Analysis

- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-07-2024 17:59

Static task: static1
Behavioral task: behavioral1

Sample: 3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe
Resource: win7-20240704-en

General

- Target: 3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe
- Size: 497KB
- MD5: 3a2e879afde3064add0769df1f34c04b
- SHA1: 1c43b922786be576ea5923c8f5a58b866e73a70a
- SHA256: e76752214cb7545481b53565666025da357233e8d94dea3b40451f618f6a0fcb
- SHA512: 66fe464466b3f1da8a9af99a55b7f78241b41037d7315b04ed57f2e0502c5bdb1846b916578d1e58bb241e0501c8f1c9742e92e9b757583dff5d504cfe377ade
- SSDEEP: 12288:LHeVQkTrvj4JcJabtrfFADM6eKUyww4IaziH:LKQkTf4+JaNfFADDdUywwiQ
Malware Config

Extracted

- cybergate
- v1.07.5
- Cyber
- gaberat.zapto.org:82
- A714UCFKB3YQJI

- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: WinDir
- install_file: winlogon.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)

- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\winlogon.exe" (process: vbc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\winlogon.exe" (process: vbc.exe)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{U7LGV12W-36J8-27E7-7Q68-48U3GH57UQK4} (process: vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U7LGV12W-36J8-27E7-7Q68-48U3GH57UQK4}\StubPath = "C:\\Windows\\system32\\WinDir\\winlogon.exe Restart" (process: vbc.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{U7LGV12W-36J8-27E7-7Q68-48U3GH57UQK4} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U7LGV12W-36J8-27E7-7Q68-48U3GH57UQK4}\StubPath = "C:\\Windows\\system32\\WinDir\\winlogon.exe" (process: explorer.exe)

Executes dropped EXE (1 IoCs)

- PID 2940: winlogon.exe

resource / yara_rule

- behavioral2/memory/3116-65-0x0000000010410000-0x0000000010475000-memory.dmp: upx
- behavioral2/memory/3116-68-0x0000000010480000-0x00000000104E5000-memory.dmp: upx

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)

- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\winlogon.exe" (process: vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\winlogon.exe" (process: vbc.exe)

Drops file in System32 directory (4 IoCs)

- File created: C:\Windows\SysWOW64\WinDir\winlogon.exe (process: vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\winlogon.exe (process: vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\winlogon.exe (process: vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\ (process: vbc.exe)

Suspicious use of SetThreadContext (1 IoCs)

- PID 2644 set thread context of 3116 (process: 3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe, procid_target: 86)

Modifies registry class (1 IoCs)

- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: vbc.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)

- PID 3116: vbc.exe
- PID 3116: vbc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

- PID 1252: vbc.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)

- Token: SeDebugPrivilege, PID 2644, 3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe
- Token: SeBackupPrivilege, PID 404, explorer.exe
- Token: SeRestorePrivilege, PID 404, explorer.exe
- Token: SeBackupPrivilege, PID 1252, vbc.exe
- Token: SeRestorePrivilege, PID 1252, vbc.exe
- Token: SeDebugPrivilege, PID 1252, vbc.exe
- Token: SeDebugPrivilege, PID 1252, vbc.exe

Suspicious use of FindShellTrayWindow (1 IoCs)

- PID 3116: vbc.exe

Suspicious use of WriteProcessMemory (64 IoCs)

- PID 2644 wrote to memory of 3116 (process: 3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe, procid_target: 86), 13 identical entries
- PID 3116 wrote to memory of 3412 (process: vbc.exe, procid_target: 56), 51 identical entries
Processes

- C:\Windows\Explorer.EXE (PID 3412)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe (PID 2644)
    command line: "C:\Users\Admin\AppData\Local\Temp\3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3116)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (PID 404)
        command line: explorer.exe
        - Boot or Logon Autostart Execution: Active Setup
        - Suspicious use of AdjustPrivilegeToken
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1220)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1252)
        command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WinDir\winlogon.exe (PID 2940)
          command line: "C:\Windows\system32\WinDir\winlogon.exe"
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 224KB
  MD5: 52d2a013fe5c7ab4fbdaf34d49fed165
  SHA1: 0a370633cc11593b901ccb126f6b186864e98041
  SHA256: ea1d848e830424211480dbfc285657393a2cdccc4bce05abda9a4bb22e6b8011
  SHA512: 63e506fbe1a2228cd7ee0cceae1f0268c4d11144da3573e50b6fbc150b56f36ea31cb95a27eccb759085403be1a2ccb159a400849475a17a72b3212b5a81dc47

