Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-07-2024 06:54

General

  • Target

    2173b59db0d6a10aa1196f29bd0dca9c_JaffaCakes118.exe

  • Size

    836KB

  • MD5

    2173b59db0d6a10aa1196f29bd0dca9c

  • SHA1

    0891e25f21f65bf3735a08b587579e8bd1d1aa8c

  • SHA256

    c26299aa088cb8884f3f71159795028d9c6f5fadd7f0d104950819d34cac76a8

  • SHA512

    1d55c3fc226f20488d1fc500d7a17d32d22e7aacacbd4d334b3dd2fc3c0b70d3e81b029bcb9f375b09d1bdc55297d2c292f246f031c78d2e948716058e1f28a8

  • SSDEEP

    12288:6YhYXfg/abPDjB+qdfMBIpB8jUWjpHVYcdpf44lvbiS84CACFCGuDRAmuSEWA+X7:6YhNPgBq93vpWqdJ7W+KUJ

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

haxor

C2

nielstyle00.no-ip.org:7100

Mutex

1KG3RR2JG6MI72

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    osm

  • install_file

    updater.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • password

    julemand90

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (29 IoCs)
  • UPX packed file (5 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Program crash (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3496
      • C:\Users\Admin\AppData\Local\Temp\2173b59db0d6a10aa1196f29bd0dca9c_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\2173b59db0d6a10aa1196f29bd0dca9c_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4444
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Drops file in Program Files directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4256
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 80
              5⤵
              • Program crash
              PID:2044
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Suspicious use of AdjustPrivilegeToken
            PID:4992
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:2936
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:4760
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:4008
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:4684
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:2520
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:3912
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:2072
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:4900
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:1616
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:3540
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:4940
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:2748
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:1392
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:3708
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:1644
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:3264
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:2056
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:3200
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:2880
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:5004
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:2308
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:564
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:2124
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:4652
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:2572
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:1928
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:3520
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:5076
            • C:\Program Files (x86)\osm\updater.exe
              "C:\Program Files (x86)\osm\updater.exe"
              5⤵
              • Executes dropped EXE
              PID:3108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4256 -ip 4256
      1⤵
        PID:4648

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\osm\updater.exe

        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

        Filesize

        224KB

        MD5

        3681cc395865dff9e1b0e2ce131e1b62

        SHA1

        1ff0cef304862c374a0ce4d2b5543e4b866ebd2b

        SHA256

        52bb776684b9674aa1eec6c7c06a8a16bc6e6b52326c556877d0efa1a1183b4c

        SHA512

        7528f6eaa8987f59ecd0b7f45799824a626711a1d755a351b1e858149850a45d95688d71b1d79e0410ffe3f6a43e487eb296e2e1c6c616ec043ba66469643959

      • memory/2248-12-0x0000000010410000-0x0000000010475000-memory.dmp

        Filesize

        404KB

      • memory/2248-4-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2248-7-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2248-8-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2248-3-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2248-162-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2248-13-0x0000000010410000-0x0000000010475000-memory.dmp

        Filesize

        404KB

      • memory/2248-16-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

      • memory/4256-36-0x00000000001F0000-0x0000000000623000-memory.dmp

        Filesize

        4.2MB

      • memory/4256-17-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

        Filesize

        4KB

      • memory/4256-18-0x0000000000D80000-0x0000000000D81000-memory.dmp

        Filesize

        4KB

      • memory/4444-9-0x00000000753C0000-0x0000000075971000-memory.dmp

        Filesize

        5.7MB

      • memory/4444-2-0x00000000753C0000-0x0000000075971000-memory.dmp

        Filesize

        5.7MB

      • memory/4444-1-0x00000000753C0000-0x0000000075971000-memory.dmp

        Filesize

        5.7MB

      • memory/4444-0-0x00000000753C2000-0x00000000753C3000-memory.dmp

        Filesize

        4KB

      • memory/4992-163-0x00000000104F0000-0x0000000010555000-memory.dmp

        Filesize

        404KB

      • memory/4992-168-0x00000000104F0000-0x0000000010555000-memory.dmp

        Filesize

        404KB