Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-07-2024 14:52

General

  • Target

    639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe

  • Size

    591KB

  • MD5

    639ce84468b5b67681d9e3341b1446af

  • SHA1

    e9ed555487307f27784b70fe0641950eb06c7f51

  • SHA256

    52d84c8469d2288d1e072e39828caaf9b43911d5530a98d1af6bce4fa7addb8c

  • SHA512

    3bb85fa2c2d80bde2003f8238e10be39776c68eded52cfccbb565cbeb3f2c597d6ff6b0339764967d61e4c70be9284ff2ad1015b479196cbb659c01dfca9458b

  • SSDEEP

    12288:fukBmCK64RSGbBjtWEMm+ngXz9aO4bLlgOKT5LtQcuWrS7yf0F:GkSrjTXGitFcy

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

alcapone.zapto.org:30370

Mutex

ID4E61KU7ACH05

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Windir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3372
      • C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1232
        • C:\Users\Admin\AppData\Local\Temp\vbc.exe
          C:\Users\Admin\AppData\Local\Temp\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Suspicious use of AdjustPrivilegeToken
            PID:1844
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2824
            • C:\Users\Admin\AppData\Local\Temp\vbc.exe
              "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:908
              • C:\directory\CyberGate\Windir\Svchost.exe
                "C:\directory\CyberGate\Windir\Svchost.exe"
                5⤵
                • Executes dropped EXE
                PID:4992

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      • Execution
        Scripting (1) T1064

      • Persistence
        Boot or Logon Autostart Execution (3) T1547
        Registry Run Keys / Startup Folder (2) T1547.001
        Active Setup (1) T1547.014

      • Privilege Escalation
        Boot or Logon Autostart Execution (3) T1547
        Registry Run Keys / Startup Folder (2) T1547.001
        Active Setup (1) T1547.014

      • Defense Evasion
        Modify Registry (3) T1112
        Scripting (1) T1064

      • Discovery
        Query Registry (1) T1012
        System Information Discovery (2) T1082


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        7ac4d9688725365d6b888b8a36d593da

        SHA1

        5917e2b1ebde71eb2b22e94e969eccbe915dc8f6

        SHA256

        693fd211a9ba5ecbe4041e9275e4aaf75e8fe1c30e46ac00564d22c0d9db53ea

        SHA512

        065a1c1503597129117a2c19099b6d2f16be540eaf273fb5ddc38f0692ace1324be6068e73624d5f0c48d009866d8e6c0bb6d60c8f716cd56562ead3237413ea

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d33a8b708fa612254eea6624b944caf9

        SHA1

        6c52b690ce0dd59f5ec1a87187c4a261e80c471f

        SHA256

        d8ce022cbd2bf222d3100b957469bc266bef6d077638ea5e94980af9d467cd7c

        SHA512

        d5f9cc0a343b53c1dbb15547150052d0938152ce1a6293edad85c5654347e9c3389e0212dbf7dc98a07326ea976438ea90767057eb71ff28038baeaf7b2575e3

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        78e6bbe02344122824490c13631e5ffe

        SHA1

        b45279cc065bdb0b08331a75a415bf6b7a05f82a

        SHA256

        8c30d4baabf4b58d9e5aab2fae716f6fc15d5c5e7e67d824b2ccae1bdcb15a57

        SHA512

        a49d7b4a815ab3c759d9bfb6f8e6c31f8cc06c761fc158bf3008bd8e0b21eafa428b84791d9fd000e28e93b0c6d5626c2e8e136cf59272adcd0f3a0e345c14c0

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        be900d6b9a1da6c88081b18fa13b13c9

        SHA1

        a777f1980f37b675cfadfd4a9ee1633dc71de49b

        SHA256

        8e884d883b7e938ca53b3b306746a39cd43d8653b1d872fb4b8f57a4ec5cda0b

        SHA512

        7ca1efb3082deabf3ffdb377deaa09c53481dc7b4966b96800bf090010cb37ab00cf1bf8d5ee00b64506bd280390b0abcd802fb74da5204b5a0459c812821135

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8ea2cb89042822db6f2e54a8712641f3

