Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-07-2024 10:56

General

  • Target

    221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe

  • Size

    400KB

  • MD5

    221e346418983460f083918f7ae5c8b1

  • SHA1

    8374f92bdea380cece6ca3c8757b550afde10985

  • SHA256

    fffed4b522cd8effd6914c90b628fdf705862c0954705bd1ad3bc20413de2de5

  • SHA512

    d212a3ae8c9cbc2bcf4dcead64187884530b683aa2f6887d9481ef82d747f3077056f5f0ebc255305e03f58c9fc6fc83d8f93fce27dfe8c0145974d3fe12bd0e

  • SSDEEP

    12288:dIUfb4u+831O2HSu8XFXvYRl9FmTJybvsBNZ:dILuSn09FmTKvsfZ

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Master

C2

kasur.no-ip.info:81

Mutex

***MUTEX*** (the CyberGate builder's default mutex string, left unchanged by the operator)

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • ftp_password

    123456

  • ftp_port

    21

  • ftp_server

    ftp.t35.com

  • ftp_username

    khan14.t35.com

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    texto da mensagem (Portuguese builder placeholder: "message text")

  • message_box_title

    título da mensagem (Portuguese builder placeholder: "message title")

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
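The extracted configuration above is directly usable for detection: the C2 host and port, the FTP exfiltration server, the install directory and file name, and the sample hashes are all concrete indicators. The following is an added example, not part of the sandbox report or of any CyberGate tooling, that flattens that configuration into an IOC set and matches it against Sysmon-style events. The event field names (EventType, Image, Hashes, QueryName, DestinationHostname, DestinationPort, TargetObject, Details) are assumptions modelled on Sysmon, the sample events are constructed for the demonstration, and the C:\Windows prefix for the install path is taken from the process tree rather than from the configuration itself.

```python
"""Added example (not the sandbox's or CyberGate's code): turn the extracted
CyberGate configuration into an IOC set and match it against Sysmon-style
events. Field names are assumptions modelled on Sysmon; events are constructed.
"""
from typing import Dict, List

# Values copied from the "Malware Config" section of this report.
CYBERGATE_CONFIG = {
    "c2": "kasur.no-ip.info:81",
    "ftp_server": "ftp.t35.com",
    "ftp_port": 21,
    "install_dir": "install",
    "install_file": "server.exe",
    "mutex": "***MUTEX***",
}
SAMPLE_SHA256 = "fffed4b522cd8effd6914c90b628fdf705862c0954705bd1ad3bc20413de2de5"


def build_iocs(cfg: Dict) -> Dict:
    """Flatten the config into lookup sets. Hosts are lower-cased because the
    C2 is a dynamic-DNS name and log sources differ in case."""
    host, port = cfg["c2"].rsplit(":", 1)
    # The report shows the dropped copy at C:\Windows\install\server.exe, so
    # C:\Windows is assumed as the prefix for <install_dir>\<install_file>.
    install_path = rf"c:\windows\{cfg['install_dir']}\{cfg['install_file']}"
    return {
        "hosts": {host.lower(), cfg["ftp_server"].lower()},
        "ports": {int(port), int(cfg["ftp_port"])},
        "install_path": install_path.lower(),
        "hashes": {SAMPLE_SHA256.lower()},
    }


def _sha256_from_hashes_field(hashes: str) -> str:
    """Sysmon writes 'MD5=..,SHA256=..'; return the SHA256 part, lower-cased."""
    for part in hashes.split(","):
        if part.strip().upper().startswith("SHA256="):
            return part.strip()[7:].lower()
    return ""


def match_events(iocs: Dict, events: List[Dict]) -> List[Dict]:
    """Return one hit per event that touches a CyberGate IOC, with reasons."""
    hits = []
    for ev in events:
        reasons = []
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            if ev.get("Image", "").lower() == iocs["install_path"]:
                reasons.append("execution from CyberGate install path")
            if _sha256_from_hashes_field(ev.get("Hashes", "")) in iocs["hashes"]:
                reasons.append("known sample SHA256")
        elif kind in ("DnsQuery", "NetworkConnect"):
            host = (ev.get("QueryName") or ev.get("DestinationHostname") or "").lower()
            port = ev.get("DestinationPort")
            if host in iocs["hosts"]:
                reasons.append(f"contact with configured host {host}")
                if port in iocs["ports"]:
                    reasons.append(f"on configured port {port}")
            # Port 81 or 21 alone is deliberately not alerted on: far too
            # common to be a useful signal without the hostname.
        elif kind == "RegistryValueSet":
            if iocs["install_path"] in ev.get("Details", "").lower():
                reasons.append("autostart value points at dropped server.exe")
        if reasons:
            hits.append({"event": ev, "reasons": reasons})
    return hits


# Constructed telemetry: five events that should match and two that should not.
# The Run value name "HKCU" mirrors the report's regkey_hkcu field; the key
# path is assumed.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\install\server.exe",
     "Hashes": "MD5=221e346418983460f083918f7ae5c8b1,SHA256=" + SAMPLE_SHA256},
    {"EventType": "DnsQuery", "QueryName": "kasur.no-ip.info"},
    {"EventType": "NetworkConnect", "DestinationHostname": "kasur.no-ip.info", "DestinationPort": 81},
    {"EventType": "NetworkConnect", "DestinationHostname": "ftp.t35.com", "DestinationPort": 21},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HKCU",
     "Details": r"C:\Windows\install\server.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe", "Hashes": "SHA256=00"},
    {"EventType": "NetworkConnect", "DestinationHostname": "intranet.example", "DestinationPort": 81},
]

if __name__ == "__main__":
    for hit in match_events(build_iocs(CYBERGATE_CONFIG), SAMPLE_EVENTS):
        print(hit["event"]["EventType"], "->", "; ".join(hit["reasons"]))
```

The FTP credentials in the configuration (ftp.t35.com, user khan14.t35.com) identify where keylogs were meant to land; they are useful for attribution and takedown requests, but the host name, not the credentials, is what belongs in a network detection.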

Signatures

  • CyberGate, Rebhip

    CyberGate (Rebhip is a common antivirus alias for it) is a Delphi-based remote access trojan (RAT) with a wide array of functionalities; this build has the keylogger enabled and is configured to upload its logs over FTP.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system. This signature fires on write-capable access to the raw physical disk; nothing else in this report (no dropped boot code, no boot-level component) corroborates a bootkit, so treat the hit as raw-disk access by the RAT rather than confirmed MBR tampering until the disk's first sector has been compared against a known-good copy.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"
        3⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
            PID:2576
          • C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"
            4⤵
            • Loads dropped DLL
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2592
            • C:\Windows\install\server.exe
              "C:\Windows\install\server.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:2560
              • C:\Windows\install\server.exe
                "C:\Windows\install\server.exe"
                6⤵
                • Executes dropped EXE
                • Writes to the Master Boot Record (MBR)
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                PID:2656
                • C:\Windows\install\server.exe
                  "C:\Windows\install\server.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1520
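The tree above shows the classic RunPE pattern: the sample spawns a copy of itself, the parent shows WriteProcessMemory and SetThreadContext, and the copy in turn repeats the step, three levels deep for the original file and again for the dropped server.exe. Note also that the configuration names explorer.exe as the injection target, while the tree shows an iexplore.exe child (PID 2576) with no recorded behaviour. The following is an added example, not part of the sandbox report, that encodes the tree as data and applies a hollowing heuristic to it: a child is flagged when its image path equals its parent's and the parent shows SetThreadContext, the call that redirects a suspended child's main thread after its image has been overwritten. The record layout (pid, ppid, image, apis) is an assumption; the values are transcribed from the tree.

```python
"""Added example (not the sandbox's code): process-hollowing heuristic over the
process tree transcribed from this report. Record layout is an assumption.
"""
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"
SERVER = r"C:\Windows\install\server.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"

# PID, parent PID, image and the per-process signatures listed in the tree.
PROCESS_TREE = [
    {"pid": 2552, "ppid": None, "image": SAMPLE,
     "apis": {"SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"}},
    {"pid": 3068, "ppid": 2552, "image": SAMPLE,
     "apis": {"SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"}},
    {"pid": 3056, "ppid": 3068, "image": SAMPLE, "apis": {"WriteProcessMemory"}},
    {"pid": 2576, "ppid": 3056, "image": IEXPLORE, "apis": set()},
    {"pid": 2592, "ppid": 3056, "image": SAMPLE, "apis": {"AdjustPrivilegeToken"}},
    {"pid": 2560, "ppid": 2592, "image": SERVER, "apis": {"SetThreadContext", "SetWindowsHookEx"}},
    {"pid": 2656, "ppid": 2560, "image": SERVER, "apis": {"SetThreadContext", "SetWindowsHookEx"}},
    {"pid": 1520, "ppid": 2656, "image": SERVER, "apis": set()},
]


def _basename(path: str) -> str:
    # os.path.basename would not split a Windows path on a POSIX host.
    return path.rsplit("\\", 1)[-1]


def find_hollowed_children(tree: List[Dict]) -> List[Dict]:
    """Flag each process whose parent has the same image and used
    SetThreadContext. WriteProcessMemory on the parent is recorded as
    supporting evidence but not required: the sandbox did not attribute it to
    the server.exe stages, yet they show the same respawn pattern."""
    by_pid = {p["pid"]: p for p in tree}
    flagged = []
    for proc in tree:
        parent = by_pid.get(proc["ppid"])
        if parent is None:
            continue
        same_image = proc["image"].lower() == parent["image"].lower()
        if same_image and "SetThreadContext" in parent["apis"]:
            flagged.append({
                "pid": proc["pid"],
                "ppid": parent["pid"],
                "image": _basename(proc["image"]),
                "parent_wrote_memory": "WriteProcessMemory" in parent["apis"],
            })
    return flagged


def same_image_depth(tree: List[Dict], pid: int) -> int:
    """How many generations of same-image respawn lead to this PID (1 = none).
    A depth above 2 for an ordinary user program is itself worth an alert."""
    by_pid = {p["pid"]: p for p in tree}
    proc = by_pid[pid]
    depth = 1
    while proc["ppid"] in by_pid and \
            by_pid[proc["ppid"]]["image"].lower() == proc["image"].lower():
        proc = by_pid[proc["ppid"]]
        depth += 1
    return depth


if __name__ == "__main__":
    for hit in find_hollowed_children(PROCESS_TREE):
        print(f"PID {hit['pid']} ({hit['image']}) likely hollowed by PID {hit['ppid']}, "
              f"parent WriteProcessMemory seen: {hit['parent_wrote_memory']}")
    print("respawn depth of PID 2592:", same_image_depth(PROCESS_TREE, 2592))
```

The heuristic deliberately misses PID 2592, whose parent shows only WriteProcessMemory; on a real host you would close that gap with Sysmon Event ID 10 (ProcessAccess) or 8 (CreateRemoteThread) carrying the child as TargetImage, since the sandbox attributes each API call to the caller without naming the target.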


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      229KB

      MD5

      f3885c07bb0fca089e7a38c6df0e7776

      SHA1

      0d351c5f036b763dd1ee94110a9ca9639c7a9d3d

      SHA256

      f9c223a62d727ab28458f1eda6454577f2f38cc48be6e9ab4fb7d4a47d36b3b3

      SHA512

      37e8c84db2065e20d8a4f5a49e2def160ba8ccddde6982efc0ffb4f8b932715bc4fd64315390a0a2145adcf2db9f9d058abf84573eec925444f464c7df873ce5

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      488778771e62d2424bdff3b72b23b59d

      SHA1

      2c07c6d790f78cf91dadc70145fa5a771a70d7f4

      SHA256

      cf860cecaf39e3c2b26d395e816caa5354a8a5b833eff4517489d1514f5821d7

      SHA512

      bef3c23a02840930844ea4c14212e935966b9503ab228096ec9ff59af4cb7a1d2f450b0b2955fe2d08f607da55696a7a89518e8b97e87a719e8c897f67a9eca3

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      d49a39318e24bc685cdfbac4ee53cf20

      SHA1

      9e967cd55602e2f05b4a8bd7db3a10d626d7923d

      SHA256

      300d998afc6558928d343275b9dde9ba13054626213acc821a18544ae8b181d2

      SHA512

      3754756b255f66bfd3a78d8efae232efa02371c8960c7a8197b3f4275b574e55b9106b61cf892987a72f80f693803bc57fd8ae687115f543ac644dc6810b27af

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      a28bf5281aa07e18065c61527aeee590

      SHA1

      ab5f758c2d54c3ab1e659a1c5dbf810894567ff5

      SHA256

      17c21aa52bfa189c09489fcd1f6944001fc65829db8237e91b2deeba03a9a04a

      SHA512

      eedb817912c1fa53260a3be2e6dac995e612974dcc5db5f4db6be031b2c7bd2066fc925b5927a0384948678ade6a8e4d173c4f42683a1d4035a572c891e74f5f

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      d9a3f24f624a69db44cc7fedb100a301

      SHA1

      6bb3efa8d63c8002b8862d8c85093c49275ecba8

      SHA256

      575dec53e32ec346efc40f78a4a4b4d861427d4794d18f50e1890f2d895c6c0b

      SHA512

      c7562ab973c5f6e6457b82c9329d1462d82b1eff9e88b8e243acfe628dd949eab47fce4aa0c7848481756f948def5241408ae250158a42d1cac63bf643ebde21

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      ccd6e50083221d08c7514e0d05ba10cd

      SHA1

      42ffd0572d05001476f2827d8a06e1541bd0a634

      SHA256

      d8f5c6d36f04f293f3b56eec5181e4b188e972a239c9941134d04ce6be8dac8f

      SHA512

      1b7d2368dca70f33db52c4c08fc8f2d634089e7c8800256f1477e881b52eabfe0b1154ec233a400c8a9e0dfe867f8f65175dc30fdb8758d71b8afd1bbbd4613d

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      e440919eed160ffdfeeafb6e6001e074

      SHA1

      12c5d8bbba38b84eb6331d7ef0d12a399acc2a89

      SHA256

      5c43c26f0587a228146d5689803453718d2b47b4f6cd432683a4393ec2d0ee49

      SHA512

      517db05066f73423a33799f420c28c8857219cb4396d1dc6855f2378c726cc431ba6a5fbdb317b578ca709a820914ca6b97e4a0190b3c944a9955f71a88b7269

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      6c505a18e1bffc7efe1274f0e6d51e84

      SHA1

      939dfdff7356fef9c244fb0c88cffbcc1a352e61

      SHA256

      6fd46cf1b46a5d04ffee480ab1eafaabc0ca6813a730dfbb9368206505656e49

      SHA512

      5f893eb1f40050199408a6731387f06100ba8166fc265bbb15c55d7187a7c9a0335bcd613c7bc9b090f6b69bfbafe3419d8a0ccffa9af0da11d32b1574889378

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      98cb8a77527d82841d4b485278dffcd2

      SHA1

      088cde87e094721c03592682400091bc7c491739

      SHA256

      69133dd19cc5921b82c7b8f74f16e65f4877b7cfcbe3e87bc90685d27faa5cbe

      SHA512

      301aa6715ebf2f61dbb41f471fa5fdc9bedf84d0c91f96ef7dc085711bb032c3b92f8e11b80024649af688530e886dc431a46a16936c72ce56f77585cec24770

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      c03df24760e3fabd9e1aa48988c8fdbd

      SHA1

      e37302c6e0f3dee26b76aa61cf9b71c63041e702

      SHA256

      3e2178d21dcb6a1a90296b0369fc5baa3096ea4b543a9d4bfbe17e16c5bb2606

      SHA512

      3281d5b0e2f6650725dd3159ad0354343e6bfb222f73870ed86f201005b6417077d7ef2148616029a6ed8841914462043ca364c52712956b5da36bd44ba5b38b

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      6e6735136138bceec2f3ee7d16af9a57

      SHA1

      1f924c838f788fe9788c7218c036aadfa0fc16f4

      SHA256

      f437aded1052908ffb08d1e93a98427b91c330e9313f7e52e2a72dec4b04cb82

      SHA512

      f24839c0fe25efddc5488d3c100f14800d5ea63946b8e0aa8fb84b251d3c82b54dc1812aef521683a40f8ab8d5cc0327e40e385c15a5b2ae77a0d9c1ad1ef43c

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      8d2448f3983a5e845a527fbfee1d8183

      SHA1

      d00d84dc894b103bc574121c4d30c0a93a1ab48b

      SHA256

      7956acd25ef901c50554f47c65fbbddfc7a6b6836f7a1a138aef1a593089dea9

      SHA512

      225f9225aa5ffe49966a29a76c06dfaa85bb998adc2930b5af379001c380fd7d98fd4ba6b059380ead41baf2e26338c74dd5c5a166b3dff5bb6089748a638ee7

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      6e458969da40d42d4e51ab190f6de7e3

      SHA1

      120d333f07d881ecba40120bcac373d041698566

      SHA256

      2c8d8339502f70eed942aef51f37c2c3fa10bc2239f8c763e99bc0c370eb0883

      SHA512

      ef9b02ee8c3ce77537e58ef96fd456e9e702b0e3ae56c64937f5c28a6657fc039038a6d3f996c70392a881b5663c6ef533f6d28919aa5931d5cfbc99ae28ed70

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      10613439a100b3b4f96a46f439f5e069

      SHA1

      7032404d3e9e0f2201494fbab2e0d7657cb8912a

      SHA256

      1fef0880b22c00a02c869c25113884c55e2c22e5d33c65d44abacba7e118c72c

      SHA512

      6c76479282ae942c403f3b9c34f03ad19c5006d02eead1c44a7a501e9154343202bd4ab415ae5fa61fed38e77ce7385ff5e6fcfb9bef994da46655c49c4158b9

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      a178f68a05a5810f659e8ed1471b8508

      SHA1

      40ba948bf9f7665fd5baeb5f2a993ae412247f4b

      SHA256

      82923e3d5f7eab01a970cc2a3f6ba53f5bf65fb1a2ce8670d3f4e06dacddba36

      SHA512

      5affe441d6805f68368c72df8b6b89d7f0b63902a4b6f6efaa2f97ee34a18224cc0276ae0cf7c0d5759cfe4ff643c14fd9ec73abebf962ca503db4394af7499f

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      4c4f7358101587ed8906ebfdf7d76357

      SHA1

      574ab48f1adec445761d99f4ffe6fa7f8cec4030

      SHA256

      d233cc45f414df7023d8da5f35fe036938fe6f6e85acb4805aecff95dfe9899d

      SHA512

      99518a29a53ea820b24c3f2fd52bbeb6a8911be92e5fdfc4a86c5018a71fb864bb90de73bdacb3ac1c2d57e04ae553ddb231feaf1e9f9951c8a745f7d987280c

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      9b14edfebdf92cd6064b7569b7512ff8

      SHA1

      153662bb8e8607aa7fd7701382e7363485325871

      SHA256

      1448ac13ad786ebdece1e2258c4caa038c25a5e8db49e955fed58c0b022dc1b5

      SHA512

      e68cdb21a7283e242f2eb342f56776fad946355408b1b5f4a9330cee859eba03b9dc48b15bfb895c243104141c676ec864b55613a642de28433614cb0a3b5b4c

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      fbb6fae1df1d3855a29ea997ca79f3c2

      SHA1

      d774b34bc52d9c59d6e2895966dde1119125f14b

      SHA256

      076d9ccfca73845e10a0a238cffb607b0b5de99f56b37d08d678a3831c8e1d28

      SHA512

      778cdeeb318d786f1ad803043deab5915152640855dda6b517f03ccfeb924695c74af4428e13b54d13594fefe909a6e9f674f50978b556e82e089002f894ee4f

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      ded5f41f1f5befcdce394885aa43c56f

      SHA1

      b26e9bde71b2a09d9757888d25e543d0305cb57a

      SHA256

      8f511f4cd171c083309ded625b5c39508b37a0718b8a472aec0d225446dc0bb8

      SHA512

      ec43fcd8de765abe3f082a11820ff7727396e04015ff7a4e8c6b442964ad311513e6db0e87130a63c1a54ad09e46b7738a259a01cc731ca4c167c36dca570f30

    • C:\Users\Admin\AppData\Roaming\logs.dat

      Filesize

      15B

      MD5

      e21bd9604efe8ee9b59dc7605b927a2a

      SHA1

      3240ecc5ee459214344a1baac5c2a74046491104

      SHA256

      51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

      SHA512

      42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

    • C:\Windows\install\server.exe

      Filesize

      400KB

      MD5

      221e346418983460f083918f7ae5c8b1

      SHA1

      8374f92bdea380cece6ca3c8757b550afde10985

      SHA256

      fffed4b522cd8effd6914c90b628fdf705862c0954705bd1ad3bc20413de2de5

      SHA512

      d212a3ae8c9cbc2bcf4dcead64187884530b683aa2f6887d9481ef82d747f3077056f5f0ebc255305e03f58c9fc6fc83d8f93fce27dfe8c0145974d3fe12bd0e

    • memory/1520-397-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/1520-392-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/2592-42-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

    • memory/2592-48-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

    • memory/2592-53-0x0000000000350000-0x0000000000351000-memory.dmp

      Filesize

      4KB

    • memory/2592-62-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

    • memory/2656-391-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

    • memory/2656-379-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

    • memory/3056-32-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/3056-25-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/3056-41-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

    • memory/3056-37-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

    • memory/3056-31-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/3056-337-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/3056-33-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/3056-34-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/3056-22-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/3056-18-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/3056-20-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/3056-30-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/3068-29-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

    • memory/3068-2-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

    • memory/3068-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/3068-4-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

    • memory/3068-6-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

    • memory/3068-17-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

    • memory/3068-12-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB