Analysis Overview
SHA256
4fde6df559411dfe162f6ad7224c221beff544795250c07c4664b86613ef1425
Threat Level: Known bad
The file 0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Cybergate family
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Drops startup file
UPX packed file
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-25 02:19
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 02:19
Reported
2024-06-25 02:22
Platform
win7-20240611-en
Max time kernel
147s
Max time network
132s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{267O14J4-MSQB-1GNA-4R72-H5VT7321SPWK}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{267O14J4-MSQB-1GNA-4R72-H5VT7321SPWK} | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe"
Network
Files
memory/2360-19-0x0000000000350000-0x0000000000351000-memory.dmp
memory/2360-13-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2360-7-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2456-6-0x0000000010490000-0x0000000010502000-memory.dmp
memory/2456-2-0x0000000010410000-0x0000000010482000-memory.dmp
memory/2360-295-0x0000000010490000-0x0000000010502000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | eb00ef56b405e04c96e43348b3459fcf |
| SHA1 | 63ef119a1dbad8b13591e27cf5b31904bc57a54c |
| SHA256 | cdf33e5eadcb94f64679d629979c4aa51d3c64bb642921e9bb95771f90c935d0 |
| SHA512 | 489c8d0d99e7237cebdf58b743360298fffdeb14101900ed731b9a6f31b2076125dd5f161ed9d51a23220e2119ae77f61d9970ddb92816c4b79f35f287354fc7 |
\??\c:\directory\CyberGate\install\server.exe
| MD5 | 0c06368e8fa4a3fa740efada93630c7e |
| SHA1 | b42bbb3b03bd79cf93d630c049bf71471f5ead4d |
| SHA256 | 4fde6df559411dfe162f6ad7224c221beff544795250c07c4664b86613ef1425 |
| SHA512 | 42115de1771197d9ca5f7142a0a67dc6daf5893081819e7c3072cc052d57b7410750a5e34cb56d84359725055942983a55e8e7f55baf7aff1d89053df519af25 |
memory/2360-307-0x0000000010490000-0x0000000010502000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 02:19
Reported
2024-06-25 02:22
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
51s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{267O14J4-MSQB-1GNA-4R72-H5VT7321SPWK}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{267O14J4-MSQB-1GNA-4R72-H5VT7321SPWK} | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c06368e8fa4a3fa740efada93630c7e_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/3292-2-0x0000000010410000-0x0000000010482000-memory.dmp
memory/2968-8-0x00000000005B0000-0x00000000005B1000-memory.dmp
memory/2968-7-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/3292-6-0x0000000010490000-0x0000000010502000-memory.dmp
memory/3292-3-0x0000000010410000-0x0000000010482000-memory.dmp
memory/3292-63-0x0000000010490000-0x0000000010502000-memory.dmp
memory/2968-68-0x0000000010490000-0x0000000010502000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | eb00ef56b405e04c96e43348b3459fcf |
| SHA1 | 63ef119a1dbad8b13591e27cf5b31904bc57a54c |
| SHA256 | cdf33e5eadcb94f64679d629979c4aa51d3c64bb642921e9bb95771f90c935d0 |
| SHA512 | 489c8d0d99e7237cebdf58b743360298fffdeb14101900ed731b9a6f31b2076125dd5f161ed9d51a23220e2119ae77f61d9970ddb92816c4b79f35f287354fc7 |
\??\c:\directory\CyberGate\install\server.exe
| MD5 | 0c06368e8fa4a3fa740efada93630c7e |
| SHA1 | b42bbb3b03bd79cf93d630c049bf71471f5ead4d |
| SHA256 | 4fde6df559411dfe162f6ad7224c221beff544795250c07c4664b86613ef1425 |
| SHA512 | 42115de1771197d9ca5f7142a0a67dc6daf5893081819e7c3072cc052d57b7410750a5e34cb56d84359725055942983a55e8e7f55baf7aff1d89053df519af25 |
memory/2968-80-0x0000000010490000-0x0000000010502000-memory.dmp