Analysis

  • max time kernel
    149s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-07-2024 10:19

General

  • Target

    3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe

  • Size

    898KB

  • MD5

    3451d7d80ab7d8ba5c4b5360d5f95991

  • SHA1

    b2de34e87916a19cfb310304edd6387b888fa3c8

  • SHA256

    ff0a344bf3ab1be8a1356996af1afeb4d9692f1831ac9db11be596201ce15c8a

  • SHA512

    d0b084ed5c28d7682899f00b2e7021cc4f2f5d3d4a7e9e19ce9263930314c19aa5f7d79e10a907cce4322c5a8d37c967a5cc77b056d65cc4552078934ff3ce05

  • SSDEEP

    12288:SFNjV1tVJcGXNkdEj0CnGmQN6azCwTL0qVaHJyYcb/4wmcFkAQqOn1:OV9xoEBGLIaz3PJEpyYccwmcGfh1

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

m6nsh321.zapto.org:288

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    Win_Xp.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Corrupted file Can try to time the end

  • message_box_title

    Error

  • password

    abcd1234

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\3451d7d80ab7d8ba5c4b5360d5f95991_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\crypted.exe_v384A4DD4\TheApp\STUBEXE\@APPDATALOCAL@\Temp\crypted.exe
          C:\Users\Admin\AppData\Local\Temp\crypted.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2404
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Drops desktop.ini file(s)
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1288

    MITRE ATT&CK Matrix (ATT&CK v13)

    • Persistence: Boot or Logon Autostart Execution (T1547) 1; Active Setup (T1547.014) 1
    • Privilege Escalation: Boot or Logon Autostart Execution (T1547) 1; Active Setup (T1547.014) 1
    • Defense Evasion: Modify Registry (T1112) 1

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      240KB

      MD5

      d12e83fba2a1197b9090af6265363794

      SHA1

      49193d779bf5e6e279b833d5643e183caf294848

      SHA256

      3cbef4e9983edba5c851d4527975aaa19c7012e58663e82f93b35343e43ab0bf

      SHA512

      5a6b4bc7cd92a5a9fd5db3c0926408ee9b44458830c19bea43e839bb31cd1f96e51e459d55db9ada4dabb69e156ffbbd1514f25f51b98be6dd58e159e443dac5

    • C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\crypted.exe_v384A4DD4\TheApp\STUBEXE\@APPDATALOCAL@\Temp\crypted.exe
      Filesize

      16KB

      MD5

      52629171a155c13ef68d03b11e44a8c7

      SHA1

      2e17a37947ac21a5aa85eacc4fac1725e6218d6a

      SHA256

      a6bfb2307a0eb1c55a94eaff3820186b6f07998f2f77bc03ce9e8edaf8fd64ce

      SHA512

      0f4d7b7ab919f53d66b33603b6cc9e786836ec1598c7ade97e1958bd1bb857c5404f725e1e5cdc9510913c997be897601cfecd907c7c7734cefec14837762d8c
