Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-07-2024 08:04

General

  • Target

    21a38605343548f2a186ef927892e4cf_JaffaCakes118.exe

  • Size

    856KB

  • MD5

    21a38605343548f2a186ef927892e4cf

  • SHA1

    776a716eb645ff0b2c15e49ba01c457524eb8ed7

  • SHA256

    c36aba246a8713f48a21515a9f5999190d89219299f3309f57bad8583765121f

  • SHA512

    1087fd151313ecf35fa65c4d9ab5a8bf29bd428b04f06b9912f92a8c69ce11047119662827d689b8fba412da087ec227de82e50916e734f6d928ca722a610c2d

  • SSDEEP

    24576:zKdeFhhvo3wHe8fAIwgw4lAAx9BhmroA:fHe8fAIwgw4lAAx9Bhm

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

pelegbar

C2

pelegbar.no-ip.info:82

Mutex

7H3BHP01O0G7EJ

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    gprhvnvn

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3408
      • C:\Users\Admin\AppData\Local\Temp\21a38605343548f2a186ef927892e4cf_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\21a38605343548f2a186ef927892e4cf_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1792
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:4940
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2192
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:4276
              • C:\Windows\SysWOW64\install\server.exe
                "C:\Windows\system32\install\server.exe"
                5⤵
                • Executes dropped EXE
                PID:4172

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

        Filesize

        222KB

        MD5

        6d96c0550723f2e821f2a1c718e8a5ae

        SHA1

        5724fb890f79cfa85f6e8cd86add9cf25cd61cde

        SHA256

        a86cdda1e895a52f07aed278fd5c627a51a557d3af61e68078895cc268d3dc07

        SHA512

        ce7a441b63457970002741ff8fe1d27ed84f20e579aaa4a08248dc5a4a08a4684826a8443da9659c5a08d8dd3b3ca65207a018482194cd828813f5b1e69b9018

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        ad69537bc3ba9642915bc00d24edf91e

        SHA1

        5661ba46a12bcd7c069593089bcf2e75abf2c641

        SHA256

        b12fa6c6b14256b073623581e6df19c3cab1d189343998f8f45a28b10d422492

        SHA512

        96bbc4a1d005e4f33b20a642830458a88386e618c6f69e49ce1fc79034fa61d34e31951150f0ddddd47476d9f46ca54a1a7148c2a658aed1eb041802ee60eced

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        1adff5834fc5ce504dbe869b853c6b56

        SHA1

        987e06e089673e297a9439cf02ff7f8ea4751bca

        SHA256

        3599bdf2adb08dafb683ba2353a25ea28418efadcbc0998bae09066fb1aed793

        SHA512

        35b294c847c113c27038fb580ddb4d1a3389d75d1367c535c1f48b7d06d5b11bdfa5f8e40603921652dd71b8bb806bee7475483180152f3677d3e4feee54a8ab

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        76610dce580ab59c5bc8832b2600d854

        SHA1

        58ab995c934a32e6507de5bb18ae6d1963626826

        SHA256

        b2b4da3443a7fb7d140d4774b36e01e1527be4b4dfc8d98e4a14c88f203df944

        SHA512

        49416f850f3587ce74aea91315d991cededd041dec280dbfe789b29094c0819decd8114142afe81c9b905311987e6a1d9d127b24a9a2057735b5adc834253793

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        e15c95dcaaf721bf0645ae5d8127ca86

        SHA1

        4e9ca966b27cb4e85f1d7b028842b10def8fd310

        SHA256

        04084f2261dfe754752d58af301a699b81095d3a99f7147e229609dde47368a8

        SHA512

        1ff387f2762e2b27035fe2cf727677ab82df76a7ef4a9be146a3696c0d412d284e0f2248f47ee7bd00f4065c636b8073346e9aa44a4d613a37decc7875ed94e9

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        280b0751b9da46d3411055624a51bd7d

        SHA1

        ab154e068b0dce8e3e93f83f22657d5f6e4f3c5c

        SHA256

        6aa5bedfa7735e5dc6786e405d3aa77915ab5306e66200073024a998de28c5c1

        SHA512

        19c939c20b614144e45ef45e48764f90c2a3bce8dd3d5ac9940177f359a45ef59d580b55c4de480238065d18acf4f0d58b3690daf012409495226104dec92d47