        SHA1

        49b63bb1fee9e0e39e6bd5d7caf5891b9728012c

        SHA256

        821bf557fee51d3665551b77f67fec99bd642a1b8a33d892909d3e3ab2e1fa1a

        SHA512

        810d89b1c5df6a7c8ffe991a561e5a203e8656c7d0bdcfc875d0cad3032ad5429fb1add99a7c74ba5e89a93ec14ea83fa7085e56f02240b8f5494d04a3136fbf

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        097b1a5256653be9077f43a355e83d97

        SHA1

        6b6bda394cc59ad0ccaa92c7dd76a87b127e1329

        SHA256

        d610c5a7489d5fc368469be86d99879187e60de26ef4b1adb6ee1db9aad05f81

        SHA512

        dd7c381d90b8f338ee82cb721fedb3c35ad7c36e3d9888b24bd4da95c09376341b1e6aca742b4829cfdc24eeac10bf5559c3f85035f95605692e5ea0392a97f8

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3fd8997d9d0ec5cf5a5fe0123bb112fa

        SHA1

        b9045c229ad13aa2abf9d0588cbfaec1ca73ec19

        SHA256

        006a58b64d807377bb373622bac66e9ed4bfae70f826359ce8f7530355d3fb94

        SHA512

        4af5db0deeccd0fa9e377d8491bcdbb8dd3df38fea73102e5d86aff9aee3f2edf1c26c81e073cf871766de23b945a3d7b971fb68eb7bb85c6e5a6f21e96a1de8

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3e9dfd370b6a1942e02cc7cb0d415743

        SHA1

        1df92d6ea83f103a95494248330cb80aca5538ad

        SHA256

        66a5095f2cda950b6d68a946b8e12508421b060df02b1b95f9a53ead277fb312

        SHA512

        4f4262b3d776a12571f2e8924c31f44a5abab47f85e6552572ea800d9170827211e9ac75edb5e41207b913f55f79508f704e1a17a851e49ebf3a3774d91a9cbe

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d3d038996f3ab99b2195323e51aa9149

        SHA1

        5e94ba756a1a2ab370451a8eb28bbb65e9bebf4a

        SHA256

        d8215c76d2e1af91701c2b24b71f066e466f70b5657b7e9aa38299c5f9d158c1

        SHA512

        cb0ee6f98980907546a87b59ab87035f16c36575eca6e9f98e1552df4810c0279d8c238036ce23e28133a4220d416cae329e823006a8e33aa0e4b4667beb9c8b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d0319f6a4be461d4e04fc3e76de43c64

        SHA1

        8c967550404a27d1df795ad36df29e686a3615fe

        SHA256

        b163312dfefebbea0d71e305c1508d104663731b1c587cd10dcda71915a9d39e

        SHA512

        21dd52e9276ac7f4f0eb0c3e4af4b3e1b1c47bf4e150a338dbc832388cd0752aa4c774f76b571b90d12b6937c7fa5e3f33810af6de2fb3b66fb9820c7d7c8a29

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3a06350f3aa7f469f1923ec45458e9c9

        SHA1

        aa3b5e6abf0c92ca31b6a9fe8507136820ae1c35

        SHA256

        2fd79ec91065317f3f9fc136f4c7b313291b202d6956f38d703f51015ae0a80a

        SHA512

        9d349b93581539783cffa1ba9dd26aca5152af249bd441395668ba4c8259b0ff950177914f01fe79cb9a7ad1a1b344c65bd80e1650ddb13278bbe913d5973c67

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5832412353295ad33bddb87a78308958

        SHA1

        c9df18a3b5c38842c1c89bac5c5d781cd30440fb

        SHA256

        a559f8d55bf31d60277f523ce3ce22c35c4cae269fc99172b1ecf822f3bfdb4e

        SHA512

        5f73d77bd4ef87ee29431947f349e1dc342dc921e06dbc450da7889e189ea620895cfb7f351753480064258b56f2942bf52e48465f3f1375aac0ae71b9b8fe01

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        882246894b3feeb57881bb15f02b4fa7

