Analysis
max time kernel: 147s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-07-2024 08:04
Static task: static1
Behavioral task: behavioral1
Sample: 21a38605343548f2a186ef927892e4cf_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 21a38605343548f2a186ef927892e4cf_JaffaCakes118.exe
Size: 856KB
MD5: 21a38605343548f2a186ef927892e4cf
SHA1: 776a716eb645ff0b2c15e49ba01c457524eb8ed7
SHA256: c36aba246a8713f48a21515a9f5999190d89219299f3309f57bad8583765121f
SHA512: 1087fd151313ecf35fa65c4d9ab5a8bf29bd428b04f06b9912f92a8c69ce11047119662827d689b8fba412da087ec227de82e50916e734f6d928ca722a610c2d
SSDEEP: 24576:zKdeFhhvo3wHe8fAIwgw4lAAx9BhmroA:fHe8fAIwgw4lAAx9Bhm
Malware Config
Extracted
cybergate v1.04.8
pelegbar
pelegbar.no-ip.info:82
7H3BHP01O0G7EJ
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: gprhvnvn
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | vbc.exe

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15O6T2SO-L2OG-RF42-608B-XSP42S00U461} | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15O6T2SO-L2OG-RF42-608B-XSP42S00U461}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | vbc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15O6T2SO-L2OG-RF42-608B-XSP42S00U461} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15O6T2SO-L2OG-RF42-608B-XSP42S00U461}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | explorer.exe

Executes dropped EXE (1 IoCs)
pid | Process
360 | server.exe

Loads dropped DLL (1 IoCs)
pid | Process
3032 | vbc.exe

resource | yara_rule
behavioral1/memory/2556-11-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2556-13-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2556-7-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2556-5-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2556-15-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2556-16-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2556-14-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2556-17-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2556-21-0x0000000010410000-0x0000000010471000-memory.dmp | upx
behavioral1/memory/648-541-0x0000000010480000-0x00000000104E1000-memory.dmp | upx
behavioral1/memory/2556-872-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/648-1845-0x0000000010480000-0x00000000104E1000-memory.dmp | upx

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | vbc.exe

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\install\server.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\install\ | vbc.exe
File created | C:\Windows\SysWOW64\install\server.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\install\server.exe | vbc.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2164 set thread context of 2556 | 2164 | 21a38605343548f2a186ef927892e4cf_JaffaCakes118.exe | 28

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2556 | vbc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
3032 | vbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3032 | vbc.exe
Token: SeDebugPrivilege | 3032 | vbc.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2556 | vbc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2164 wrote to memory of 2556 | 2164 | 21a38605343548f2a186ef927892e4cf_JaffaCakes118.exe | 28
PID 2556 wrote to memory of 1192 | 2556 | vbc.exe | 21
The 64 recorded events are repeats of these two rows: the sample writing into vbc.exe (PID 2556), followed by vbc.exe writing into PID 1192 (C:\Windows\Explorer.EXE in the process list below).
Processes
C:\Windows\Explorer.EXE (PID 1192)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\21a38605343548f2a186ef927892e4cf_JaffaCakes118.exe (PID 2164)
    command line: "C:\Users\Admin\AppData\Local\Temp\21a38605343548f2a186ef927892e4cf_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2556)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe (PID 648)
        command line: explorer.exe
        - Boot or Logon Autostart Execution: Active Setup
      C:\Program Files\Internet Explorer\iexplore.exe (PID 2720)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3032)
        command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\install\server.exe (PID 360)
          command line: "C:\Windows\system32\install\server.exe"
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 222KB
MD5: 6d96c0550723f2e821f2a1c718e8a5ae
SHA1: 5724fb890f79cfa85f6e8cd86add9cf25cd61cde
SHA256: a86cdda1e895a52f07aed278fd5c627a51a557d3af61e68078895cc268d3dc07
SHA512: ce7a441b63457970002741ff8fe1d27ed84f20e579aaa4a08248dc5a4a08a4684826a8443da9659c5a08d8dd3b3ca65207a018482194cd828813f5b1e69b9018

Filesize: 8B
MD5: 685a4767cdf1c26e9a8db17e213a3596
SHA1: 0ba31fbb8ce9868ad86bfb8a15e6394af4fd0ae4
SHA256: 310648b0df9a5b13f210f96d81e9c10357e22f7e8a1425ae7861f2d941e348a6
SHA512: 8e6983493a89cc38af99a1f8f789bb7dc48264636e70de34432225aeb7e202b1ee26ac0751d5d411cd6e93886ed4f590e2a0fe5bc0de9ac475d1603b9309a2a0

Filesize: 8B
MD5: 1adff5834fc5ce504dbe869b853c6b56
SHA1: 987e06e089673e297a9439cf02ff7f8ea4751bca
SHA256: 3599bdf2adb08dafb683ba2353a25ea28418efadcbc0998bae09066fb1aed793
SHA512: 35b294c847c113c27038fb580ddb4d1a3389d75d1367c535c1f48b7d06d5b11bdfa5f8e40603921652dd71b8bb806bee7475483180152f3677d3e4feee54a8ab

Filesize: 8B
MD5: 280b0751b9da46d3411055624a51bd7d
SHA1: ab154e068b0dce8e3e93f83f22657d5f6e4f3c5c
SHA256: 6aa5bedfa7735e5dc6786e405d3aa77915ab5306e66200073024a998de28c5c1
SHA512: 19c939c20b614144e45ef45e48764f90c2a3bce8dd3d5ac9940177f359a45ef59d580b55c4de480238065d18acf4f0d58b3690daf012409495226104dec92d47

Filesize: 8B
MD5: d6289e9a4f9eb4a407eeb47b494c11a1
SHA1: 13a29e426084fccf480a9145580868d93bdcd52b
SHA256: 7bc15b24498d505e1863744d7255db0eadf0b3c76ffa5d0bf8de74cff3619e42
SHA512: 48bc355447b82020d010dbff7eb3bcaf6ef786795dccfce708269d5c10686329328fd8532dbb1e64c1d0ab9b57fd6eb5fdd91ee5cf80408c2b758b69b1bd1e6e

Filesize: 8B
MD5: 76610dce580ab59c5bc8832b2600d854
SHA1: 58ab995c934a32e6507de5bb18ae6d1963626826
SHA256: b2b4da3443a7fb7d140d4774b36e01e1527be4b4dfc8d98e4a14c88f203df944
SHA512: 49416f850f3587ce74aea91315d991cededd041dec280dbfe789b29094c0819decd8114142afe81c9b905311987e6a1d9d127b24a9a2057735b5adc834253793

Filesize: 8B
MD5: bf90e46e000a011d4d33b13a9c474010
SHA1: f32beff68150f0a898c4244b39e539053a999e36
SHA256: 5f7a7c766841e73ab443fae5ffe1d57d90cfc7629f0120a03dbdf0f858038876
SHA512: 2e800d512679f327f7aea268c2c93e26c7ac839179095a76e5f74111f90f0c4865bdc1aac59bc732b8a0ad33584acda222760f0156152b0420bea6b9a6c2f2f3

Filesize: 8B
MD5: 3eb337a2fedea184bd171b3c54f49206
SHA1: c15b8c0fc560b310b1245c5f75470eaa8b7d78f2
SHA256: ac7233cad0e94e26a3dc29992af4bfddff224b5e48dcc649448837381baccd77
SHA512: 189197c1f1d60473c89c7c5406b1c279d9d90f6bbd868573567e7967e73c81a90d99e63b2f099ca9bb022464d6280e7637b60f3103ffa5a715726548db960f95

Filesize: 8B
MD5: d5ecccb42c2ae44b565a11fc489f76b3
SHA1: b8fbea9e8e93442f43c99980cf0ba80d4b8969f2
SHA256: c993520fac991d96fe81afe2406973efedf533693d2cec2fdae6bb07692219c7
SHA512: d76bc5b25f6527a9a77aa360aa75e3b90b69951143d514fce73def101f85bebdb28ba0693408a6eb8327c1ba70636bcc73855565eb886153d3b0c17deba8f7b9

Filesize: 8B
MD5: 4aee01b2fd666067365e5080202a20e2
SHA1: 8aa800358957e402926dd86d3eca196dceb42f0f
SHA256: 669cfc75dab9899ac246ce993eb11060d3ee35b2c71cd0f3bc5632980c7020ca
SHA512: 2c5e5f4a89217741613c61cc858510c9a11930c15c05ede5973dbd57e3811de0b2189ebb4fca70f8301e0bb826c0dd3eee768fa04fab3e5e98330118fb899f0a

Filesize: 8B
MD5: 1540fb4ea0c8aaf4b237871be1549983
SHA1: 79c76a782a467f44390950a746dccd111cb9d89a
SHA256: d61bae7b69cf8df55b1eca72ed8fa67fc11d53f4380c89a840661c750d0e0a23
SHA512: d738e2a84aeb71489cb27b87f8d5b754cfed35b8f803480bb7b15672ecd67e06bd6d3b524a3b280b96f01ec0f564df4e554b655f3564a5afda2a81ffdcb1de6a

