Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-06-2024 04:48

General

  • Target

    01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe

  • Size

    304KB

  • MD5

    01559a3880b976ffbc703ed70949f2d2

  • SHA1

    d52245e0a05faaedad8cb5413e17fe5d2f1b9ee5

  • SHA256

    0403e90716cf3657a6ecdd798f9ef1b7e7cbff91901d692ec8affd3ebbc67206

  • SHA512

    ee86c6b109319ef6fcd665f7f65cfcccf7e83ca306cc8d8fc6dd848f59cc367f840d1de388ce1f57a068705f944f8438001d671e4f925a199d6075f821e617cb

  • SSDEEP

    6144:uBozIRslRTksH8mGfVEJ4W4sV4rgjL4/QHwJRQwn5j9KqX6nQ+Tac:bzrlJDH8Jf6r4s+rEMoQJRQw5j9T6R

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

ami,c:/ cws adbox 98.92.71.171,us dos-ms ip watch my hacker comunauter

C2

windows1212.no-ip.biz:81

Mutex

Windows Firewall

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft Corporation

  • install_file

    Windows Update.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    Inisial System Operation

  • regkey_hklm

    Microsoft Actualisation

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1276
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:776
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Deletes itself
            • Loads dropped DLL
            • Drops desktop.ini file(s)
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1672
            • C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe
              "C:\Windows\system32\Microsoft Corporation\Windows Update.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:324
              • C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe
                "C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:1828
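The extracted config and the process tree above give everything needed to hunt for this CyberGate build on other hosts: the Run-key value names ("Inisial System Operation", "Microsoft Actualisation"), the dropped payload path under SysWOW64\Microsoft Corporation, the Active Setup entry, the self-relaunch and explorer.exe injection done with WriteProcessMemory/SetThreadContext, and the dynamic-DNS C2 windows1212.no-ip.biz:81. The following is an added example, not part of the sandbox report or the Triage signature set: a small hunt routine run over constructed Sysmon-style event records. The full registry key paths (HKCU/HKLM ...\CurrentVersion\Run, ...\Policies\Explorer\Run, ...\Active Setup\Installed Components\{GUID}\StubPath) are assumed from the signature names, the report only gives the value names; the Active Setup GUID is sample-specific and matched with a wildcard; PIDs in the sample events follow the tree above but the events themselves are made up.

```python
"""Hunt for the CyberGate host artifacts this report lists, over constructed
Sysmon-style event records. Added example: the events below are made up to
exercise the logic; they are not the sandbox's own telemetry."""
import re
from dataclasses import dataclass

# Indicators taken from the extracted config and the process tree above
C2 = ("windows1212.no-ip.biz", 81)
INSTALL_PATH = r"C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe"
RUN_VALUE_NAMES = {"Inisial System Operation", "Microsoft Actualisation"}
INJECT_TARGET = "explorer.exe"
HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}

# Registry locations behind the "Adds Run key", "Adds policy Run key" and
# "Active Setup" signatures. The full key paths are assumed (the report names
# only the value names); the Active Setup GUID subkey is sample-specific.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?P<policy>Policies\\Explorer\\)?Run\\(?P<name>[^\\]+)$",
    re.IGNORECASE)
ACTIVE_SETUP_RE = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\\{[0-9A-Fa-f-]+\}\\StubPath$",
    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK ID, or "C2" for the network hit
    pid: int
    detail: str


def norm_path(p: str) -> str:
    # Case-insensitive compare; a 32-bit process names System32 but WOW64
    # redirects it to SysWOW64 (the report shows the dropped file under both).
    return p.lower().replace("\\system32\\", "\\syswow64\\")


def hunt(events):
    """Return one Finding per matched indicator; events are dicts with a 'type' key."""
    findings = []
    images = {}  # pid -> normalised image path, learned from process_create events
    for e in events:
        t = e["type"]
        if t == "process_create":
            images[e["pid"]] = norm_path(e["image"])
            if images[e["pid"]] == norm_path(INSTALL_PATH):
                findings.append(Finding("T1036.005", e["pid"], "payload masquerading as Windows Update.exe"))
        elif t == "registry_set":
            m = RUN_KEY_RE.search(e["target"])
            same_payload = norm_path(e["details"]) == norm_path(INSTALL_PATH)
            if m and (m.group("name") in RUN_VALUE_NAMES or same_payload):
                findings.append(Finding("T1547.001", e["pid"], f"Run value {m.group('name')!r} -> {e['details']}"))
            elif same_payload and ACTIVE_SETUP_RE.search(e["target"]):
                findings.append(Finding("T1547.014", e["pid"], f"Active Setup StubPath -> {e['details']}"))
        elif t == "file_create" and norm_path(e["target"]) == norm_path(INSTALL_PATH):
            findings.append(Finding("T1036.005", e["pid"], f"wrote {e['target']}"))
        elif t == "api" and e["api"] in HOLLOWING_APIS and e["target_pid"] != e["pid"]:
            tgt, src = images.get(e["target_pid"], ""), images.get(e["pid"], "")
            # Hollowing pattern from the tree: relaunch of the same image, or
            # a freshly spawned explorer.exe, written to by its parent
            if tgt and (tgt == src or tgt.endswith("\\" + INJECT_TARGET)):
                findings.append(Finding("T1055.012", e["pid"], f"{e['api']} into pid {e['target_pid']} ({tgt})"))
        elif t == "network_connect" and (e["host"].lower(), e["port"]) == C2:
            findings.append(Finding("C2", e["pid"], f"connect {e['host']}:{e['port']}"))
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe"
PAYLOAD_AS_SEEN_BY_WOW64 = r"C:\Windows\system32\Microsoft Corporation\Windows Update.exe"
SAMPLE_EVENTS = [  # constructed; PIDs follow the process tree, the records do not
    {"type": "process_create", "pid": 2972, "ppid": 1208, "image": DROPPER},
    {"type": "process_create", "pid": 1276, "ppid": 2972, "image": DROPPER},
    {"type": "api", "pid": 2972, "target_pid": 1276, "api": "WriteProcessMemory"},
    {"type": "api", "pid": 2972, "target_pid": 1276, "api": "SetThreadContext"},
    {"type": "registry_set", "pid": 1276, "details": PAYLOAD_AS_SEEN_BY_WOW64,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Inisial System Operation"},
    {"type": "registry_set", "pid": 1276, "details": PAYLOAD_AS_SEEN_BY_WOW64,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Actualisation"},
    {"type": "registry_set", "pid": 1276, "details": PAYLOAD_AS_SEEN_BY_WOW64,
     "target": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath"},
    {"type": "process_create", "pid": 1672, "ppid": 1276, "image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"type": "api", "pid": 1276, "target_pid": 1672, "api": "WriteProcessMemory"},
    {"type": "file_create", "pid": 1672, "target": INSTALL_PATH},
    {"type": "network_connect", "pid": 1672, "host": "windows1212.no-ip.biz", "port": 81},
    # benign noise that must not match
    {"type": "registry_set", "pid": 500, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "api", "pid": 1208, "target_pid": 1208, "api": "WriteProcessMemory"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique:10} pid {f.pid:<5} {f.detail}")
```

Two practical points are built into the matcher: the install path is compared after normalising System32 to SysWOW64, because the 32-bit implant launches the payload via the System32 name while the file actually lands in SysWOW64 (compare the two spellings at level 5 of the tree), and a Run value is flagged either by the config's value names or by its data pointing at the payload, so a rebuilt sample with different value names but the same install_dir/install_file still trips it.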

Network

MITRE ATT&CK Matrix ATT&CK v13

  Tactic                Technique                             Hits  ID
  Persistence           Boot or Logon Autostart Execution     3     T1547
                        Registry Run Keys / Startup Folder    2     T1547.001
                        Active Setup                          1     T1547.014
  Privilege Escalation  Boot or Logon Autostart Execution     3     T1547
                        Registry Run Keys / Startup Folder    2     T1547.001
                        Active Setup                          1     T1547.014
  Defense Evasion       Modify Registry                       3     T1112


Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      230KB

      MD5

      7f7eb51b27ebb721dccdc2cda543b550

      SHA1

      79984900bf5aa061fcb696c6ef62d6aec403a85a

      SHA256

      0339ee24ab0b4108f2ba59ab2dbf6b134bb4c0256363b81b0876352fb06d58e7

      SHA512

      c8f549d295997a4f6fca4f46755ce2869efc33480811c99d2157904dd88ab85cf0901c52b674d90f3b3b6845ed47c594b8d885f70500b280f219aa4d9e40c9f1

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      c99e4643f4c74a00aac44912412d245f

      SHA1

      47f99969a95c3cd93d977c28be3c0f2dcd1563e0

      SHA256

      90c4c395d4db89e7243e34534f6f7b0f2e688300c4829860ce19e0e4dac46eb1

      SHA512

      1007e9258ee981f36810453b29937c14b709ae88f4b2da9fe2f3cf92d08c057d78fa6c6c9b8ab2e065a070d69248ed6eb03d4b8eb2d9e4b12acb1f708d6a13c6

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      9084b818f5b9eeba95ef1c4ddf62c5ff

      SHA1

      fbc7df4eb7401d7b94661b209d020007dbf8b725

      SHA256

      0ff058d33fcf73ac3048ab69b7298dccfd1270af03f4698546f47fd0a9134d98

      SHA512

      2598b665ceb0a716d21d036417a1c2c6f298a302f14ec35a7d0619a819264f24760ba6120eca7a5934d4d4c84461a603d74acd2baba1a36259cb5bd2a3d7469a

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      e157191c4dfb6235ff567f050e6c3834

      SHA1

      6d0dd6fc573115375de942e0c50739c22c805f3e

      SHA256

      1295e466df26da4c62713777134e6af75f51aa8a520e7c6ba8886a955c419e8a

      SHA512

      e2104f3ef741734eeb150e447ef710474fed49b6c2bddcd31929b92794b625717f90747279d7066e76e854dfbdf87e4ca0abb750769ebfd8082349742af31bc6

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      81707723f665b7dd8b9719e887b44f10

      SHA1

      53a68096a25fef9d81123f3e67212ef982d3e929

      SHA256

      17dd3d0af34e191207ce0ae3ceea5d93e8bfb1e638aff1619196c6d421537179

      SHA512

      0d567d6206c4d70522959c664af2126258f9df60bd3153a66fd500ee2f94febd605a5160c09713fd0889e3989dbfe98183be643caaa0eab776a8554ebeeab10c

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      d00f1fc2655a11fe819a9b1e16f29e95

      SHA1

      7670c92c87c929f7b9af5e274fe40132b226194c

      SHA256

      9ce02c8ddeaf830aa32594d24400fa9dc20c0d71ce9907a73b24a2e44388dd7e

      SHA512

      cdd6c7eb8ba53f655164d94471e971a78690e499940019dfcf2f262ce25671696dec046fd59b32a8001efc963987bc60d68b83caeb846474a012ece8a9cb527d

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      a258a8e36b4caf616341326e7b95a854

      SHA1

      e073f7307909561846efb6ad27b92d378b690453

      SHA256

      01f2c0d519cf6fdbb9891db591cee0b99625e6a582a037f50c75ada58b3754be

      SHA512

      26ea35192fbd0f388d83407778672a9d438cdedfc6f49534e5a956f5d1066e3e3790b0c0c8badbe0fa54b3a3278e0a069df7f5a9841b365b43b4f16d291a7960

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      3e81a406535c290c9911b555cbffbc43

      SHA1

      781541798053c699c7f6aba58420cbf8585d0fcc

      SHA256

      3847ccc45659b12cadb59d4893344764c99735fa7453479aff97c2cea39eca15

      SHA512

      91acfb58919fd66300a2ec0e21590e14e6ebc2f1b73ea52e5cfc6a8acfd0976d7489df64db81d7d65fde2000928dd2384823c8cdc3b99837191f44915acee99d

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      73204860cecb5c0022b8b1b2d1b54212

      SHA1

      25dbff7ae940b8b3b166d23649600a173ad37920

      SHA256

      22ab143ccd9e095a4a7a0849f6d63fff284e1b94d018afc5f0743e4d9fc78f7e

      SHA512

      1f66a2dc5b12b1f30e56ea6bfa2303f83ad8ca860daf5c15e277ef7a10454999ea880e7d8a3632076fb412c87e9e3bf00ca788b67baf8ee64c5ea32d08260c24

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      4295e728a491a01a51b11c952f6d13ca

      SHA1

      b2f5db2e4ac672fe5e4a8d8e6f122f611cab2eed

      SHA256

      830a835cb5b24051a815463067a30933b393f50d0a15b13cbcdf78ef436a5d3d

      SHA512

      7e4bedd5e49a7d59ca7aa388cafce27db69d666a28ffae654d6dd4320673c16fc0c3cae6a9bd209b3da56e9036e202f34b5f8cf9b70ae243bbd9cfc2b0c5c31a

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      933a02388bbadd241dcef856c1cfea0b

      SHA1

      7395e3c1f7c97c1fa32342255345892dc0ace286

      SHA256

      2800cc89ab2142e2b10778ec30be530f2aeff5af1577832a40491e63721ff99e

      SHA512

      ca33b31751b69efa455f7589b2ec9423cf627116e4ee5ebb34b18c02a9b7cba10a66b8514da3048bdfdfd3bd893e39c7a3b7de0bfb68689d1bffa13dd79834c5

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      d09cb909f55cdc4ef12b6b713d5b23ce

      SHA1

      6795b00505050a4d290b645078ec88702f48d90b

      SHA256

      6fb9af5bb1615b410803b13980965128ba63ba0af6c9a349f6e355a92d7c381a

      SHA512

      4f28eed9f1a1e1f8ca2f26d5fbc118be3e2c179f59e09a617af1610d43f348a1eff2901af489ea4d49d8c8cae8ca3c0959736347f6f501e28f714386e2faf297

    • C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe
      Filesize

      304KB

      MD5

      01559a3880b976ffbc703ed70949f2d2

      SHA1

      d52245e0a05faaedad8cb5413e17fe5d2f1b9ee5

      SHA256

      0403e90716cf3657a6ecdd798f9ef1b7e7cbff91901d692ec8affd3ebbc67206

      SHA512

      ee86c6b109319ef6fcd665f7f65cfcccf7e83ca306cc8d8fc6dd848f59cc367f840d1de388ce1f57a068705f944f8438001d671e4f925a199d6075f821e617cb

    • memory/324-885-0x0000000000020000-0x000000000002B000-memory.dmp
      Filesize

      44KB

    • memory/324-902-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

    • memory/324-881-0x0000000000020000-0x000000000002B000-memory.dmp
      Filesize

      44KB

    • memory/776-343-0x0000000000400000-0x0000000000681000-memory.dmp
      Filesize

      2.5MB

    • memory/1208-22-0x0000000002920000-0x0000000002921000-memory.dmp
      Filesize

      4KB

    • memory/1276-17-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1276-4-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1276-865-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1276-21-0x0000000024010000-0x0000000024072000-memory.dmp
      Filesize

      392KB

    • memory/1276-5-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1276-11-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1276-14-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1276-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

    • memory/1276-16-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1276-18-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1276-8-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1276-15-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1672-877-0x0000000003EE0000-0x0000000003EEB000-memory.dmp
      Filesize

      44KB

    • memory/1828-905-0x0000000000020000-0x000000000002B000-memory.dmp
      Filesize

      44KB

    • memory/1828-909-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1828-903-0x0000000000020000-0x000000000002B000-memory.dmp
      Filesize

      44KB

    • memory/1828-904-0x0000000000020000-0x000000000002B000-memory.dmp
      Filesize

      44KB

    • memory/1828-906-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/2972-13-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

    • memory/2972-0-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB