Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 08:52

General

  • Target

    1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

  • Size

    296KB

  • MD5

    1562ea6ccbc11556a2fbc40aeaf1897d

  • SHA1

    d3e9413c1ede49d83be13b118c861cbe41b3e6c2

  • SHA256

    a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb

  • SHA512

    44572ee9589c46f1fe2d009f77b5b199343e506257613ccf8de524fc57e590ec04d102a760aade26bfb23fb4a16f81c242ae98e34ae28382aaa51568d10725aa

  • SSDEEP

    6144:POpslFlqLhdBCkWYxuukP1pjSKSNVkq/MVJbR:PwslgTBd47GLRMTbR

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

etis.no-ip.biz:100

Mutex

5J67372O7SI8C2

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    rafaella.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    The file you are searching for has been deleted.

  • message_box_title

    Error

  • password

    etis

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
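The extracted config is only useful once it is turned into things a hunter can query for. The block below is an added example written for this report (not code from the sandbox, from any vendor tool, or from the malware): it copies the config values above, derives file, mutex and network indicators from them, and matches them against a constructed list of host observations. The one point worth noticing is the drop path: the malware names its copy C:\Windows\system32\WinDir\rafaella.exe, but because it runs as a 32-bit process on x64 Windows, WoW64 file-system redirection puts the file under SysWOW64, which is the path the process tree reports. Treating install_dir as a literal sub-folder name is an inference from that observed path.

```python
"""Derive host and network indicators from the extracted CyberGate config.

Added example written for this report; it is not code from the sandbox,
the malware, or any vendor tool. CONFIG is copied from the Malware Config
section. OBSERVATIONS is constructed to mirror the process tree and
Downloads sections, plus two deliberately non-matching entries.
"""
from dataclasses import dataclass, field

CONFIG = {
    "c2": "etis.no-ip.biz:100",
    "mutex": "5J67372O7SI8C2",
    "install_dir": "WinDir",
    "install_file": "rafaella.exe",
    "injected_process": "explorer.exe",
}

SYSTEM_ROOT = r"C:\Windows"


@dataclass
class Iocs:
    files: set = field(default_factory=set)     # lower-cased full paths
    mutexes: set = field(default_factory=set)   # exact names
    network: set = field(default_factory=set)   # (hostname, port) tuples


def install_paths(cfg, system_root=SYSTEM_ROOT):
    """Return every on-disk location the dropped copy can appear at.

    The report shows install_dir used as a literal sub-folder under System32
    (the command line is C:\\Windows\\system32\\WinDir\\rafaella.exe). The
    sample runs as a 32-bit process, so on x64 Windows WoW64 redirection
    stores that file under SysWOW64, which is what the process tree shows.
    A hunt has to cover both spellings.
    """
    sub = cfg["install_dir"] + "\\" + cfg["install_file"]
    return {
        system_root + "\\system32\\" + sub,   # path as the malware names it
        system_root + "\\SysWOW64\\" + sub,   # where it lands from a 32-bit process on x64
    }


def config_to_iocs(cfg):
    host, _, port = cfg["c2"].rpartition(":")
    iocs = Iocs()
    iocs.files = {p.lower() for p in install_paths(cfg)}
    iocs.mutexes = {cfg["mutex"]}
    # no-ip.biz is dynamic DNS: the resolved address can change at any time,
    # so the durable network indicator is the hostname and port, not an IP.
    iocs.network = {(host.lower(), int(port))}
    return iocs


def match_observations(iocs, observations):
    """observations: (kind, value) pairs as an EDR would surface them.
    kind is 'file' (path), 'mutex' (name), 'dns' (queried name) or
    'conn' ((host, port)). Returns the subset that hits an indicator."""
    hits = []
    for kind, value in observations:
        if kind == "file" and value.lower() in iocs.files:
            hits.append((kind, value))
        elif kind == "mutex" and value in iocs.mutexes:
            hits.append((kind, value))
        elif kind == "dns" and any(value.lower() == h for h, _ in iocs.network):
            hits.append((kind, value))
        elif kind == "conn" and (value[0].lower(), value[1]) in iocs.network:
            hits.append((kind, value))
    return hits


OBSERVATIONS = [
    ("file", r"C:\Windows\SysWOW64\WinDir\rafaella.exe"),  # from the process tree
    ("file", r"C:\Windows\SysWOW64\WinDir\other.exe"),     # constructed: must not match
    ("mutex", "5J67372O7SI8C2"),
    ("dns", "etis.no-ip.biz"),
    ("conn", ("etis.no-ip.biz", 100)),
    ("conn", ("etis.no-ip.biz", 443)),                     # constructed: wrong port
]

if __name__ == "__main__":
    for hit in match_observations(config_to_iocs(CONFIG), OBSERVATIONS):
        print("HIT", hit)
```

Running the block prints the four hits (both the SysWOW64 file and the mutex, DNS name and port-100 connection) and ignores the two constructed decoys. The hashes of rafaella.exe are identical to the submitted sample (see Downloads), so file-hash indicators for the dropped copy add nothing beyond the sample's own hashes.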

Signatures

  • CyberGate, Rebhip

    CyberGate (detected by some vendors as Rebhip) is a remote access trojan distributed as a "remote administration tool". The config extracted above enables its keylogger, installs a copy of itself for persistence and reports to etis.no-ip.biz:100.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
        PID:2568
      • C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2012
        • C:\Windows\SysWOW64\WinDir\rafaella.exe
          "C:\Windows\system32\WinDir\rafaella.exe"
          3⤵
          • Executes dropped EXE
          PID:1596
      • C:\Windows\SysWOW64\WinDir\rafaella.exe
        "C:\Windows\system32\WinDir\rafaella.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2344
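The process tree and the persistence signatures describe behaviour that can be detected without any sample-specific indicator: an executable in the user's Temp directory spawning iexplore.exe (the config names explorer.exe as the injection target, but iexplore.exe is what was actually started), a copy running from a new sub-folder under System32/SysWOW64, and autostart registry values pointing at that copy. The block below is an added example written for this report, not sandbox, vendor or malware code. The events are constructed to mirror the tree (PIDs 2236, 2568, 2012, 1596, 2344) and the three registry signatures; since the report lists IoC counts but not key paths, the Active Setup GUID, the Run value names, the Sysmon-like field names and the System32 sub-folder allowlist are all assumptions.

```python
"""Behavioural triage of the execution chain shown in the process tree.

Added example written for this report; it is not sandbox, vendor or malware
code. EVENTS is constructed to mirror the process tree and the three
registry-persistence signatures. The Active Setup GUID, the Run value
names, the field names and KNOWN_SYS_SUBDIRS are assumptions.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\WinDir\rafaella.exe"

EVENTS = [
    {"type": "process", "pid": 2236, "ppid": 1000, "image": SAMPLE},
    {"type": "process", "pid": 2568, "ppid": 2236, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"type": "process", "pid": 2012, "ppid": 2236, "image": SAMPLE},
    {"type": "process", "pid": 1596, "ppid": 2012, "image": DROPPED},
    {"type": "process", "pid": 2344, "ppid": 2236, "image": DROPPED},
    # registry-set events (constructed; key paths assumed from the signature names)
    {"type": "registry", "pid": 2236,
     "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{ASSUMED-GUID}\StubPath",
     "data": r"C:\Windows\system32\WinDir\rafaella.exe"},
    {"type": "registry", "pid": 2236,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HKCU",
     "data": r"C:\Windows\system32\WinDir\rafaella.exe"},
    {"type": "registry", "pid": 2236,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKLM",
     "data": r"C:\Windows\system32\WinDir\rafaella.exe"},
    {"type": "registry", "pid": 900,   # constructed benign autostart, for contrast
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# iexplore.exe is what the tree shows; explorer.exe is the configured injected_process
INJECT_HOSTS = {"iexplore.exe", "explorer.exe"}
# an .exe exactly one directory below System32/SysWOW64, e.g. ...\SysWOW64\WinDir\rafaella.exe
NESTED_SYS_RE = re.compile(r"\\Windows\\(System32|SysWOW64)\\([^\\]+)\\[^\\]+\.exe$", re.I)
KNOWN_SYS_SUBDIRS = {"wbem", "windowspowershell"}   # assumed starting allowlist; tune per estate
PERSIST_RE = re.compile(
    r"\\Active Setup\\Installed Components\\[^\\]+\\StubPath$"
    r"|\\CurrentVersion\\Run\\[^\\]+$"
    r"|\\Policies\\Explorer\\Run\\[^\\]+$", re.I)
EXE_IN_DATA = re.compile(r'([^\\"]+\.exe)', re.I)   # executable name inside an autostart value


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, pid) findings for the process and registry events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings, flagged_exes = [], set()

    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent and TEMP_RE.search(parent["image"]) and basename(e["image"]) in INJECT_HOSTS:
            findings.append(("temp_exe_spawns_injection_host", e["pid"]))
        m = NESTED_SYS_RE.search(e["image"])
        if m and m.group(2).lower() not in KNOWN_SYS_SUBDIRS:
            findings.append(("exe_in_nonstandard_system32_subdir", e["pid"]))
            flagged_exes.add(basename(e["image"]))

    for e in events:
        if e["type"] != "registry" or not PERSIST_RE.search(e["key"]):
            continue
        m = EXE_IN_DATA.search(e["data"])
        if m and m.group(1).lower() in flagged_exes:
            findings.append(("autostart_points_to_flagged_exe", e["pid"]))
        else:
            findings.append(("autostart_key_set", e["pid"]))   # informational only
    return findings


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The registry rule is deliberately tied to the process rule: an autostart value on its own is routine (the constructed OneDrive entry only yields the informational finding), but one whose data names an executable already flagged for running from a fresh System32 sub-folder is the persistence chain this report describes. The StubPath match matters because Active Setup runs the command once per user at logon, so a Run-key-only check misses it.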

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence
      Boot or Logon Autostart Execution (T1547): 3
        Registry Run Keys / Startup Folder (T1547.001): 2
        Active Setup (T1547.014): 1

    Privilege Escalation
      Boot or Logon Autostart Execution (T1547): 3
        Registry Run Keys / Startup Folder (T1547.001): 2
        Active Setup (T1547.014): 1

    Defense Evasion
      Modify Registry (T1112): 3

    Discovery
      System Information Discovery (T1082): 1

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
      Filesize

      224KB

      MD5

      fcdc2ec75169e8f15aa481a855d2d1ce

      SHA1

      e175eb08f9c24ef111cb7a0691ef75e81ffc9f49

      SHA256

      b9dcdb13419530c9b517e0ca3ee3f8c63ae59e970e8ad286a41a4b77addc3173

      SHA512

      32310fa60f8d1d8c70517ab451034617407106aa5d1ecd80cbd47534952d3ad9fc73b391ff8f76f577b89d996ddf032e6cf46c13a4a45fa93d1e8ede183cdd51

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      c6a57eb3bdbf10bab9ae050c5aa7a940

      SHA1

      0e34774ec9b27c8d61983433bb06fd608be3420a

      SHA256

      3bb2419816762ec7537a1298a181a292ce2bb6d239d989ef3b28a69d39aeffbf

      SHA512

      f98aede02d7dbb42ad87fef4377cbe26d26788846dae1c61364dbdaf77340378db208626120b82cdaab6191ee261d7c8d62b53a48b171258864f421a6f0777db

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      fa16c17bd57ddac978987e3b4fe3a82c

      SHA1

      b41cb944cef71aad508be364cd3dab9456cc7d4f

      SHA256

      8e3749f8e6100d6fe75bc92c36f2d3e1b994fd33a2102d1a6cfca9822a344584

      SHA512

      66d24575f7cf727d1119e9a8d5420d41fc03457066653ece67aad2330e8220a6a891566d2181a35cc7105b389c2dda9039047c0771085fc48e8b0ccc61ca8713

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      e3316ef318e9322c29e840719d6e51b2

      SHA1

      009d0fca6c0e01dd5c17c4738d07730940ce088c

      SHA256

      356805e8dd89737f6ccbf88b2d84d33a8ec90c0f0f786b851ef8f68e603380cb

      SHA512

      91498a051a14fce59053cd188a2b9859f6b5fef0565dee5d0b87a3b7645b701777e56bf16f3fb5367c16948e6d48a0e3d2b8abd269cab9698106969c68f8ee5b

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      d07f6d2486723e1a114f03d322adcf60

      SHA1

      69a64297b09c8d679e5dddf3c932a4ec1e44a587

      SHA256

      dff24518646134ba890bd53823d88e7df5bb6e13e214f3ec870b2a39cf6bbcf0

      SHA512

      33cfaa555b3783b2026196ea7e9a54d762a069526b1182875e55e8e56cae3adf256898a9d01d9b28f2d4df56a673fcac07e780ba5ed6e1c97600b2bfe503ff6a

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      a0bff030c7ea47144eb4f2740e45484b

      SHA1

      c6102a3274de269d612bd7fbee212bc48bbed425

      SHA256

      b1b3b1ec212ac5413326b8867d51ab28d851664225a85755301764165d05e990

      SHA512

      d837006591fc7526b12c612dfa4eb4b10853fa90c3446290dadaa507d17b6023cef149c83d441566855116141e15fc55049ddf622146ae70c3dd00e9e084f005

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      fa09d55b41bde0a2661420706c1f0f83

      SHA1

      d60f54f56c5c1cf72428f7bbac382d9fa11579bd

      SHA256

      971bbb6b2b91483c0e723509baf4163ca5d0f747af50635328febe8f15e1db3e

      SHA512

      38972da3457a978f2adfa03838182255547926dde54015e8194328da2ab1cdc5c49fb72f141318205324ef44c57aa922f74ef4340ed58f8f526e6537aeceb5f3

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      93803456c54e1da5c0bd17b59f999928

      SHA1

      800b89889a229ff82396cf92e0ad1bd5b3b2f949

      SHA256

      ea09f2be24eb678d6fcf66bdb26dc269eef1015d8d0d1d40b7d32245d8b8ae36

      SHA512

      f968e9be79747477e054272edf32515827e32f95e49da212a14b0416bf169b0ed0424c131849e389ebc5ff53cd6c44a60d7ae938cc600688d432b945aabceadb

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      8f4f70b06c422f6cd97922ce06a2b2b9

      SHA1

      489f63af2f3b9c208b316dacfa0a2e9f8f82a7dd

      SHA256

      730fa91d4c3769bd19ff5997b2b58fb6df5b549f70b1a73b1589e75224cd25e6

      SHA512

      45193a5bfa883ed037634addca0982164097cbd8810cfbcb41e37c85a8ce07039539ae542f9fadef2214135315725a0efc2b7f3241d159ec116f0573094bcee9

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      c55cf1aec52529c837ff94f94be1b9d2

      SHA1

      4486d318d0abebadea286c7a769f9140b4342eac

      SHA256

      6d2361e1c45d6a8fbe14721a7e9b0089b07532e42b74d6888eddb75c93ff98fb

      SHA512

      e1ec8dc70b8aa660ec6aea27dc1d48e0d28b1b933751d7d9c86418fa97f760caf2e89302958d0e660a5c4ede80c04ee7dc81281f2768eb264a8db8c9954f909d

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      883c9d12b80e689ff3e01f4cc1687e5f

      SHA1

      2ffca5d1fa8e89610f02cfe11bbe214485abf5b9

      SHA256

      cfda9af4e8409f913c3d265d20ad1e4f67b1b65e6b0b451682db0ef5cfa3432a

      SHA512

      67de1cc8eda4079e43d0ab06e3e68e15aa6c511372f1e9127256886a306d24e51fba30e6e597c3bd3c5c2315b331f73583e829d3d498ebe0e3c50db2755d9a17

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      2d82b86bdeb30177bece9cf0db3d258e

      SHA1

      ca9da9148d626fec5724d6da353e73927c5dcdfe

      SHA256

      c0703bce4a45b6cfeb6351c99671d8958094df50d7950ed39713dcb595a488fd

      SHA512

      9ff8d19f2106ce98b4b377e8f8330632aea3ce7a63c064f2c0a7f2a5fee5ef332523ab3f237967a0742d823b6643fe26111bd29538f3bd81a39e0adfdd8089f1

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      4cd91252cc12842a05ea09668a10b3ab

      SHA1

      a929214d1e1a2a78bf34ab52087945aa70fb564f

      SHA256

      f98a14a42b5840cf17c304b9baf5b0c980cfb1393698764303499a861c5748ce

      SHA512

      cf54f0030974b462ccbfd3b724dc1f0bf2ab84b741c882a2cd9be140cf5dbaf7f1521742014717a3714756a910edb693141cfec29c7ed2e8a9ca179e62828931

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      0113a1eba293841d61461773d9969fd4

      SHA1

      7419b0ad990bb63c49d0f7624bd1afe0379da102

      SHA256

      437b52e36fed243f9bdea95594abdad81a64d0e98bafe9cf35220e4d525f0e59

      SHA512

      41d432987be623c19fce5e3520539d2c10b255135f17894c74ee6f8b54009b59c315c7319fbe0d1370e7a235c1f155327f2f98f071196a18c769121e5ed8b62e

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      f1cdde69d3881168f15c145c4c13034b

      SHA1

      522edcb9c4065e636e6fc24bb55abab8cfd77f7d

      SHA256

      b7f1817525eb2ef20a6c9840e9a910655385584cadff0705e5db26700f10627f

      SHA512

      31df521c964eb6f6c25279f85908a4a3bd0782853cac34f2b4687673d81f3479d1b5ed9f493d30bf4ecd34a780f4f8cbe28648b674a74d273ef02d76c2ff987f

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      0702678a3c6be57a890bce6bd1982560

      SHA1

      cb7742da8051dcba2456d35c3821aea598dc54ee

      SHA256

      fa8b0dc96a4f26f7b20025f463b9b1559171df84b1d213d2bffbf5f7141de1c2

      SHA512

      c6846aeb7f52d348fd62e2c28d20440f992dec6239e5e1c0fd3659ecc14dba67c6aab0f79fa17c7853aa3bb481d43c511921d378ff89612f908ee7dc6d9a58c5

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      6dbe59359ff5c498654c64d1510cfa52

      SHA1

      f4ea5b6cedb75bc488d8953acc266fbb6a2884e2

      SHA256

      503c37e7db2f8d4492489fc680c6774ecc2820b4c144cca015db15e8e69885c9

      SHA512

      f18e13006488699d6b886d677e6b370a496040da408fcd347875592fc2e338ebfd0fe22de51a4b2840b878fbd57325d3b8702629a6551382bb4f120c6a95cc40

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      fde4a074e2e25e2cbd1456cb9471089a

      SHA1

      2272f69121f682d451793ab888e2802134d55884

      SHA256

      3516eee6156f4d4d6f0f69ab26a2867ff5824a7c360df90bd7db80b059b7d675

      SHA512

      88c041c1297addad85c1d1b4c1cd8df3ec70960dc068f17f87a8b7ddd52a14d52de9e5e80ef47478fc4ffd611cfe08cb2cd39e18a0b97869ada79ff800361748

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      80aa87b3386be6662cb92ed5536a17c9

      SHA1

      8cd05f12f5b575e77bd48be5efc68bf7444c4553

      SHA256

      a212a369fefb8f2790bb20cf370ccaa24eb0f7cb18e559a8255b4bdcb611a45e

      SHA512

      dd49638bba7c5ccb11d6e535038e40c93840b04391e9131a355e2f19c491103f1dd338fc42a54e62aa66ef3a75edb4c28e22bb39ddac6776dbb5fd5c75bb5095

    • C:\Users\Admin\AppData\Roaming\Adminlog.dat
      Filesize

      15B

      MD5

      bf3dba41023802cf6d3f8c5fd683a0c7

      SHA1

      466530987a347b68ef28faad238d7b50db8656a5

      SHA256

      4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

      SHA512

      fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

    • C:\Windows\SysWOW64\WinDir\rafaella.exe
      Filesize

      296KB

      MD5

      1562ea6ccbc11556a2fbc40aeaf1897d

      SHA1

      d3e9413c1ede49d83be13b118c861cbe41b3e6c2

      SHA256

      a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb

      SHA512

      44572ee9589c46f1fe2d009f77b5b199343e506257613ccf8de524fc57e590ec04d102a760aade26bfb23fb4a16f81c242ae98e34ae28382aaa51568d10725aa

    • memory/2012-18-0x0000000000350000-0x0000000000351000-memory.dmp
      Filesize

      4KB

    • memory/2012-1108-0x0000000010480000-0x00000000104E5000-memory.dmp
      Filesize

      404KB

    • memory/2012-7-0x00000000001B0000-0x00000000001B1000-memory.dmp
      Filesize

      4KB

    • memory/2012-13-0x00000000001D0000-0x00000000001D1000-memory.dmp
      Filesize

      4KB

    • memory/2012-291-0x0000000010480000-0x00000000104E5000-memory.dmp
      Filesize

      404KB

    • memory/2236-6-0x0000000010480000-0x00000000104E5000-memory.dmp
      Filesize

      404KB

    • memory/2236-2-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB