Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 06:00

General

  • Target

    14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe

  • Size

    453KB

  • MD5

    14eb3587ab34bd7b0e4ce4dbea721c4a

  • SHA1

    ae84d44580bab2b4ad071bf0d6e53c6d48a5f52e

  • SHA256

    fc9113fd86ece98b2213489bf817d18ad744166e4f4701db339597998999b31e

  • SHA512

    2564399d7013d89ba612d7285264c6d6ecaaf841a0f135c3fc8310f950516be35e6ca8638ca54b89bdef558d0a2a7edb82e956dbbf8bb1c72722e59f3ec9c25b

  • SSDEEP

    12288:t29eFcZt+yejZfwFLWtF57RAV7udh0ToTFeII8ycicK:omDyoLX6GsoK

Malware Config

Extracted

Family

cybergate

Version

v1.03.0

Botnet

remote

C2

127.0.0.1:999

Mutex

341INKA36V71IF

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1400
      • C:\Users\Admin\AppData\Local\Temp\14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\Users\Admin\AppData\Local\Temp\vbc.exe
          C:\Users\Admin\AppData\Local\Temp\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3000
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2592
            • C:\Users\Admin\AppData\Local\Temp\vbc.exe
              "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2652
              • C:\directory\CyberGate\install\server.exe
                "C:\directory\CyberGate\install\server.exe"
                5⤵
                • Executes dropped EXE
                PID:2636
            • C:\directory\CyberGate\install\server.exe
              "C:\directory\CyberGate\install\server.exe"
              4⤵
              • Executes dropped EXE
              PID:1592

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Execution
        • Scripting (T1064): 1

      Persistence
        • Boot or Logon Autostart Execution (T1547): 3
          • Registry Run Keys / Startup Folder (T1547.001): 2
          • Active Setup (T1547.014): 1

      Privilege Escalation
        • Boot or Logon Autostart Execution (T1547): 3
          • Registry Run Keys / Startup Folder (T1547.001): 2
          • Active Setup (T1547.014): 1

      Defense Evasion
        • Modify Registry (T1112): 3
        • Scripting (T1064): 1

      Discovery
        • System Information Discovery (T1082): 1

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        221KB

        MD5

        38b6990afda72474367f9961de76fda9

        SHA1

        b5b976de8466c71890cbc03dd61ac4f498b8da07

        SHA256

        c842e676d2f3b16eea02868358d822bd00fc9c85b2bef73cf78df622307390c6

        SHA512

        9b92467f71d2d3551198e9b3ec69b123e26b3bbed6e6552d5812535cd20d9e986d777979bf60971bee666a560d4058058fb0d8e04a45f809590e4a307e78fb2d

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        dfa853de1e204696b99fb5c481534dfa

        SHA1

        641b746a0d93c55ad2be664526a09f9ff828ac2b

        SHA256

        f612145ec0c9ee8511e88c69ce06dda17b9db129ef8c53f024138e472f89a5f2

        SHA512

        5f31d48f48fd2d9aea1c5a0fc07091f61dade789aa843d5d9abdafcd9fec8986d17c59f34c2ab4c0b9cc8ce2bbabc22d666a9c6203e7f9ac9631683b15b32508

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        4062df860f09b3c987d2ad994c10ee63

        SHA1

        a51a2f7c0aaa804b2a7fa2f9b78104900a9a2e72

        SHA256

        5f2a1f903b4a641e8360cf1a70257d66a233d5549b95f2852687ce2a6951e698

        SHA512

        1d55fd52aab20401699230702e2c6b18903ae757a0e8e68f407ac96a6d054d20d9b8f52e772f160f9b96063b655c1d91ae55c3c7f4877efda9e9d120322c6de3

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        0c2bc886404188ea28f227cdcfcd1c2c

        SHA1

        debfa46b636979b1c1e8de1a603cb377d39e62d4

        SHA256

        e2d7e4f8508382b810d865e267fca09f1d325383b484e336fb8f87b06bd481c0

        SHA512

        3d825b1fdec71b560b91a16ba9ef284907952296fc05e020f792f10293dc3dccc87f8496bc69203520d84af6cd7ba7cc6f7cba41e2f2cb398a37b7a09f99247c

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        474e01a4c46f4d0763d2fb4d7e410f20

        SHA1

        aa0c0e715536dd19190ded41ce077411738266a7

        SHA256

        8e67a063c81f42545e00d955d08249a8357a101218a5c8c672ad70975615fac7

        SHA512

        13b2449b048fe97387a515f0287cb70e610686658b372ca93489c19e43af6261210c1e4a8c364e981c4a0fed1c176f841d098c5a925b9817fce5f097b129ca17

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        10b8323102282cc8a0d31cbcb0fb6dfd