- Filesize: 8B
  MD5: f7df9b3cc6fc0e3b96af5e508d82fb08
  SHA1: 9e11bd6ccc7e5916d1d4ee9d9dc320887a2e76fc
  SHA256: 745306a34b025eef31bc67c64e0a6595d2dce8efbd5b8bf13b91f0343eb1a60e
  SHA512: d64b5e200c2cf8a472e4bcd53e18804d4e38af025213555fc2f6f17ca95c819a17512291daa10c9f2e539dbbe51751b8615fcc12f2a283b3592d8f9c68d5f308

- Filesize: 8B
  MD5: 5cbe6981da565480e1b49f243cbbed70
  SHA1: adf7156c627d962b5b25e905175b6b4ec3a97758
  SHA256: 5d62740d666511b99bfaf86c7301ae5efc54d2cd37db1fa16e6def298684c190
  SHA512: b57798c12588db10620dbb22105fd17ad99ae10e72f40f2346c3c6ed9770941562565b3351f5b19bf7ba298545f4265ecc0c4ef13c3a7e2ba355f5e69af3a3c0

- Filesize: 8B
  MD5: b676c6c40f9f33fb892993aebd85e8e5
  SHA1: 55b525d270b2293c0d6cdc771f9ce0e55203fdad
  SHA256: adc2a5bd54574ec345e8bff7a967f3d7c8280d566306bc51f1320dfa5b86162c
  SHA512: 91bb7efaa36cd2df9d25be530f3ed1a96643b38b19d30a0fe06475feb8a48e36882830ef7148d5b93d6bcf3b33203caa6a608649ece7b9fed549a34a3baf5108

- Filesize: 8B
  MD5: 818ec1837f6e1dee83b7bd070f4613ed
  SHA1: 150f6e818236d28749fb737a089628ab35915187
  SHA256: ae027e614ef965ccb3385ed08ba278fc644ae4f390be50b43ec026f363accc51
  SHA512: 94a7761d1dd55051637b88f66972521cf9f7bfbea9f00f8c66fad2840dcdc94f6d460d9a21c0b994a9504ecb1ff739c76b5dcc923c7e7b8fdd5f3ad4ce397fcf

- Filesize: 8B
  MD5: 42c08a8a22f9137238d5f57be4b73a8e
  SHA1: e5c5a5813b9f1d4e5c51d15ff25ea01df9dbfec9
  SHA256: 91991ad0b9b952a18b7352a39d752bab51e9d8e06c1867ec53192306c62dc494
  SHA512: 1f84566a24c00e9c6aca20e9852bd5ddf00e84806c21921d7bce39f5ed5ee747e7b9c17750e67ad59df06eded3e1a92019b444c9251bfe935545ebd64f1c2442

- Filesize: 8B
  MD5: e5c55e80eae535cc03ece26b261616cf
  SHA1: ab4eb36d11c24f6649af63a246b47e11d6cc91e0
  SHA256: bd1b1ee2a5d7d6a7da9cb5af5666a54743a05ca139aaa70c360e30f80a0b0c95
  SHA512: 39450160d379ce9e0dd14bc10ba9b859154f05538619abdd8b99329188861328db9f77cf9bf709c8726dfe07d7c7aa0e41511db93ae90af58a5f379e72c0a91e

- Filesize: 8B
  MD5: e3e8185f32b282d88c22cf050c32c737
  SHA1: 24482e8d8ee561ee5a3af515b67fa398e5a3436c
  SHA256: dbbc204556edb14f0729a25019b67a45ff9210d59dc5d48a9bb46517ec873f1e
  SHA512: 3a0100d775b300e6358ea473171618c91110042a1fedf38f9a6e21bdd7928f3348bc3470aafe3c57a3587bba7e09010894e2f7ce99d1f1917c184a36169ca4d1

- Filesize: 8B
  MD5: b21990522b2f23dc0ab584b991735a6a
  SHA1: 346b7b13f79bec163f53a0cb22fbfacf2d10ac06
  SHA256: 4142539953431f33547427e05910fb1eab64ead3b2e2d39cf890dee3747e9f2f
  SHA512: 4cc1c12a01a83895b6d5b4f1fec352b2373784e849aa3c250b7119627098d3f2c17b18131c2dcb80d89b9df4ecf07fe51bc0d288c663bf82230b7eefee852ea0

- Filesize: 8B
  MD5: 271410838614574183cce9290d607903
  SHA1: 04e2c21b3a1fab8596cbae56b2be6b6bba954398
  SHA256: 95f03cbcd51b2ba53a110b2ae81b7ccb4ab6b82c1028f357531064bfd0c93fbf
  SHA512: bc17b6839a648d056da84ffc206f1c0c008c0f821d6255e2c1fc824d1fda476d4573bce2ea8a139970332bdf010bbb620b4dec669ede1177cbf2df79eab37acb