Filesize: 8B
MD5: eee093797dfea11ef79c858893214f4e
SHA1: 3f458ab26751ac816371f4a1a26e89af27abdae2
SHA256: 4639ce7f9df771c6611003d7f82f4904f32336e0367453eed3f66bdb2c6ea5b4
SHA512: 8e7c0249306f30c41a41b403ac68cec4decbfdb8a151d9b7cbca2d110263ccbc20926e604c895855dda9a827d86b41544273ef044aa91bf15b037d82221214bd

Filesize: 8B
MD5: b0dd264238c3920781f0d63ff20b8922
SHA1: 1fe0b740ef1ed2f0cb4f6665b81cf7c17c8c7350
SHA256: 3a6fc3989130a9f70e84e5a890ea72d5076ffc9c5df77d70f934f738194c093e
SHA512: 2e0351dab8a972b946442c389719346ad8cdad6489e4b7a606d1036c7e7ede54f633a704c2bb74d30cbd58498e91094978664e83f6a0c7aaaf841eb37c47d259

Filesize: 8B
MD5: c3e95b4f74b8810e0e5cd4108d47bd40
SHA1: df2ae57b0021a8823de421ee72ecb9635ddc4284
SHA256: 8b7d06234ea75559d19b58c42bb013ddd36e1e96a24e39ebfb513bf09b5f6bef
SHA512: 42ee0235eb464d88dde8934715d8ada088cab6580338644555474dba29ec361e12f252785e1c09ad796af1e68e5ed972fd76c4513ecf9c491d5580a17cf1eabd

Filesize: 8B
MD5: e15c95dcaaf721bf0645ae5d8127ca86
SHA1: 4e9ca966b27cb4e85f1d7b028842b10def8fd310
SHA256: 04084f2261dfe754752d58af301a699b81095d3a99f7147e229609dde47368a8
SHA512: 1ff387f2762e2b27035fe2cf727677ab82df76a7ef4a9be146a3696c0d412d284e0f2248f47ee7bd00f4065c636b8073346e9aa44a4d613a37decc7875ed94e9

Filesize: 8B
MD5: a60db2963c8219b90bb8d3dab37406ab
SHA1: 157d64cecc973279b45a2ded8d7fa58acdba2162
SHA256: d4311700580dbee567f5ebaf9dabe553bec92cd97ff2f0cbd8c5f9b210aecd5c
SHA512: 978c8dbac02b03e2dab04dff10926020a4c5545d7df37b4d9b1c66db2d51088190f6788859877aa2248ec5b75d219a0a7475fa9adad628c0cb98e861b683a7bd

Filesize: 8B
MD5: da265a02fd260a166206f1c2b42ac697
SHA1: 17862f6c3023dcd443da03e47c2a08e1bcfcb6c0
SHA256: cb44a228a86aeaca5ea94a53cf3a374698bdac63fa8916a9a2d1f66ef15734f8
SHA512: a38fcb97de9c12efce6c86052f9b41110e9cc23453100284993ce337914323b66511ddeab33cc70f0a9cadfcf4604ac60ad82f23791f3751af9d6f08beacb123

Filesize: 8B
MD5: 21e8c7143796043df0aa4d9efd7a1dc8
SHA1: 57f3d85a4a6da7e116dbcaa12c2f2dda408b9d25
SHA256: 36ca9c0778f2ac1bedad77292351ae8a52211496cda5663b2177b2aff7a3918b
SHA512: ab67ae135ac203a453148a96b9393debebc5f2cac8275928ccb30ceec2be9b21f494d5ce5f51739dd85f5518fd5969c504b0bf6b99c72c30f40949cf2c2b3f59

Filesize: 8B
MD5: 0d5a0b2413aa01f57514b072ec6271ba
SHA1: eeb6237dd664d7f97b2f1e66560ae7097fcb05e0
SHA256: 0882ef606acfd1bef4c3a5920bd09117c27f5602ff63ecf4b396f26fcdefc04e
SHA512: 1aa8f563942fda00466c00342a98a2d4999eda9e1bc08c8c68dbc1a7c66ea86cb4ff250a460b8ab846c311eacb34588f761ca911e9058aa858b0845009a81495

Filesize: 15B
MD5: bf3dba41023802cf6d3f8c5fd683a0c7
SHA1: 466530987a347b68ef28faad238d7b50db8656a5
SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Filesize: 1.1MB
MD5: 34aa912defa18c2c129f1e09d75c1d7e
SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98