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        d6289e9a4f9eb4a407eeb47b494c11a1

        SHA1

        13a29e426084fccf480a9145580868d93bdcd52b

        SHA256

        7bc15b24498d505e1863744d7255db0eadf0b3c76ffa5d0bf8de74cff3619e42

        SHA512

        48bc355447b82020d010dbff7eb3bcaf6ef786795dccfce708269d5c10686329328fd8532dbb1e64c1d0ab9b57fd6eb5fdd91ee5cf80408c2b758b69b1bd1e6e

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        a60db2963c8219b90bb8d3dab37406ab

        SHA1

        157d64cecc973279b45a2ded8d7fa58acdba2162

        SHA256

        d4311700580dbee567f5ebaf9dabe553bec92cd97ff2f0cbd8c5f9b210aecd5c

        SHA512

        978c8dbac02b03e2dab04dff10926020a4c5545d7df37b4d9b1c66db2d51088190f6788859877aa2248ec5b75d219a0a7475fa9adad628c0cb98e861b683a7bd

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        bf90e46e000a011d4d33b13a9c474010

        SHA1

        f32beff68150f0a898c4244b39e539053a999e36

        SHA256

        5f7a7c766841e73ab443fae5ffe1d57d90cfc7629f0120a03dbdf0f858038876

        SHA512

        2e800d512679f327f7aea268c2c93e26c7ac839179095a76e5f74111f90f0c4865bdc1aac59bc732b8a0ad33584acda222760f0156152b0420bea6b9a6c2f2f3

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        3eb337a2fedea184bd171b3c54f49206

        SHA1

        c15b8c0fc560b310b1245c5f75470eaa8b7d78f2

        SHA256

        ac7233cad0e94e26a3dc29992af4bfddff224b5e48dcc649448837381baccd77

        SHA512

        189197c1f1d60473c89c7c5406b1c279d9d90f6bbd868573567e7967e73c81a90d99e63b2f099ca9bb022464d6280e7637b60f3103ffa5a715726548db960f95

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        4aee01b2fd666067365e5080202a20e2

        SHA1

        8aa800358957e402926dd86d3eca196dceb42f0f

        SHA256

        669cfc75dab9899ac246ce993eb11060d3ee35b2c71cd0f3bc5632980c7020ca

        SHA512

        2c5e5f4a89217741613c61cc858510c9a11930c15c05ede5973dbd57e3811de0b2189ebb4fca70f8301e0bb826c0dd3eee768fa04fab3e5e98330118fb899f0a

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        d5ecccb42c2ae44b565a11fc489f76b3

        SHA1

        b8fbea9e8e93442f43c99980cf0ba80d4b8969f2

        SHA256

        c993520fac991d96fe81afe2406973efedf533693d2cec2fdae6bb07692219c7

        SHA512

        d76bc5b25f6527a9a77aa360aa75e3b90b69951143d514fce73def101f85bebdb28ba0693408a6eb8327c1ba70636bcc73855565eb886153d3b0c17deba8f7b9

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        b0dd264238c3920781f0d63ff20b8922

        SHA1

        1fe0b740ef1ed2f0cb4f6665b81cf7c17c8c7350

        SHA256

        3a6fc3989130a9f70e84e5a890ea72d5076ffc9c5df77d70f934f738194c093e

        SHA512

        2e0351dab8a972b946442c389719346ad8cdad6489e4b7a606d1036c7e7ede54f633a704c2bb74d30cbd58498e91094978664e83f6a0c7aaaf841eb37c47d259

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        1540fb4ea0c8aaf4b237871be1549983

        SHA1

        79c76a782a467f44390950a746dccd111cb9d89a

        SHA256

        d61bae7b69cf8df55b1eca72ed8fa67fc11d53f4380c89a840661c750d0e0a23

        SHA512

        d738e2a84aeb71489cb27b87f8d5b754cfed35b8f803480bb7b15672ecd67e06bd6d3b524a3b280b96f01ec0f564df4e554b655f3564a5afda2a81ffdcb1de6a

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        c3e95b4f74b8810e0e5cd4108d47bd40