- Filesize: 8B
  MD5: a303125daee46e7e56965b57865ff01e
  SHA1: 4039ba8416e950fde24d14982775af64d97297a0
  SHA256: 95b347ac08d3db0cf926d843b77bf606cad21045de6631cca99c2454f0916ccb
  SHA512: a8c0fe7632ef80026672b07e2f2c19096dd3d4157bcf71bf57428aff9858f55a45aea1455627b8f20d958c894b06fda7b88e732f8c8d6617d8cd494bb03e3ed6

- Filesize: 8B
  MD5: 1ca0bc18ba0cda03b52219e1b21252f4
  SHA1: aeae6e8b87443940b026ab664815c48dd82ff261
  SHA256: c8f8d08f266d11d222f111af06d1b7e133b02cb9a403e12705b4e98affe3c758
  SHA512: 219529e952c4fc44fc704e13a6f4dfe2709d15b7c789f1b4490cfa2ee8f2e9af6afc3f324068251663a3d858eaeadedadf72e4e7af6a8060510f998b7fb9e773

- Filesize: 8B
  MD5: 36b845c0779bcfbe0b3dcdbc225f991a
  SHA1: 79b58041d5b9f5a0ee4cba11944dbf0066f3feab
  SHA256: fe7bf5dac222f59563beda1ac1a28ab02b06589a272983ff5926594c36156a2d
  SHA512: 2982c6415829b092baac71b01863b802a70757d53248498347bde656cf5b6f6fe4d2a7a2e984194d61fccc577a360bf9ec5896a161b404e64e921f057db5de1e

- Filesize: 8B
  MD5: 5f384476a4ebd0839f631059dc7d29a8
  SHA1: 19d298094c978d9749c1c5acd18beffef1d0aaec
  SHA256: b1775ad2d4d4d5e8b53bcfa740da81add8afd732a6f4c43221ce400881f87d15
  SHA512: 4e8bc93013d2e3a22bf29e4451789525efd17c5f02b3855dd371458b4387f254825954e49f418e25c6f2302435931e944e5dc74859219c1f9aa43eba550a1a15

- Filesize: 8B
  MD5: 1915fbb8ff351c1f6c26b3cbcca3ebe3
  SHA1: 5f45854fc94e3c69321f2148b16c902a00d334cf
  SHA256: 3f14e73e458a7bf98ecadf4b4171635c43def8542066b2f3b0ee1247fcd508d7
  SHA512: e6931797c7a8ea355adc1a94b34674fde25a43110affc5ebd7b010a2d197a838999c26f5b206ca54fa4c2993bcccc282afb6529f984594205585aafc219de9c9

- Filesize: 8B
  MD5: efc96d2ace4549c7ea774cbc49e04849
  SHA1: 9b6e4959f85bc0c968f3716c23fa80b17f8dc721
  SHA256: 0c07abfca721add1ff6fef983b49bb2091083a8684065a041803d0208460c180
  SHA512: 13abac1b79e4da318314adbc0f2e4dbe40a8c726bc641b95d8f4ecd6642101fc0f849fea0cbce48aef3d4a0eea77c7097dc05b51e17fad71a499a8534efb5bd3

- Filesize: 8B
  MD5: d593e1f224e6695faddd8cdb86c84779
  SHA1: db5b5e6ea2c3e696224fcbd05bd4575bedb6bf9c
  SHA256: bdd93821ba263e33a9962f0b21c6858aac5d5a785592abf514479111dfd87090
  SHA512: 43f846e759e4339dc5bf7bf0eca728f98860f277f0a86a46e5fda6a3f6b53caa8d3b2567958918e3eb69d2e97f11ac3133f2b6c6ae17f768a183516174f0b916

- Filesize: 8B
  MD5: 2d4514c05f8f1754bc1c0f8319f7618a
  SHA1: 2d9ef4eb958151cda22659ebce302afb6a933c59
  SHA256: 5e38db628f04610518287a8148ba99203541fc10ea6338f43b43411286883c43
  SHA512: 1725e1f9133e17ce2f6d9f85ef1e07325ccd60b3ce29e08f0daa6a423f94cc7ea4361c875269ef982d4b0ad94bdc770617895228fbbb6cf58e98e1b0a9438f5c

- Filesize: 8B
  MD5: 4b29fcd89898016b8a0d29468c8eef8c
  SHA1: 894ce5b7266a396804d46183480e13f029c3e48c
  SHA256: cc131e692575867f52ae42466b32019408d11e5fb20b7918a6140c28094f07d5
  SHA512: c176874fb8e9d636f72f321df85071ede20c9f8b0c0893e75d7607203f02311d4f05fc7799077dc93e5cb28fd25824e6e8d39173d37540382d884af9f17f9004

- Filesize: 15B
  MD5: bf3dba41023802cf6d3f8c5fd683a0c7
  SHA1: 466530987a347b68ef28faad238d7b50db8656a5
  SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
  SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

- Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34