Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 12:10

General

  • Target

    225afa7e2a39abb395ab610a888f2bd5_JaffaCakes118.exe

  • Size

    440KB

  • MD5

    225afa7e2a39abb395ab610a888f2bd5

  • SHA1

    b148905c142b5071babdfe9cf8263cf7d9c8bc72

  • SHA256

    31bb10fc6a6daf6516f02d7f9ebdf24434575947a5e7ad85b7b16a972dbe0cc8

  • SHA512

    ada2717430d88b95f281f1267e86d445730836132c44324418ded95a97e0a4cc1c795fa25ce2b6f305c4efdb998a911001e4df71188406253afbf318a9e5ff8b

  • SSDEEP

    6144:dZuuObR8sVImcyYAHVnuSmJgaDRvBv1sI4fVLdW3WJaz+2HNd62wiWrFuC6VHp:iV+mz5VY5Bv1sldIkBpiVPJp

Malware Config

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\225afa7e2a39abb395ab610a888f2bd5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\225afa7e2a39abb395ab610a888f2bd5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\MSN.exe
      "C:\MSN.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2116
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 516
        3⤵
        • Program crash
        PID:3716
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2116 -ip 2116
    1⤵
      PID:1960

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSN.exe

      Filesize

      283KB

      MD5

      ff808f958e34ec3736fd8af03b62f67a

      SHA1

      c7c3a477e6262701f3c95a167844f2e7fae80711

      SHA256

      1bb759f0e2aee5670e5b8195736bab59f7d212bbaad745430f01c746b6b815e5

      SHA512

      dfe9adf4b34ee754b0c765e14445d74cba0396cd45c3fb05652ab91bc2a9e90a39480c31309b4be1752528f53a6dd74f7780a94183fe1abc3ecb4ae4d66f8ecc

    • memory/2116-10-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

    • memory/2368-9-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB