Analysis Overview
SHA256
c5030fafcf1a7f0e3a4de3b407b06327ecc2381661ee0e07d6d1db39134e1bf3
Threat Level: Known bad
The file 0e60698419d484cff5da21a5355d9cc0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cybergate family
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
UPX packed file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-25 14:14
Signatures
Cybergate family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 14:14
Reported
2024-06-25 14:16
Platform
win7-20231129-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe"
Network
Files
memory/1676-0-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1676-3-0x0000000000400000-0x0000000000456000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 14:14
Reported
2024-06-25 14:16
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
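The two detonations above record the same persistence pattern: the dropped `C:\install\server.exe` is registered under the classic Run keys (HKLM and HKCU, via `Wow6432Node` on 64-bit), under the `Policies\Explorer\Run` keys, and as an Active Setup `StubPath` with a `Restart` argument. The following is an added example, not part of the sandbox report or of any analysis tool: a small Python triage helper that consumes registry "Set value (str)" indicators in exactly the format the tables print, normalises the `\REGISTRY\MACHINE` / `\REGISTRY\USER\<SID>` prefixes and `Wow6432Node`, and maps each hit to the ATT&CK sub-technique it belongs to (the IDs T1547.001 and T1547.014 are taken from ATT&CK and are not printed on this page). The sample event list is copied from the behavioral1 tables, plus one constructed benign line that must not fire. The GUID check is worth keeping: the Active Setup component name in the report, `{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}`, contains non-hex characters and is not a well-formed GUID, which is a cheap, high-signal indicator on its own.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the "Set value (str)" indicators from the behavioral1 tables,
# as the sandbox prints them (data is quoted, backslashes escaped), plus one benign
# Uninstall entry that must not be flagged.
SAMPLE_EVENTS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe"',
    r'\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe Restart"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe"',
    r'\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp\DisplayName = "Example App"',  # constructed control
]

@dataclass
class Finding:
    technique: str            # ATT&CK sub-technique ID (assumed mapping, see lead-in)
    hive: str                 # HKLM or HKCU after normalisation
    key: str                  # key path below the hive, Wow6432Node removed
    value_name: str
    image: str                # executable the autostart entry points at
    args: str                 # trailing arguments, e.g. "Restart" for the StubPath
    notes: list = field(default_factory=list)

# Per-user SID of the form S-1-5-21-<d>-<d>-<d>-<rid>; other \REGISTRY\USER subkeys are ignored.
SID_RE = re.compile(r'^S-1-5-21(?:-\d+){4}$', re.I)
GUID_RE = re.compile(r'^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$', re.I)

# (regex on the normalised key, required value name or None, technique, label)
RULES = [
    (re.compile(r'^Software\\Microsoft\\Windows\\CurrentVersion\\Run$', re.I), None, 'T1547.001', 'Run key'),
    (re.compile(r'^Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$', re.I), None, 'T1547.001', 'Policies\\Explorer\\Run key'),
    (re.compile(r'^Software\\Microsoft\\Active Setup\\Installed Components\\(\{[^\\]+\})$', re.I), 'StubPath', 'T1547.014', 'Active Setup StubPath'),
]

def parse_event(line):
    """Split '<key>\\<value> = "<data>"' into (full_key, value_name, data); None if not that shape."""
    lhs, sep, rhs = line.partition(' = ')
    if not sep:
        return None
    key, _, value_name = lhs.rpartition('\\')
    data = rhs.strip().strip('"').replace('\\\\', '\\')  # undo the sandbox's backslash escaping
    return key, value_name, data

def normalise_key(full_key):
    """Map \\REGISTRY\\MACHINE -> HKLM and \\REGISTRY\\USER\\<user SID> -> HKCU; drop Wow6432Node."""
    parts = full_key.lstrip('\\').split('\\')
    if len(parts) < 2 or parts[0].upper() != 'REGISTRY':
        return None, None
    if parts[1].upper() == 'MACHINE':
        hive, rest = 'HKLM', parts[2:]
    elif parts[1].upper() == 'USER' and len(parts) > 2 and SID_RE.match(parts[2]):
        hive, rest = 'HKCU', parts[3:]
    else:
        return None, None
    return hive, '\\'.join(p for p in rest if p.lower() != 'wow6432node')

def split_command(data):
    """Separate the image path from its arguments. A leading quoted path is honoured;
    an unquoted path that itself contains spaces is not handled (none occur in this report)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    image, _, args = data.partition(' ')
    return image, args

def triage(events):
    """Return one Finding per registry write that lands in a known autostart location."""
    findings = []
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue
        full_key, value_name, data = parsed
        hive, key = normalise_key(full_key)
        if hive is None:
            continue
        for key_re, wanted_value, technique, label in RULES:
            m = key_re.match(key)
            if not m or (wanted_value and value_name.lower() != wanted_value.lower()):
                continue
            image, args = split_command(data)
            f = Finding(technique, hive, key, value_name, image, args, [label])
            if technique == 'T1547.014':
                guid = m.group(1)
                if not GUID_RE.match(guid):
                    f.notes.append(f'component name {guid} is not a well-formed GUID')
                if args:
                    f.notes.append(f'StubPath runs the image with argument {args!r}')
            findings.append(f)
    return findings

def autostart_images(findings):
    """Distinct executables that will be launched at boot/logon, lower-cased for comparison."""
    return sorted({f.image.lower() for f in findings})

if __name__ == '__main__':
    for f in triage(SAMPLE_EVENTS):
        print(f'{f.technique} {f.hive}\\{f.key}\\{f.value_name} -> {f.image} {f.args} | {"; ".join(f.notes)}')
    print('autostart images:', autostart_images(SAMPLE_EVENTS and triage(SAMPLE_EVENTS)))
```

Run against the five indicators above it yields five findings pointing at a single image, `c:\install\server.exe`, present in both hives; the benign Uninstall line produces nothing. On a live host the same `triage` function can be fed registry write events from Sysmon (Event ID 13) or from an EDR once the key path and data are extracted into the same `key\value = "data"` shape.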
Processes
C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e60698419d484cff5da21a5355d9cc0_JaffaCakes118.exe"
Network
Files
memory/4464-0-0x0000000000400000-0x0000000000456000-memory.dmp
memory/4464-3-0x0000000000400000-0x0000000000456000-memory.dmp