        SHA1

        3e91e1be3d4560841e1f344936e567a51e5a8963

        SHA256

        ff5bd76b81f44f2c93b7bda2c07301742b5842691563ffd4f2b22560a281f23a

        SHA512

        885ebf37c4da28c072e63f48cf585b93d56b62fa5ea979d91a28dc9e08ebb4fed9bb42d705c4f2c640f83640655e4959504c4752ce200b64bb315df08b24342b

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        e136c817f06bf2a76fb20ec89e90a95e

        SHA1

        60efc9042832ddc8bea19ecd1c5d288e132f42f7

        SHA256

        d6773ef3f923e729f1cb7ebd35197ec4588a00bb2acf9f1d7c42202a17b02454

        SHA512

        39775e5e46d72ae70382ba0f30dbc07fa482c2e986de434b9ad502787ae0fdf5984068038f393d34b0d8f0cdae325401d25210e0506d399749ef97fe2fb003a2

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        2c85bcd1e5e845caccd62166119c6e69

        SHA1

        6375e6c3dd3423ea920f1a4def770f99b88fdff6

        SHA256

        47f003c3c53b6098448d68eef7de4a3f0faab0ce233021efb125ff80d50a3ff7

        SHA512

        77b95481f0b114ccd545f0f041bbae6e9c6372fcb242fe0aff73daaf44335d1ec9514d9ac53533253faae9926147b9b1d774c772b70adc57b186d6694ebffa4b

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        57ebc44f9a11fb80f940a22747fed875

        SHA1

        2220cc49bed28d30f446b02a5295f4bd360f66c5

        SHA256

        f98876b9d358150e20968efa85645ee2e9c53e68cd6e138b974450573651f7de

        SHA512

        d66abf102d1779fcb7676ebe8111d2023d0d33ef946b0039cd4ff9dc894fe4c65533de9c70175816ff24f3f6adc05c5232f65dbeee5a84c5080c48472fb2739a

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        d92753db66236b0e8691cc597abfa95c

        SHA1

        00a6cfac8c25e714586f9fa3dd5b66b0cce4b724

        SHA256

        3076f6021fd07a580291ca97b2a7a589859de8b033f837e634d871294fd4b342

        SHA512

        ffaac0af760aa087b6b92592e2d50b0bf28cb862bb9ea0582af9d8e88f36a1038c8fb9d5c3e4ae7f081b4451c9a38a6b345cccc4ed2eee31eb479db84120f2a5

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        158cd578fc01398f18aeec5e68b6ccc3

        SHA1

        b7ecba5ff5c4c7193b30e438a055afb5dc360345

        SHA256

        97ae35f307de6d38da397efd0787b13b935ede42b27658b3827968991f7e4c09

        SHA512

        47c468993e75b791b2828483be74fc7ba5ddf4235e010b6403685c8b8af09f10b8c63a60cc129b9844762176fdbf49e294e24be19177c8007de3001216903380

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        9127530e81307b57352f3567d1e84b91

        SHA1

        1e7f6d300af1b54903ef77d90dce9926ba9ceb21

        SHA256

        190857ca9c7411b2caeb672ebf208f68e0961568077fbc492d4d23a4c77063b6

        SHA512

        c3e3b07a33e27f5436a7f958842625c461b8e19d8c38961e5d455c38b468afadb32cc33c4f22c07cd5f552d26017a94272e633f211b8c9a4cad0c541b1ed3e6d

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        31a83a6d67be272f3dc6e0655f3a1c06

        SHA1

        fc64dc633617ae5500b6c8ccdccb3966af86f21f

        SHA256

        d00f537af1fc7b7f1e30b14c5a06690be9ae070a63e6a2037816f7ffdb91117b

        SHA512

        c427564dfe9116f630122e13125b5dc015ae31a4a6538ff84b1d8505ac97fba8f29f1cd8a6a942553fdcd2209f055ad7cdd6e42e1bd30ceab491bd1034633cfb

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        f445b6310eca1b9cf04195bafec1ceb1

        SHA1

        c6dc371885098b8e96cb3b2b4905f6ae2aa6dac9

        SHA256

        f657d16d4c9f9df013cf5d691055ea3b7c28a3b771eb91aff71f3bb8bdc0050f

        SHA512

        5e263b6c573b51c0ca1bb3c5437c45d1f6047f351763fa6d0b38b00731b7f1578db12004b3dfc9bc6dd29a4096d0f8abd19bf61c38ee08b168a146e5a7a541dc

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        8504a23223baaf2e35e10170ec754243

        SHA1

        f8a2bf82a595033da53652c17d8e6ee3290ec824

        SHA256

        78ecd5cf33cb63f2fd066903b93dfc31fd79196ff49fcc74c2d6a227aac01848

        SHA512

        a94b0984ccbcdaf98afddfad3af608949bf163f138780f5cf92a5f8a3f984e20570aeeaa07a09ce2f3e8ae8edf884a3be39f042daacbdac9536c8de8ab24e553

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        8fc89ea0a009b7773a2c79fcf3a5f7b0

        SHA1

        89811abdaaa81500a39529e1342af5efa4455f49

        SHA256

        aca917a07fa84af02ba8659ec79f51fda654481179cc311adc39828a29b49026

        SHA512

        32452f9d8870016695b8a4bf895aad18c283099d9cfa4fbc1f8a418d3c1662ac0588522b68cdc31d112e4243c1647802ecda7e9f1c2db8b4e2764ffe4764e8d5

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        06eeb9547693e8639e2c738fec0884ae

        SHA1

        e4f96c9d306b4aae4f649e7dc9cc5accf2d4f9e5

        SHA256

        a79fb5f1585344a86067b8f134db14dfa0cf94e7c15ef732744d72b2a62396c3

        SHA512

        e1235eb79ff29ffebdf74fd064c6ebdc51d329409567b3b622a076b8b479204f06a0555a9d38d916629694f18a999134416020feaa7f130af8e18f8959ceb03f

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        5731b3c19a6c3d8179ab921f810a3ae7

        SHA1

        3b1d05a8ce36ed54b8c132421610041b2cce0d9f

        SHA256

        b74cf0ef1fb9c167842307c2f4ad7018d67edb502aaf0747c260bd77980fbcce

        SHA512

        f6e748cdf0c8a6f777847de3c4c281504e278e11886ec2b791e8f849a311e2553a208c61fe4bc16488875247a76f5f22e6661feeaafdc4cf47bdac41a0ab30f3

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        03e81d8f11b71b2c76b672671fe47d5f

        SHA1

        6c151390856d9024d746ff1d8310e1fd6d91ca45

        SHA256

        71713cfa7a0077987dbc59d7ad89509afceed6a2b18872937ea516e588bd223f

        SHA512

        5a45580e30a31817f9bb27d72c66d49a9c520bfb35fce49e1c19d48316886dd8b076b8ed77231486e71034fc7840e794faa5a32834a1faa5cac2e60222b6f8e2

      • C:\Users\Admin\AppData\Roaming\cglogs.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • \Users\Admin\AppData\Local\Temp\vbc.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

      • memory/2344-24-0x00000000741A0000-0x000000007474B000-memory.dmp
        Filesize

        5.7MB

      • memory/2344-2-0x00000000741A0000-0x000000007474B000-memory.dmp
        Filesize

        5.7MB

      • memory/2344-0-0x00000000741A1000-0x00000000741A2000-memory.dmp
        Filesize

        4KB

      • memory/2344-1-0x00000000741A0000-0x000000007474B000-memory.dmp
        Filesize

        5.7MB

      • memory/2652-135-0x0000000000400000-0x000000000051E000-memory.dmp
        Filesize

        1.1MB

      • memory/2652-34-0x00000000001C0000-0x00000000001C1000-memory.dmp
        Filesize

        4KB

      • memory/2652-46-0x0000000000360000-0x0000000000361000-memory.dmp
        Filesize

        4KB

      • memory/2652-40-0x00000000001E0000-0x00000000001E1000-memory.dmp
        Filesize

        4KB

      • memory/3000-22-0x0000000000400000-0x0000000000455000-memory.dmp
        Filesize

        340KB

      • memory/3000-33-0x0000000024080000-0x00000000240E1000-memory.dmp
        Filesize

        388KB

      • memory/3000-28-0x0000000024010000-0x0000000024071000-memory.dmp
        Filesize

        388KB

      • memory/3000-23-0x0000000000400000-0x0000000000455000-memory.dmp
        Filesize

        340KB

      • memory/3000-21-0x0000000000400000-0x0000000000455000-memory.dmp
        Filesize

        340KB

      • memory/3000-345-0x0000000000400000-0x0000000000455000-memory.dmp
        Filesize

        340KB

      • memory/3000-20-0x0000000000400000-0x0000000000455000-memory.dmp
        Filesize

        340KB

      • memory/3000-19-0x0000000000400000-0x0000000000455000-memory.dmp
        Filesize

        340KB

      • memory/3000-11-0x0000000000400000-0x0000000000455000-memory.dmp
        Filesize

        340KB

      • memory/3000-13-0x0000000000400000-0x0000000000455000-memory.dmp
        Filesize

        340KB

      • memory/3000-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/3000-16-0x0000000000400000-0x0000000000455000-memory.dmp
        Filesize

        340KB

      • memory/3000-10-0x0000000000400000-0x0000000000455000-memory.dmp
        Filesize

        340KB