Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-06-2024 04:48

General

  • Target

    01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe

  • Size

    304KB

  • MD5

    01559a3880b976ffbc703ed70949f2d2

  • SHA1

    d52245e0a05faaedad8cb5413e17fe5d2f1b9ee5

  • SHA256

    0403e90716cf3657a6ecdd798f9ef1b7e7cbff91901d692ec8affd3ebbc67206

  • SHA512

    ee86c6b109319ef6fcd665f7f65cfcccf7e83ca306cc8d8fc6dd848f59cc367f840d1de388ce1f57a068705f944f8438001d671e4f925a199d6075f821e617cb

  • SSDEEP

    6144:uBozIRslRTksH8mGfVEJ4W4sV4rgjL4/QHwJRQwn5j9KqX6nQ+Tac:bzrlJDH8Jf6r4s+rEMoQJRQw5j9T6R

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

ami,c:/ cws adbox 98.92.71.171,us dos-ms ip watch my hacker comunauter

C2

windows1212.no-ip.biz:81

Mutex

Windows Firewall

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft Corporation

  • install_file

    Windows Update.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    Inisial System Operation

  • regkey_hklm

    Microsoft Actualisation

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:228
        • C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4708
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:2072
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Deletes itself
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            PID:5000
            • C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe
              "C:\Windows\system32\Microsoft Corporation\Windows Update.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:2952
              • C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe
                "C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe"
                6⤵
                • Executes dropped EXE
                PID:1604
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 564
                  7⤵
                  • Program crash
                  PID:3972
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1604 -ip 1604
      1⤵
        PID:4680

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Boot or Logon Autostart Execution (3) T1547
    Registry Run Keys / Startup Folder (2) T1547.001
    Active Setup (1) T1547.014
  • Privilege Escalation
    Boot or Logon Autostart Execution (3) T1547
    Registry Run Keys / Startup Folder (2) T1547.001
    Active Setup (1) T1547.014
  • Defense Evasion
    Modify Registry (3) T1112


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        230KB

        MD5

        7f7eb51b27ebb721dccdc2cda543b550

        SHA1

        79984900bf5aa061fcb696c6ef62d6aec403a85a

        SHA256

        0339ee24ab0b4108f2ba59ab2dbf6b134bb4c0256363b81b0876352fb06d58e7

        SHA512

        c8f549d295997a4f6fca4f46755ce2869efc33480811c99d2157904dd88ab85cf0901c52b674d90f3b3b6845ed47c594b8d885f70500b280f219aa4d9e40c9f1

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        9084b818f5b9eeba95ef1c4ddf62c5ff

        SHA1

        fbc7df4eb7401d7b94661b209d020007dbf8b725

        SHA256

        0ff058d33fcf73ac3048ab69b7298dccfd1270af03f4698546f47fd0a9134d98

        SHA512

        2598b665ceb0a716d21d036417a1c2c6f298a302f14ec35a7d0619a819264f24760ba6120eca7a5934d4d4c84461a603d74acd2baba1a36259cb5bd2a3d7469a

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        c99e4643f4c74a00aac44912412d245f

        SHA1

        47f99969a95c3cd93d977c28be3c0f2dcd1563e0

        SHA256

        90c4c395d4db89e7243e34534f6f7b0f2e688300c4829860ce19e0e4dac46eb1

        SHA512

        1007e9258ee981f36810453b29937c14b709ae88f4b2da9fe2f3cf92d08c057d78fa6c6c9b8ab2e065a070d69248ed6eb03d4b8eb2d9e4b12acb1f708d6a13c6

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        e157191c4dfb6235ff567f050e6c3834

        SHA1

        6d0dd6fc573115375de942e0c50739c22c805f3e

        SHA256

        1295e466df26da4c62713777134e6af75f51aa8a520e7c6ba8886a955c419e8a

        SHA512

        e2104f3ef741734eeb150e447ef710474fed49b6c2bddcd31929b92794b625717f90747279d7066e76e854dfbdf87e4ca0abb750769ebfd8082349742af31bc6

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        d00f1fc2655a11fe819a9b1e16f29e95

        SHA1

        7670c92c87c929f7b9af5e274fe40132b226194c

        SHA256

        9ce02c8ddeaf830aa32594d24400fa9dc20c0d71ce9907a73b24a2e44388dd7e

        SHA512

        cdd6c7eb8ba53f655164d94471e971a78690e499940019dfcf2f262ce25671696dec046fd59b32a8001efc963987bc60d68b83caeb846474a012ece8a9cb527d

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        81707723f665b7dd8b9719e887b44f10

        SHA1

        53a68096a25fef9d81123f3e67212ef982d3e929

        SHA256

        17dd3d0af34e191207ce0ae3ceea5d93e8bfb1e638aff1619196c6d421537179

        SHA512

        0d567d6206c4d70522959c664af2126258f9df60bd3153a66fd500ee2f94febd605a5160c09713fd0889e3989dbfe98183be643caaa0eab776a8554ebeeab10c

      • C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe
        Filesize

        304KB

        MD5

        01559a3880b976ffbc703ed70949f2d2

        SHA1

        d52245e0a05faaedad8cb5413e17fe5d2f1b9ee5

        SHA256

        0403e90716cf3657a6ecdd798f9ef1b7e7cbff91901d692ec8affd3ebbc67206

        SHA512

        ee86c6b109319ef6fcd665f7f65cfcccf7e83ca306cc8d8fc6dd848f59cc367f840d1de388ce1f57a068705f944f8438001d671e4f925a199d6075f821e617cb

      • memory/228-0-0x0000000000400000-0x000000000040B000-memory.dmp
        Filesize

        44KB

      • memory/228-6-0x0000000000400000-0x000000000040B000-memory.dmp
        Filesize

        44KB

      • memory/1604-167-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

      • memory/1604-163-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

      • memory/2072-497-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

      • memory/2072-17-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
        Filesize

        4KB

      • memory/2072-77-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

      • memory/2072-16-0x0000000000D30000-0x0000000000D31000-memory.dmp
        Filesize

        4KB

      • memory/2952-164-0x0000000000400000-0x000000000040B000-memory.dmp
        Filesize

        44KB

      • memory/4708-11-0x0000000024010000-0x0000000024072000-memory.dmp
        Filesize

        392KB

      • memory/4708-8-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

      • memory/4708-7-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

      • memory/4708-144-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

      • memory/4708-5-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

      • memory/4708-3-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

      • memory/4708-15-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

      • memory/5000-145-0x00000000240F0000-0x0000000024152000-memory.dmp
        Filesize

        392KB

      • memory/5000-498-0x00000000240F0000-0x0000000024152000-memory.dmp
        Filesize

        392KB