        SHA1

        df2ae57b0021a8823de421ee72ecb9635ddc4284

        SHA256

        8b7d06234ea75559d19b58c42bb013ddd36e1e96a24e39ebfb513bf09b5f6bef

        SHA512

        42ee0235eb464d88dde8934715d8ada088cab6580338644555474dba29ec361e12f252785e1c09ad796af1e68e5ed972fd76c4513ecf9c491d5580a17cf1eabd

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        eee093797dfea11ef79c858893214f4e

        SHA1

        3f458ab26751ac816371f4a1a26e89af27abdae2

        SHA256

        4639ce7f9df771c6611003d7f82f4904f32336e0367453eed3f66bdb2c6ea5b4

        SHA512

        8e7c0249306f30c41a41b403ac68cec4decbfdb8a151d9b7cbca2d110263ccbc20926e604c895855dda9a827d86b41544273ef044aa91bf15b037d82221214bd

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        da265a02fd260a166206f1c2b42ac697

        SHA1

        17862f6c3023dcd443da03e47c2a08e1bcfcb6c0

        SHA256

        cb44a228a86aeaca5ea94a53cf3a374698bdac63fa8916a9a2d1f66ef15734f8

        SHA512

        a38fcb97de9c12efce6c86052f9b41110e9cc23453100284993ce337914323b66511ddeab33cc70f0a9cadfcf4604ac60ad82f23791f3751af9d6f08beacb123

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        21e8c7143796043df0aa4d9efd7a1dc8

        SHA1

        57f3d85a4a6da7e116dbcaa12c2f2dda408b9d25

        SHA256

        36ca9c0778f2ac1bedad77292351ae8a52211496cda5663b2177b2aff7a3918b

        SHA512

        ab67ae135ac203a453148a96b9393debebc5f2cac8275928ccb30ceec2be9b21f494d5ce5f51739dd85f5518fd5969c504b0bf6b99c72c30f40949cf2c2b3f59

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        0d5a0b2413aa01f57514b072ec6271ba

        SHA1

        eeb6237dd664d7f97b2f1e66560ae7097fcb05e0

        SHA256

        0882ef606acfd1bef4c3a5920bd09117c27f5602ff63ecf4b396f26fcdefc04e

        SHA512

        1aa8f563942fda00466c00342a98a2d4999eda9e1bc08c8c68dbc1a7c66ea86cb4ff250a460b8ab846c311eacb34588f761ca911e9058aa858b0845009a81495

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        a909c23b08305bbc4b02e4dbe56bc809

        SHA1

        6acc2cfb2d5707967dd8419ecf280bd45cab1dcf

        SHA256

        0388c246a7d1decd95ec85a010948da0bfdbdef785ae84f79a9fe4dc193c4f56

        SHA512

        6c72bf07bf56724dbd7f1eea34e6a0767df47e83fe4260a79aef6ab583662276a33a97d40f33604ef212cb2ab47998c169d03924d5bb69e041b44de6713f6fd2

      • C:\Users\Admin\AppData\Roaming\cglogs.dat

        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\install\server.exe

        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

      • memory/1792-7-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/1792-8-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/1792-6-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/1792-12-0x0000000010410000-0x0000000010471000-memory.dmp

        Filesize

        388KB

      • memory/1792-14-0x0000000010410000-0x0000000010471000-memory.dmp

        Filesize

        388KB

      • memory/1792-16-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

      • memory/1792-148-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/1792-3-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/4072-9-0x0000000075330000-0x00000000758E1000-memory.dmp

        Filesize

        5.7MB

      • memory/4072-1-0x0000000075330000-0x00000000758E1000-memory.dmp

        Filesize

        5.7MB

      • memory/4072-0-0x0000000075332000-0x0000000075333000-memory.dmp

        Filesize

        4KB

      • memory/4072-2-0x0000000075330000-0x00000000758E1000-memory.dmp

        Filesize

        5.7MB

      • memory/4276-1469-0x0000000010560000-0x00000000105C1000-memory.dmp

        Filesize

        388KB

      • memory/4276-150-0x0000000010560000-0x00000000105C1000-memory.dmp

        Filesize

        388KB

      • memory/4940-17-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

        Filesize

        4KB

      • memory/4940-18-0x0000000001260000-0x0000000001261000-memory.dmp

        Filesize

        4KB

      • memory/4940-1003-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

      • memory/4940-78-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB