Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240705-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    22-07-2024 14:52

General

  • Target

    639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe

  • Size

    591KB

  • MD5

    639ce84468b5b67681d9e3341b1446af

  • SHA1

    e9ed555487307f27784b70fe0641950eb06c7f51

  • SHA256

    52d84c8469d2288d1e072e39828caaf9b43911d5530a98d1af6bce4fa7addb8c

  • SHA512

    3bb85fa2c2d80bde2003f8238e10be39776c68eded52cfccbb565cbeb3f2c597d6ff6b0339764967d61e4c70be9284ff2ad1015b479196cbb659c01dfca9458b

  • SSDEEP

    12288:fukBmCK64RSGbBjtWEMm+ngXz9aO4bLlgOKT5LtQcuWrS7yf0F:GkSrjTXGitFcy

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

alcapone.zapto.org:30370

Mutex

ID4E61KU7ACH05

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Windir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
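
The extracted configuration above is enough to hunt for this build on other hosts. The Python below is an added example, not code from the sandbox, from CyberGate or from any vendor: it turns the config into indicators (the C2 host and port, and the drop path observed in the process tree, since the report does not say how "Windir" is resolved) and matches them against constructed Sysmon-style event lines covering the C2 connection, the file write, and Run / policy Run and Active Setup StubPath values pointing at the installed file, the locations behind the report's persistence signatures. The event lines, the Run value name and the Active Setup GUID are constructed placeholders; nothing about the mutex is checked because no Sysmon event carries it.

```python
"""Turn the report's extracted CyberGate config into indicators and match
them against sample telemetry.

Added example for this report; not code from the sandbox, from CyberGate
or from any vendor. Indicator values come from the "Malware Config"
section and from the drop path observed in the process tree; the
Sysmon-style event lines are constructed for illustration."""
import re
from dataclasses import dataclass

# Values copied from the report's Malware Config.
CONFIG = {
    "c2": "alcapone.zapto.org:30370",
    "mutex": "ID4E61KU7ACH05",
    "install_dir": "Windir",
    "install_file": "Svchost.exe",
    "injected_process": "explorer.exe",
}
# Path the sample was actually dropped to in this run (from the process tree).
# Used as the file indicator instead of guessing how "Windir" is resolved.
OBSERVED_INSTALL_PATH = r"C:\directory\CyberGate\Windir\Svchost.exe"

# Registry locations behind the report's persistence signatures:
# Run and policy Run keys (T1547.001) and Active Setup StubPath (T1547.014).
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(policies\\explorer\\)?run\\", re.I)
ACTIVE_SETUP_RE = re.compile(
    r"\\software\\microsoft\\active setup\\installed components\\[^\\]+\\stubpath$", re.I)


@dataclass(frozen=True)
class Indicators:
    c2_host: str
    c2_port: int
    install_path: str  # lower-cased full path of the installed copy


def indicators_from_config(cfg: dict, observed_path: str) -> Indicators:
    host, _, port = cfg["c2"].rpartition(":")
    return Indicators(host.lower(), int(port), observed_path.lower())


# key=value pairs; values may contain spaces, so cut only before the next " Key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    return dict(KV_RE.findall(line))


def match_event(ev: dict, ioc: Indicators) -> list:
    """Names of the indicators one parsed event matches (empty if none)."""
    hits = []
    eid = ev.get("EventID")
    if (eid == "3" and ev.get("DestinationHostname", "").lower() == ioc.c2_host
            and ev.get("DestinationPort") == str(ioc.c2_port)):
        hits.append("c2_connection")
    if eid == "11" and ev.get("TargetFilename", "").lower() == ioc.install_path:
        hits.append("install_file_written")
    if eid == "13":
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "").strip('"').lower()
        if RUN_KEY_RE.search(target) and details == ioc.install_path:
            hits.append("run_key_points_at_install_file")
        if ACTIVE_SETUP_RE.search(target) and details == ioc.install_path:
            hits.append("active_setup_points_at_install_file")
    return hits


def scan(lines, ioc: Indicators) -> list:
    """(line number, hits) for every event line that matched something."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_event(parse_event(line), ioc)
        if hits:
            results.append((n, hits))
    return results


# Constructed Sysmon-style events (EventID 3 network, 11 file create,
# 13 registry value set, 1 process create). The Run value name and the
# Active Setup GUID are placeholders, not values taken from the report.
SAMPLE_EVENTS = [
    r"EventID=3 Image=C:\directory\CyberGate\Windir\Svchost.exe DestinationHostname=alcapone.zapto.org DestinationPort=30370",
    r"EventID=11 Image=C:\Users\Admin\AppData\Local\Temp\vbc.exe TargetFilename=C:\directory\CyberGate\Windir\Svchost.exe",
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\vbc.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Placeholder Details=C:\directory\CyberGate\Windir\Svchost.exe",
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\vbc.exe TargetObject=HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath Details=C:\directory\CyberGate\Windir\Svchost.exe",
    r"EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe CommandLine=svchost.exe -k netsvcs",
    r"EventID=3 Image=C:\Program Files\Internet Explorer\iexplore.exe DestinationHostname=www.example.com DestinationPort=443",
]

if __name__ == "__main__":
    ioc = indicators_from_config(CONFIG, OBSERVED_INSTALL_PATH)
    for n, hits in scan(SAMPLE_EVENTS, ioc):
        print(f"line {n}: {', '.join(hits)}")
```

Only the first four constructed events match; the genuine svchost.exe started by services.exe and the unrelated browser connection do not. For a real hunt the C2 host matters more than the port (zapto.org is a dynamic-DNS domain, so the operator can move the IP freely), and the registry rules deliberately require the value to point at the configured install file, which keeps them from firing on every legitimate Run entry.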

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote access trojan (RAT) with a wide range of capabilities; the configuration extracted here enables its keylogger and names explorer.exe as the process it injects into.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Users\Admin\AppData\Local\Temp\vbc.exe
        C:\Users\Admin\AppData\Local\Temp\vbc.exe
        3⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Suspicious use of AdjustPrivilegeToken
          PID:1792
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:1536
        • C:\Users\Admin\AppData\Local\Temp\vbc.exe
          "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2584
          • C:\directory\CyberGate\Windir\Svchost.exe
            "C:\directory\CyberGate\Windir\Svchost.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2764
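
The signatures and the process tree above show the shape of a CyberGate run: a dropper in the user's Temp directory writes and launches vbc.exe, which starts explorer.exe (from SysWOW64) and iexplore.exe, the targets implied by the SetThreadContext/WriteProcessMemory signatures and the injected_process setting, respawns itself, and finally installs a copy named Svchost.exe outside System32. The Python below is an added example, not sandbox code: it rebuilds the tree from process-creation records constructed from the PIDs and image paths in this report and flags those relationships with rules that do not depend on the sample's hashes or the C2, so they carry over to other builds of the same family.

```python
"""Rebuild the process tree from process-creation records and flag the
parent/child relationships this report shows for CyberGate.

Added example for this report, not code from the sandbox. The records are
constructed from the PIDs and image paths in the "Processes" section."""
import re
from collections import defaultdict

# Constructed from the report's process tree: pid, parent pid, image path.
PROCESS_EVENTS = [
    {"pid": 1204, "ppid": 0, "image": r"C:\Windows\Explorer.EXE"},
    {"pid": 2052, "ppid": 1204,
     "image": r"C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe"},
    {"pid": 2012, "ppid": 2052, "image": r"C:\Users\Admin\AppData\Local\Temp\vbc.exe"},
    {"pid": 1792, "ppid": 2012, "image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 1536, "ppid": 2012, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 2584, "ppid": 2012, "image": r"C:\Users\Admin\AppData\Local\Temp\vbc.exe"},
    {"pid": 2764, "ppid": 2584, "image": r"C:\directory\CyberGate\Windir\Svchost.exe"},
]

# Per-user writable location the dropper and vbc.exe run from.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
# Processes the report shows the RAT starting; together with the
# SetThreadContext/WriteProcessMemory signatures and injected_process=explorer.exe
# they are injection hosts, not something a Temp binary legitimately launches.
INJECTION_HOSTS = {"explorer.exe", "iexplore.exe"}
# Directories where the genuine binary of that name lives on a default install.
SYSTEM_HOMES = {"svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"}}


def _split(image: str):
    """(lower-cased directory, lower-cased basename) of a Windows path."""
    directory, _, base = image.lower().rpartition("\\")
    return directory, base


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def render_tree(events, root_pid: int) -> list:
    """Indented text lines, one per process, depth-first from root_pid."""
    by_pid, children = build_tree(events)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{by_pid[pid]['image']} (PID {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root_pid, 0)
    return lines


def find_anomalies(events) -> list:
    """(pid, rule) pairs, sorted, for every process that trips a rule."""
    by_pid, _ = build_tree(events)
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_in_user_dir = bool(parent and USER_WRITABLE.match(parent["image"]))
        _, pbase = _split(parent["image"]) if parent else ("", "")
        cdir, cbase = _split(e["image"])
        # Temp-resident binary starting a shell or browser: hollowing/injection host.
        if parent_in_user_dir and cbase in INJECTION_HOSTS:
            findings.append((e["pid"], "temp_parent_spawns_injection_host"))
        # A Temp binary launching a second copy of itself (vbc.exe -> vbc.exe).
        if parent_in_user_dir and USER_WRITABLE.match(e["image"]) and cbase == pbase:
            findings.append((e["pid"], "self_respawn_from_temp"))
        # A system binary name (Svchost.exe) executing outside its real home.
        homes = SYSTEM_HOMES.get(cbase)
        if homes and cdir not in homes:
            findings.append((e["pid"], "system_name_outside_system_dir"))
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESS_EVENTS, 1204)))
    for pid, rule in find_anomalies(PROCESS_EVENTS):
        print(f"PID {pid}: {rule}")
```

Run against the constructed records, the rules flag PIDs 1536 and 1792 (explorer.exe and iexplore.exe started by a Temp binary), 2584 (vbc.exe relaunching itself) and 2764 (Svchost.exe outside System32/SysWOW64); the dropper itself, started by the user's shell, is not flagged, since a user running a download from Temp is normal. The first rule will also fire on installers that open a browser from Temp, so in production it belongs in a correlation with the registry and network indicators rather than as a stand-alone alert.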

Network

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count of matched signatures mapped to it.

  • Execution
    • Scripting (T1064): 1
  • Persistence
    • Boot or Logon Autostart Execution (T1547): 3
      • Registry Run Keys / Startup Folder (T1547.001): 2
      • Active Setup (T1547.014): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 3
      • Registry Run Keys / Startup Folder (T1547.001): 2
      • Active Setup (T1547.014): 1
  • Defense Evasion
    • Modify Registry (T1112): 3
    • Scripting (T1064): 1
  • Discovery
    • System Information Discovery (T1082): 1


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        7ac4d9688725365d6b888b8a36d593da

        SHA1

        5917e2b1ebde71eb2b22e94e969eccbe915dc8f6

        SHA256

        693fd211a9ba5ecbe4041e9275e4aaf75e8fe1c30e46ac00564d22c0d9db53ea

        SHA512

        065a1c1503597129117a2c19099b6d2f16be540eaf273fb5ddc38f0692ace1324be6068e73624d5f0c48d009866d8e6c0bb6d60c8f716cd56562ead3237413ea

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        73d8877056fa6c02f7dbc36a5c2fb755

        SHA1

        40dd80a171d0b3401870efed85bf579b0b68cddc

        SHA256

        ce18491c84a7faf78d725e8253077e71fee3972a9f055f09500b285e7584ae7c

        SHA512

        1283d7a8b9b2716a38ce2e94f22ddc8eab47c04c0b9323d4407e83530566e9579cb69624ece1343f13ba41e0001ee6203ccce76d6bf518817b59af1d5708ea67

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        4b8ed7a89f2994cf5c431b2c8fd79e0a

        SHA1

        59c2928b947d921b5b9bd5346e652f879a0ddf05

        SHA256

        fcb3a1f1dd9fc740326c6555f30517b23a8d4b5ba8686f97d9e3361e5f79ab25

        SHA512

        208da970803c8de10c5e6d51c28551be7d11605bfa8291a6e934fae9a38ea83e804ca20f10fe70d16d2055fb65fb9d5dd69acb57bb9e0aee28c2004ff7657a11

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        488ab729c58706f62cdaad81596794c9

        SHA1

        7f8203c355a58ad8cdce555a70942edc341b51dd

        SHA256

        b0cba3a22e522997592bd005e6eb075bb3906baa818469a009ce4245bbf3ab73

        SHA512

        aa59c585898d99023144166e9d358f21be838f3966f6170d72a6acd6559a9deb32712356d39a50f77de2149cb097871b59243d5b76c219311db9e484ee35d5e1

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0bb4a35619ae64f316f5fc0c963fc969

        SHA1

        95583356379219c2d57dfa6594d2b4bc1230ac8a

        SHA256

        b1fec2e29c54ba36cff4eae099a227397496d14122dbed354a354f510a8d46df

        SHA512

        6e53821b34abb563ae9bad795b7a9fa29382f4970f014d493e9eb5e95a68df7949361b80891ce6755bf1b644f34571715413161df5a56b0ae13d6e5237dc5617

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        202ac6731f99e0609425d3014eacfa31

        SHA1

        b967772c1b7c9ecd9bcc8a9d1bdd1e8a3b159e7e

        SHA256

        ffbfdcd80fea7a1690197f9659360c72a25ee81162c551419e22c4ac47375d44

        SHA512

        e787abd9677e174f98f607206b9f7f051c5edd16e3aa2db1a35854de8225dde591f93b49ebe1dad15467c799d595311cb37a8137c413c9b37be20d34ba80e1a6

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8a8eda76044871f48da80b999eda4e03

        SHA1

        7ecdcdd54d32fdb0ff914d9ebf4fa9a88674c965

        SHA256

        ed6d535ef68434839e13f2a5a79a0fc2da132407ee2c11d7f2cce3dbed2db1bc

        SHA512

        3994b00c9d599e4deae6d90e9903a5e1152129ab2d268762756f814c4958671ffb1d063b55f8a936abe55f44a5a4bfbb78077ac2bef0ad94ec1be5da50cac680

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        bf7e308d3569b49ac4f4a80ef3aad483

        SHA1

        0fec73928ced39b8feda9d31974e2c1edd0fb67f

        SHA256

        0790142fce5bd70fb5196c5fc39717231fd5e1af860d7451546b55908f95441a

        SHA512

        a00fa41af4a5d7a1da847c8e70efb65a10b7e905c395a0f528835b3370f10292c8f41e5cf34e21329b174b95699d39f420a7bdc5ad5e8592e88258dcd8bf9c9c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        f32ca196de348afb0443021a05dd18ea

        SHA1

        111306149ac7905caa6a68a0c02d95fc0a071839

        SHA256

        90f18b5831ca8080b029275a51ed5b66fb41f80d85b79272e2e1be755ccde2bd

        SHA512

        5db8cdf342273d1eaef412cfec4cec90577d68f22e115c8ea0fb71b74ad6ac4c994fce6636f274b35ee85295b4bb3c868831187a9d3354432261bdd697dae600

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        1daa1cb04df7515ceeaf96174d5c975b

        SHA1

        d38504a2cb57cecf44aed6136276c5dc5c39bcc6

        SHA256

        b6ffcf4aeec56e46f1349dc535e066eef75db15551ffdac46982ba585aa97bbb

        SHA512

        330742ff951b3b378928c50f8bb7541e48e1cd059e79b56b8894cbaec514963508e48e4dcbebf4b17e53d866f8e3c57ccec064591571e76eec67d09eaf54c032

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        08b7a6cfafd78af4002296e30532544c

        SHA1

        18181e538cc4f73d5f2f5e158ea08b0b77770e20

        SHA256

        1e92e25e15c31b7dd5bcbea1b039b90ee98414e0b00c411627cc80dc1591f002

        SHA512

        ba6c85093b3bc7334b0071647644913557c725fcf2ae93428163fd376abd0e00d941c4f330c7397db3ab64dc3cf7c1f351ecebce8bb3f7dd7956af9dc75ca58e

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        272ac3e46a143147fa6570d3a706e8ea

        SHA1

        61c171c48c652a10d266e2a59417d495e5a1d1fd

        SHA256

        8c2d17aa4924bc3eb844ddf01970808b4ce733ab79870f878c41d5b63d41ad67

        SHA512

        5b8d5f11375c9673cf45047ddbd605ec8e40927d6424fe59e0b95215226c548c27aca509eae6fa6a512d8146db6aa621c7c637251d589f7c88c3e5aca7cd50b7

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        2ea8269242ffaeefcfd04d59e55c4e98

        SHA1

        7c3093e66324be60a10cc9f046c61acf33b89e22

        SHA256

        7a4676a2446a9bdbd64c630af715f61d0e870aa8621ff952985a86abaaaeb18a

        SHA512

        b9563976f0943eda06bfad55f6aaf0be2312ef8885148355ffb30b2aa6e6378e9b7b06399d4efe2d1e9f61f445b1ded5bc4f8712882b8dc5c9b788c23c45d959

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        7dce213baa964ba0c5f8b9e059d10fa4

        SHA1

        fe3b76d0362fd20b35d326f0fcfa195f35314c32

        SHA256

        11c39ca776c7986b72fae73f6bcb7c55983e0e39481bc7e8d548e686616dbfde

        SHA512

        21e02a00bc0b25e25e05c77eecc54a79eaea7d3493aa4a73e1d635eb8959cd69e413067c3e78bc694026637d94dc4ebf654c13d43ddbd51cc281eaf3148d2ebd

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        2db5de88d10659148417a46d7384d040

        SHA1

        a0a04ebed6092a06fc144a4bf60e1e509e1aa387

        SHA256

        aaf5db80ddc79ac2fcecb2160ae4f8766f261278d2278ba3b148d4749a8d531f

        SHA512

        dbdc29406cc7173ca26eba1450151b4b268703652c105b57837e9bc9448c2b58ba3e45d29953db3832ea5901b680ee715f532f0761a7a2ae3550236d19413d22

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0350e45ee7aad9eb572a73b1ccb9a5e6

        SHA1

        a23464a166977ebffb2ea5b3875338ec24787218

        SHA256

        58879fd4888503b89c477ec0c8654210e76b4f381132f3194dccbc9ea5a1e1fe

        SHA512

        a38506f83a56a179403d414c3e6feb4cff1512e871591b82c7742ec85dd6a685563688b513c4ecd3c42a72aae75293b4d8dfd0702228c95b4081f12103ea1230

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        85a65a70633ae98c97d9900526f01e05

        SHA1

        735b50329e16f2bfe92fb1a7396fcfd7a91c4394

        SHA256

        34bb399f3f712588826eaeab72cb80651de091ce0bd8e0de74a3daabfcaa8889

        SHA512

        151fe1ee38eccd6628b3229a5a4447e20375a94b750dcc2712cd48272aaa0e2a74bb0693a449c0b6b3543f137d8ee3ae16aa5277a59539faf8812bc6753eb169

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d380f9f14cf43eb5ebb5f050e8dfdd9e

        SHA1

        1eb5d72249911d54668f86108bcaff31909b5b12

        SHA256

        5e92fb020a75950695ae5da9d645fd46de53827b1951cdbb2023def347aa6d3b

        SHA512

        9661ebba288548f2b3062106687e7a81db1c7f15b142e7b53fb38784da8b4452b46f6ffe610a023144ed993902dfd7e740046416662ad64652375ad5588b3009

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        1869db0614db8a6a57b7500e41546c60

        SHA1

        6edfe2714cdf932a134ce47b01b93371596fd7e7

        SHA256

        ed4b85b7474ac1aa26a48c97a3bb71a650b86e9f83b3a4717532085238b2d46d

        SHA512

        02c46ed34554815d3d04afa91283a49dcb707554a842e1c9bedf7d6af5383da7377c0055c41c09ebc3eedfe1c1b90462d032924d6ab2679781972ddec1f8bb20

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8d874ca6e0c6e29799e6b2ab0fe122ad

        SHA1

        0907c829b00955ec11b2e4d788567f161e553095

        SHA256

        4b60365a64b7741ed5bbe8ffd872f5073748dd50cf3994341a6b347c6cc32956

        SHA512

        b4385c3907b5eb3b48d7333384d95dfa0e636e7d70f799aec8bc6e6a0614878a94b6482853c67c7ee54492d1665b6198f02b39afd5d5f38c94ca2bd3fd6932d2

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        6e09166e10fba4e8dd2b78b7947656d4

        SHA1

        6bcb882dace55d3fcee03d24dd4c1b55c3827845

        SHA256

        98f8a09611912e74ee91c6cf92011e127e95dde499cd2fc245b45a43dfa299ba

        SHA512

        e55b2bb557083b45d7e90bdf964469ef93649b5dfbce2625e21700428e39ad4296c6ebb4a235dbe872d6a4af4611fa0dd925be6e1deda000a65e879ec9bcd54d

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        50c6fc433cb5ae0cda7fd79b7237626c

        SHA1

        cd25fbfc9391554fd0fafcdb63ac71f6f26a0ac5

        SHA256

        2c3993f184c8ec6f797e1ecbc26ab7ec02b062a945fc8cd4671c2236a125b44d

        SHA512

        9ce389c75818b39f36953d4057981a674678524d118120055bc8871969f517d5d88ec8754b925ecc855e6057a4da374c9c521c5ed6b3fd85b35478ec32132fad

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • \Users\Admin\AppData\Local\Temp\vbc.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

      • memory/1204-54-0x0000000002EB0000-0x0000000002EB1000-memory.dmp
        Filesize

        4KB

      • memory/2012-13-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-45-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-947-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-31-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-33-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-35-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-37-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-39-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-41-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-43-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-47-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-50-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-49-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-53-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

      • memory/2012-7-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-9-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-11-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-26-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-15-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-19-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2012-23-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-25-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2012-17-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/2052-0-0x0000000074482000-0x0000000074484000-memory.dmp
        Filesize

        8KB