA256 3d91b4bb1d7b7a527f0035c9a421967876740792cfe9b183960e5a79585bd677
    SHA512 d86804648b504911515fa48f2e54e9f160fc972b24843a44771daffd7350e329983067d91a98e01cf292406a18746659902d9b9292886f638956e1ead726c2f1
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 dbf475eb8989ff11d105aaefbfa846f6
    SHA1 a32a3246f92fe9b22f3895fa1ecc1351a158cc0f
    SHA256 c7cd14dc83473469ebd146079ef6639c6a120c416867329f67d2c438ca9bf7d6
    SHA512 9bfd333b57acdf8d771721f437975d893ede5df4effa5c87d562a62bc566565c8bc99e94721dbf6bbd9b17a26727dd7f49c473bbe0fa8dfb60c93206d00a9116
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
    Filesize 8B
    MD5 babfb95ed56c23a785f5fb304b1037e0
    SHA1 29ea78387eb55f4ab639149d4af4531785be416d
    SHA256 04a2b210ea3ec125797239d89624ea83512645ad52647fb533c98607e5fd34c8
    SHA512 b068f2a2e3edd86d09177a68097b624b1536baccad2f96f6b283105acd50fd24484149d93df3fbd7e03a31a384c3f6b9de99f9057915990b06c00effb99a1b58
  • C:\Users\Admin\AppData\Local\Temp\file1.exe
    Filesize 280KB
    MD5 8bcae1ee41d559ccba43a52e2d556264
    SHA1 fa517415422ffe8180a1898dd9693e1d829dd207
    SHA256 188bc912de9ba7a40183e69dfe79c3261cbada4afaeb8ece3b37559f59c49e8e
    SHA512 ba800eef6e781ea95906cae47970b42100d8256210712fce958220bdc62bf566d650202b864b2a528558d88dc4f8e1f3181e0c3a51b3eeff24fe764b4156e751
  • C:\Users\Admin\AppData\Roaming\logs.dat
    Filesize 15B
    MD5 bf3dba41023802cf6d3f8c5fd683a0c7
    SHA1 466530987a347b68ef28faad238d7b50db8656a5
    SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
    SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
  • memory/1976-16-0x0000000024010000-0x000000002406F000-memory.dmp
    Filesize 380KB
  • memory/1976-77-0x0000000024070000-0x00000000240CF000-memory.dmp
    Filesize 380KB
  • memory/1976-19-0x0000000024070000-0x00000000240CF000-memory.dmp
    Filesize 380KB
  • memory/3092-49-0x0000000075460000-0x0000000075A68000-memory.dmp
    Filesize 6.0MB
  • memory/3092-20-0x0000000000E10000-0x0000000000E11000-memory.dmp
    Filesize 4KB
  • memory/3092-21-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
    Filesize 4KB
  • memory/3092-80-0x00000000039C0000-0x00000000039C1000-memory.dmp
    Filesize 4KB
  • memory/3092-84-0x0000000075460000-0x0000000075A68000-memory.dmp
    Filesize 6.0MB
  • memory/4812-0-0x0000000075542000-0x0000000075543000-memory.dmp
    Filesize 4KB
  • memory/4812-12-0x0000000075540000-0x0000000075AF1000-memory.dmp
    Filesize 5.7MB
  • memory/4812-2-0x0000000075540000-0x0000000075AF1000-memory.dmp
    Filesize 5.7MB
  • memory/4812-1-0x0000000075540000-0x0000000075AF1000-memory.dmp
    Filesize 5.7MB
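
The Downloads list is the host-side indicator set, but not all of it is usable the same way. XxX.xXx appears 18 times, always 8 bytes and always with a different digest, and logs.dat is 15 bytes of what is almost certainly host-specific content, so hashing those is pointless; they are better matched on location and size. file1.exe, XX--XX--XX.txt and the submitted sample are the stable artefacts worth a SHA256 match. The sweep below is an added example, not part of the report: the digests are copied from the list above, the name rules encode the dropped paths with the "Admin" profile wildcarded, and the demo() directory tree and its file contents are constructed (the real bytes of the dropped files are not on this page), so the constructed stand-in's own hash is added to the indicator set to exercise the hash path.

```python
"""Host sweep for the file artefacts listed in this report.

Added example, not sandbox output. Hashes come from the Downloads list;
the name/size rules encode the dropped paths. Runs on any OS because the
rules are applied to the path with separators normalised to backslashes.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Stable artefacts worth hash-matching (SHA256 values from the report).
REPORT_SHA256 = {
    "5bc30db63db6b4957befabc80f89f1f253e681f3d87179fa2c3efd2199fe02c8": "010eed353174269e5671afbc7a18210b_JaffaCakes118.exe (submitted sample, 304KB)",
    "188bc912de9ba7a40183e69dfe79c3261cbada4afaeb8ece3b37559f59c49e8e": "file1.exe (dropped, 280KB)",
    "56effe538a98d2f6b199eb4b6c8f152934bc6cbff17ddae3835506858a45250a": "XX--XX--XX.txt (dropped, 219KB)",
}

# Artefacts whose content varies: XxX.xXx was written 18 times with 18 different
# 8-byte contents and logs.dat is 15 bytes of per-host data, so match on where they
# live and how big they are. (pattern, required size or None, label)
NAME_RULES = [
    (re.compile(r"\\AppData\\Local\\Temp\\XxX\.xXx$", re.I), 8, "XxX.xXx marker file (8 bytes)"),
    (re.compile(r"\\AppData\\Roaming\\logs\.dat$", re.I), None, "logs.dat in Roaming"),
    (re.compile(r"\\Windows\\(System32|SysWOW64)\\dashboard\\2\.0\.14699\.0\.exe$", re.I), None,
     "dropped payload under a System32 subdirectory"),
]

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large files do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, hashes=REPORT_SHA256, rules=NAME_RULES, max_hash_size=50 << 20):
    """Return [(path, reason)] for every file under root that matches an indicator."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        win_path = str(p).replace("/", "\\")      # let the Windows-style rules run anywhere
        size = p.stat().st_size
        for pattern, want_size, label in rules:
            if pattern.search(win_path) and (want_size is None or size == want_size):
                hits.append((str(p), label))
        if size <= max_hash_size:                 # the dropped binaries are well under 1 MB
            digest = sha256_file(p)
            if digest in hashes:
                hits.append((str(p), "sha256 match: " + hashes[digest]))
    return hits

def demo():
    """Build a constructed directory tree in a temp dir and sweep it."""
    root = Path(tempfile.mkdtemp())
    temp = root / "Users" / "someone" / "AppData" / "Local" / "Temp"
    temp.mkdir(parents=True)
    (temp / "XxX.xXx").write_bytes(b"\x00" * 8)                  # constructed 8-byte marker
    (temp / "benign.txt").write_bytes(b"not an indicator")
    payload = b"constructed stand-in for a dropped binary"       # real bytes are not on the page
    (temp / "file1.exe").write_bytes(payload)
    hashes = dict(REPORT_SHA256)
    hashes[hashlib.sha256(payload).hexdigest()] = "constructed stand-in"
    return sweep(root, hashes=hashes)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

Point `sweep()` at a mounted image or at C:\Users and C:\Windows on a live host; only the two rule families fire, so a benign file sitting next to the indicators stays silent. The size check on XxX.xXx matters: the name is distinctive, but the 8-byte constraint is what separates the marker this sample writes from a coincidental file of the same name.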