Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-07-2024 06:32

General

  • Target

    21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

  • Size

    595KB

  • MD5

    21650967f198dfcdd32c6b4387d75a51

  • SHA1

    7860833d961ed8e68bb506d5f6ef5bb854b387b1

  • SHA256

    2ed7b7d258601438a2f188ebebcd406d9d43748c3c79279038e62bb61c4334e4

  • SHA512

    dccb305ea7d5115d256d4170f35c77ad0f3c37caf09db3813606385db506fd528bb6c2a9b0c38cca0493d6e67ef6abe51bad643eb5eb0553155fcb4271d84fd5

  • SSDEEP

    12288:tE83Sb0dlSW05DuWXw4MeX6Z3Gupe88PwHCjNH:tEOSbkSW00dteXk3PpetwHCjR

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

1kax

C2

mokordo.zapto.org:5638

adriano4588.no-ip.info:2000

Mutex

6ASCN7PT6M6T2B

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    12081960

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3516
      • C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5076
          • C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:1740
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              5⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Suspicious use of AdjustPrivilegeToken
              PID:4048
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
                PID:4964
              • C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe
                "C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe"
                5⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:2976
                • C:\Windows\SysWOW64\install\server.exe
                  "C:\Windows\system32\install\server.exe"
                  6⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Suspicious use of SetWindowsHookEx
                  PID:1952
                  • C:\Windows\SysWOW64\install\server.exe
                    C:\Windows\SysWOW64\install\server.exe
                    7⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of SetThreadContext
                    • Suspicious use of SetWindowsHookEx
                    PID:3124
                    • C:\Windows\SysWOW64\install\server.exe
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      PID:976

Network

MITRE ATT&CK Enterprise v15

Downloads
