Analysis
max time kernel: 149s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 10-07-2024 10:19
Static task: static1
Behavioral task: behavioral1
  Sample: 3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe
Size: 898KB
MD5: 3451d7d80ab7d8ba5c4b5360d5f95991
SHA1: b2de34e87916a19cfb310304edd6387b888fa3c8
SHA256: ff0a344bf3ab1be8a1356996af1afeb4d9692f1831ac9db11be596201ce15c8a
SHA512: d0b084ed5c28d7682899f00b2e7021cc4f2f5d3d4a7e9e19ce9263930314c19aa5f7d79e10a907cce4322c5a8d37c967a5cc77b056d65cc4552078934ff3ce05
SSDEEP: 12288:SFNjV1tVJcGXNkdEj0CnGmQN6azCwTL0qVaHJyYcb/4wmcFkAQqOn1:OV9xoEBGLIaz3PJEpyYccwmcGfh1
Malware Config
Extracted
Family: cybergate
Version: 2.6
Campaign/identification: ضحية (the extraction rendered this cp1256-encoded value as "ÖÍíÉ"; it is the Arabic word for "victim")
C2: m6nsh321.zapto.org:288
Mutex: ***MUTEX***
enable_keylogger: true
enable_message_box: true
ftp_directory: ./logs/
ftp_interval: 30
injected_process: svchost.exe
install_file: Win_Xp.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Corrupted file Can try to time the end
message_box_title: Error
password: abcd1234
Signatures

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe, crypted.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crypted.exe" (explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML} (crypted.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crypted.exe Restart" (crypted.exe)
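Two things about the Active Setup entries above are worth turning into a hunt. First, the StubPath points into a user-writable temp directory instead of the Windows or Program Files trees. Second, the component name {218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML} contains letters such as Q, V, M and L that cannot appear in a real CLSID, which is a cheap, high-confidence indicator on its own. Active Setup runs each HKLM Installed Components StubPath at logon for any user whose HKCU copy of the key is missing or carries a lower Version, so an entry like this fires once for every account that logs on; on 64-bit hosts the Wow6432Node view seen here and the native key both need checking. The Python below is an added example, not part of the sandbox report: it parses a small .reg-style export (constructed here, with one benign-looking entry plus the component recorded in this report) and flags keys on either criterion. The trusted-prefix list and the .reg subset it parses are assumptions made for the example.

```python
"""Audit an Active Setup registry export for StubPath persistence.

Added example, not part of the sandbox report. Parses a minimal .reg export
(constructed below) and flags Installed Components entries whose StubPath runs
from outside the Windows/Program Files trees or whose name is not a hex GUID.
"""
import re

# Key suffix under HKLM\SOFTWARE (and HKLM\SOFTWARE\Wow6432Node on 64-bit hosts)
ACTIVE_SETUP_SUFFIX = "\\microsoft\\active setup\\installed components\\"
# A CLSID-style component name: hex digits only, 8-4-4-4-12, in braces
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.I)
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Roots treated as legitimate StubPath locations (assumption for this example)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed .reg export: one benign-looking entry plus the entry from the report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"
"Version"="9,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}]
"StubPath"="C:\\Users\\Admin\\AppData\\Local\\Temp\\crypted.exe Restart"
'''


def unescape_reg(value):
    """Undo .reg string escaping: a backslash escapes the character after it."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: string_value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = unescape_reg(m.group(2))
    return keys


def stub_executable(stub_path):
    """Return the executable part of a StubPath command line (quoted or not)."""
    s = stub_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.*?\.(?:exe|dll|cmd|bat|scr))(?:\s|$)", s, re.I)
    return m.group(1) if m else s.split(" ", 1)[0]


def audit_active_setup(reg_text):
    """Return one finding per Installed Components key whose StubPath looks abused."""
    findings = []
    for key_path, values in parse_reg_export(reg_text).items():
        if ACTIVE_SETUP_SUFFIX not in key_path.lower():
            continue
        stub = values.get("StubPath")
        if stub is None:
            continue  # no StubPath: nothing runs at logon for this component
        component = key_path.rsplit("\\", 1)[-1]
        exe = stub_executable(stub)
        reasons = []
        if not GUID_RE.match(component):
            reasons.append("malformed-guid")       # real CLSIDs are hex only
        if not exe.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("untrusted-stubpath")   # runs from a user-writable location
        if reasons:
            findings.append({"key": key_path, "component": component, "stub_path": stub,
                             "stub_exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_active_setup(SAMPLE_REG):
        print(f["component"], f["stub_exe"], ", ".join(f["reasons"]))
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg /y` (and the Wow6432Node path) produces input in this shape; a StubPath under Windows or Program Files with a proper GUID is the normal case, so anything the audit returns deserves a look.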
Executes dropped EXE (1 IoC)
Processes: crypted.exe (pid 2404)

Loads dropped DLL (1 IoC)
Processes: 3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe (pid 2260)

YARA rule match: upx
Resources:
- behavioral1/memory/2404-291-0x0000000000400000-0x0000000000459000-memory.dmp (rule: upx)
- behavioral1/memory/2404-898-0x0000000000400000-0x0000000000459000-memory.dmp (rule: upx)

Drops desktop.ini file(s) (1 IoC)
Processes: explorer.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini (explorer.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes: 3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe
- PID 2260 (3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe) set thread context of 2404 (crypted.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: crypted.exe (pid 2404, 2 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: 3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe (pid 2260)
- Token: 33 (pid 2260)
- Token: SeIncBasePriorityPrivilege (pid 2260)
- Token: 33 (pid 2260)
- Token: SeIncBasePriorityPrivilege (pid 2260)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: crypted.exe (pid 2404), explorer.exe (pid 1288)

Suspicious use of SendNotifyMessage (1 IoC)
Processes: explorer.exe (pid 1288)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: 3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe (pid 2260)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe, crypted.exe
- PID 2260 (3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe) wrote to memory of 2404 (crypted.exe): 8 entries
- PID 2404 (crypted.exe) wrote to memory of 1196 (Explorer.EXE): the remaining 56 of the 64 listed entries
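Read together, the SetThreadContext and WriteProcessMemory entries above describe two different cross-process relationships: the sample (pid 2260) writes repeatedly into the child it spawned (pid 2404, crypted.exe) and then resets that child's thread context, which is the shape of process hollowing, while crypted.exe writes into the already-running shell (pid 1196, Explorer.EXE), a process it did not create. The config names svchost.exe as the injection target, but the only cross-process writes the sandbox recorded go to crypted.exe and Explorer.EXE. The Python below is an added example, not part of the report, that correlates such events into per-pair findings. The event stream is constructed in a simple "api src_pid src_image dst_pid dst_image" shape to follow the report's pids with a shorter list of writes; the sandbox does not record whether the child was created suspended, so the verdicts are labelled candidates, and the ATT&CK id mapping is a choice made for this example.

```python
"""Correlate cross-process API events into injection findings.

Added example, not part of the sandbox report. It consumes a constructed event
stream in the shape "api src_pid src_image dst_pid dst_image" and groups
WriteProcessMemory / SetThreadContext / CreateProcess calls per (source, target).
"""
from collections import defaultdict

SAMPLE = "3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe"

# Constructed events that follow the report's tree and pids
# (1196 Explorer.EXE -> 2260 sample -> 2404 crypted.exe -> 1288 explorer.exe);
# the real report lists 64 writes, this stream keeps 8 + 3 of them.
SAMPLE_EVENTS = (
    [f"CreateProcess 1196 Explorer.EXE 2260 {SAMPLE}",
     f"CreateProcess 2260 {SAMPLE} 2404 crypted.exe"]
    + [f"WriteProcessMemory 2260 {SAMPLE} 2404 crypted.exe"] * 8
    + [f"SetThreadContext 2260 {SAMPLE} 2404 crypted.exe",
       "CreateProcess 2404 crypted.exe 1288 explorer.exe"]
    + ["WriteProcessMemory 2404 crypted.exe 1196 Explorer.EXE"] * 3
)

# ATT&CK ids per verdict (mapping chosen for this example)
ATTACK_IDS = {
    "process-hollowing-candidate": "T1055.012",
    "thread-hijack-candidate": "T1055.003",
    "remote-write-into-existing-process": "T1055",
    "write-into-own-child": "T1055",
}


def parse_events(lines):
    """Turn event lines into (api, src_pid, src_image, dst_pid, dst_image) tuples."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # ignore lines that are not in the expected shape
        api, src, src_img, dst, dst_img = parts
        events.append((api, int(src), src_img, int(dst), dst_img))
    return events


def classify(src, dst, children, ctx_pairs):
    """Verdict for one (source, target) pair from what the source did to it."""
    own_child = dst in children[src]
    if (src, dst) in ctx_pairs:
        # write + SetThreadContext on a process you created is the hollowing shape;
        # on a process you did not create it is a thread-context hijack
        return "process-hollowing-candidate" if own_child else "thread-hijack-candidate"
    return "write-into-own-child" if own_child else "remote-write-into-existing-process"


def detect_injection(lines):
    """Return one finding per (source, target) pair that was written to or re-contexted."""
    children = defaultdict(set)   # creator pid -> pids it created
    writes = defaultdict(int)     # (src, dst) -> WriteProcessMemory count
    ctx_pairs = set()             # (src, dst) pairs with a SetThreadContext call
    images = {}
    for api, src, src_img, dst, dst_img in parse_events(lines):
        images[src], images[dst] = src_img, dst_img
        if api == "CreateProcess":
            children[src].add(dst)
        elif api == "WriteProcessMemory" and src != dst:
            writes[(src, dst)] += 1
        elif api == "SetThreadContext" and src != dst:
            ctx_pairs.add((src, dst))
    findings = []
    for src, dst in sorted(set(writes) | ctx_pairs):
        kind = classify(src, dst, children, ctx_pairs)
        findings.append({
            "source": f"{src} {images[src]}",
            "target": f"{dst} {images[dst]}",
            "writes": writes.get((src, dst), 0),
            "set_thread_context": (src, dst) in ctx_pairs,
            "kind": kind,
            "attack": ATTACK_IDS[kind],
        })
    return findings


if __name__ == "__main__":
    for f in detect_injection(SAMPLE_EVENTS):
        print(f"{f['source']} -> {f['target']}: {f['kind']} ({f['attack']}), writes={f['writes']}")
```

The "remote-write-into-existing-process" tier is deliberately the weakest verdict: writes into Explorer.EXE next to FindShellTrayWindow calls are also what legitimate software does when it enumerates taskbar buttons through the tray toolbar window, so that pair wants an analyst to look at what was written, whereas the write-then-SetThreadContext pair on a freshly created child rarely has a benign explanation.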
Processes
1. C:\Windows\Explorer.EXE (pid 1196)
   Command line: C:\Windows\Explorer.EXE
2. C:\Users\Admin\AppData\Local\Temp\3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe (pid 2260, child of 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\crypted.exe_v384A4DD4\TheApp\STUBEXE\@APPDATALOCAL@\Temp\crypted.exe (pid 2404, child of 2)
   Command line: C:\Users\Admin\AppData\Local\Temp\crypted.exe
   - Boot or Logon Autostart Execution: Active Setup
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\explorer.exe (pid 1288, child of 3)
   Command line: explorer.exe
   - Boot or Logon Autostart Execution: Active Setup
   - Drops desktop.ini file(s)
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
  Filesize: 240KB
  MD5: d12e83fba2a1197b9090af6265363794
  SHA1: 49193d779bf5e6e279b833d5643e183caf294848
  SHA256: 3cbef4e9983edba5c851d4527975aaa19c7012e58663e82f93b35343e43ab0bf
  SHA512: 5a6b4bc7cd92a5a9fd5db3c0926408ee9b44458830c19bea43e839bb31cd1f96e51e459d55db9ada4dabb69e156ffbbd1514f25f51b98be6dd58e159e443dac5
C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\crypted.exe_v384A4DD4\TheApp\STUBEXE\@APPDATALOCAL@\Temp\crypted.exe
  Filesize: 16KB
  MD5: 52629171a155c13ef68d03b11e44a8c7
  SHA1: 2e17a37947ac21a5aa85eacc4fac1725e6218d6a
  SHA256: a6bfb2307a0eb1c55a94eaff3820186b6f07998f2f77bc03ce9e8edaf8fd64ce
  SHA512: 0f4d7b7ab919f53d66b33603b6cc9e786836ec1598c7ade97e1958bd1bb857c5404f725e1e5cdc9510913c997be897601cfecd907c7c7734cefec14837762d8c
memory/2260-N-0x0000000000220000-0x0000000000272000-memory.dmp (328KB each; 53 dumps, N = 0, 1, 2, 6, 8, 10, 12, 13, 17, 19, 21, 22, 24, 26, 30, 32, 33, 35, 39, 41, 43, 44, 46, 50, 53, 55, 58, 59, 63, 65, 66, 70, 72, 87, 103, 108, 122, 137, 148, 165, 178, 179, 188, 208, 217, 232, 247, 264, 273, 276, 277, 278, 293)
memory/2260-N-0x00000000774B0000-0x00000000774B1000-memory.dmp (4KB each; 4 dumps, N = 48, 94, 125, 191)
memory/2404-N-0x0000000000400000-0x0000000000459000-memory.dmp (356KB each; 2 dumps, N = 291, 898; the region that matched the upx YARA rule)