Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-07-2024 06:54
Static task: static1
Behavioral task: behavioral1
Sample: 2173b59db0d6a10aa1196f29bd0dca9c_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: 2173b59db0d6a10aa1196f29bd0dca9c_JaffaCakes118.exe
Size: 836KB
MD5: 2173b59db0d6a10aa1196f29bd0dca9c
SHA1: 0891e25f21f65bf3735a08b587579e8bd1d1aa8c
SHA256: c26299aa088cb8884f3f71159795028d9c6f5fadd7f0d104950819d34cac76a8
SHA512: 1d55c3fc226f20488d1fc500d7a17d32d22e7aacacbd4d334b3dd2fc3c0b70d3e81b029bcb9f375b09d1bdc55297d2c292f246f031c78d2e948716058e1f28a8
SSDEEP: 12288:6YhYXfg/abPDjB+qdfMBIpB8jUWjpHVYcdpf44lvbiS84CACFCGuDRAmuSEWA+X7:6YhNPgBq93vpWqdJ7W+KUJ
Malware Config
Extracted
cybergate
v1.07.5
haxor
nielstyle00.no-ip.org:7100
1KG3RR2JG6MI72
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: osm
install_file: updater.exe
install_flag: true
keylogger_enable_ftp: false
password: julemand90
Signatures

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{35P8HRWQ-4W3U-58L7-761G-55P5M656RGAQ} | vbc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35P8HRWQ-4W3U-58L7-761G-55P5M656RGAQ}\StubPath = "C:\\Program Files (x86)\\osm\\updater.exe Restart" | vbc.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{35P8HRWQ-4W3U-58L7-761G-55P5M656RGAQ} | vbc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35P8HRWQ-4W3U-58L7-761G-55P5M656RGAQ}\StubPath = "C:\\Program Files (x86)\\osm\\updater.exe" | vbc.exe

Executes dropped EXE (29 IoCs)
pid | Process
- 2936, 4760, 4008, 4684, 2520, 3912, 2072, 4900, 1616, 3540, 4940, 2748, 1392, 3708, 1644, 3264, 2056, 3200, 2880, 5004, 2308, 564, 2124, 4652, 2572, 1928, 3520, 5076, 3108 | updater.exe (all 29 entries)

resource | yara_rule
- behavioral2/memory/2248-12-0x0000000010410000-0x0000000010475000-memory.dmp | upx
- behavioral2/memory/2248-13-0x0000000010410000-0x0000000010475000-memory.dmp | upx
- behavioral2/memory/2248-16-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
- behavioral2/memory/4992-163-0x00000000104F0000-0x0000000010555000-memory.dmp | upx
- behavioral2/memory/4992-168-0x00000000104F0000-0x0000000010555000-memory.dmp | upx

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ocm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Summaupdate.exe" | 2173b59db0d6a10aa1196f29bd0dca9c_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
- PID 4444 set thread context of 2248 | 4444 | 2173b59db0d6a10aa1196f29bd0dca9c_JaffaCakes118.exe | 83

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
- File created | C:\Program Files (x86)\osm\updater.exe | vbc.exe
- File opened for modification | C:\Program Files (x86)\osm\updater.exe | vbc.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
- 2044 | 4256 | WerFault.exe | 86

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
- 4444 | 2173b59db0d6a10aa1196f29bd0dca9c_JaffaCakes118.exe (16 identical entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 4444 | 2173b59db0d6a10aa1196f29bd0dca9c_JaffaCakes118.exe
- Token: SeBackupPrivilege | 4256 | explorer.exe
- Token: SeRestorePrivilege | 4256 | explorer.exe
- Token: SeBackupPrivilege | 4992 | vbc.exe
- Token: SeRestorePrivilege | 4992 | vbc.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
- 2248 | vbc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
- PID 4444 wrote to memory of 2248 | 4444 | 2173b59db0d6a10aa1196f29bd0dca9c_JaffaCakes118.exe | 83 (repeated entries)
- PID 2248 wrote to memory of 3496 | 2248 | vbc.exe | 56 (repeated entries)
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID:3496
  - C:\Users\Admin\AppData\Local\Temp\2173b59db0d6a10aa1196f29bd0dca9c_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2173b59db0d6a10aa1196f29bd0dca9c_JaffaCakes118.exe"), PID:4444
    Signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe), PID:2248
      Signatures: Boot or Logon Autostart Execution: Active Setup; Drops file in Program Files directory; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID:4256
        Signatures: Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 80), PID:2044
          Signatures: Program crash
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"), PID:4992
        Signatures: Boot or Logon Autostart Execution: Active Setup; Suspicious use of AdjustPrivilegeToken
        - C:\Program Files (x86)\osm\updater.exe (command line: "C:\Program Files (x86)\osm\updater.exe"), 29 child processes, each flagged Executes dropped EXE; PIDs: 2936, 4760, 4008, 4684, 2520, 3912, 2072, 4900, 1616, 3540, 4940, 2748, 1392, 3708, 1644, 3264, 2056, 3200, 2880, 5004, 2308, 564, 2124, 4652, 2572, 1928, 3520, 5076, 3108
- C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4256 -ip 4256), PID:4648
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
- Filesize: 224KB
  MD5: 3681cc395865dff9e1b0e2ce131e1b62
  SHA1: 1ff0cef304862c374a0ce4d2b5543e4b866ebd2b
  SHA256: 52bb776684b9674aa1eec6c7c06a8a16bc6e6b52326c556877d0efa1a1183b4c
  SHA512: 7528f6eaa8987f59ecd0b7f45799824a626711a1d755a351b1e858149850a45d95688d71b1d79e0410ffe3f6a43e487eb296e2e1c6c616ec043ba66469643959