        SHA1

        4a8e1963eeeadaf0646cb312e99500a8937fe227

        SHA256

        771661779734755f73849e7c95aab995c8ecdf98984249be8677345f55d92afc

        SHA512

        68a297e70c38b04bc1b1aed2805c0d64ae30518d3c4796bd02b6f6e3467ea75b8fd3c9c68ce82f31faad9e8feb8b65e8c3ba0e053bc508a31916b82def54c494

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        2eb1ee046602c3be0e6e4dc9910159ce

        SHA1

        84c17a60f8edfbd4ebd2a6ff02dc7f34f3abb0f0

        SHA256

        fa3fd05a630997c60255494bbf378799bfd4572a31d7a05ae99d6be9486d76ad

        SHA512

        8c5816c697bb2fdf494a5e59e268c72a0f02a891e81e0743348468fb7a6bc0c5ee25ceed88387652a47a3759b54371e0748d8cc11ca7d61b5fd6fb2638d28658

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        2eea62f0655640a001605c30ae329301

        SHA1

        7058a686e80ddf7a29deffdfd80c3180fbdcd569

        SHA256

        5858a8214b2f0404d2bd54d8a41d108f726fd783a44a7397d5b866fe963d3336

        SHA512

        cfd531775d6f249363dbcc607254970c6f24f3310689c463e1c1854f0dd05ba6db16bbc5f638dcdeffa2808a8120d317f439b7c1c2b765483717aef11c92b00f

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        386dfa2db01951cedb24cebfd2ada017

        SHA1

        58b8d05a6134c177ae574b9959097f2c3a89dd11

        SHA256

        4dc7930d675efba611df76121dd1dc177eb27bd51909fb5b1a90f8dbca22c1d6

        SHA512

        9f09535a025e4730078ed8777db0180b5e375620d0c7138b944995ef58e4852324f6e449cf9da2b3a4e5bb8f1d714234d187a742384032f7b4fea510cddcbeea

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        cfab339d5296aa94dc36b5d107a73ea9

        SHA1

        3aba0607264ca52d5058bb11de8a5aa39461729f

        SHA256

        bf3bf0f893ad42f9bf8027fec2eaa6e990565b0debd143fcc15a55ab47afb619

        SHA512

        378cb314bd459679485d69b5e0a12f762494cc68385d1044a2b83d9603e25ee26e7fc0d55f6ff1f17c8b4789c7fc836e3773d25855030e7d462fecb4d960d14f

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        1bdb492ec54e03a36fcf07834d5c0d17

        SHA1

        1b55fbce3203e86bfbaba2511f06c717af36e329

        SHA256

        ef5e195c29ba3f00e8b567da5acd7eeb760e2449a8d75942d4d92939ddbf7883

        SHA512

        8352b09000615d2b0428a300a922bb976ef035fa86044d073b031a6b3065ba6a9c75ec80ac0f3dfe8f0621fe6017fe12fc914bb8d65e662015adef48e1d8a316

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        da971e9e739f9b18677c171b2461db17

        SHA1

        b66dd3243ce828dfb9738bcf93100146c8ec1988

        SHA256

        ce6604c4dc93710de45e191129dbddc1434bcab8f99fd823b0562c137252d056

        SHA512

        e6cd02b6fd4a5f5ecd97723165abe0fb0c7bc0cc5d46c45e22f0485422794ec1f3a233222f62eb03980ddae6ca8c7fcbcb991430b772938cd62c15492b071ba6

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        16252ca4713c1edbdf2b975ba97b1892

        SHA1

        eefbe4956dde4dc66444a87f5bb0d2d533df71b6

        SHA256

        8b7b2b501f616ab5380542978df9d31277f9a74b114c6636c37bbd0935ef7491

        SHA512

        07a346df32c628f4fc32345c3ca36983312682c9959bd25e5d8ec5fcabc45898c29cc2b21690dfe263257bc65aaf7bdf1e0d339f7c590870bfa95cb45c7a4d51

      • C:\Users\Admin\AppData\Local\Temp\vbc.exe
        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • memory/908-1448-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

      • memory/908-156-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

      • memory/1232-2-0x0000000075070000-0x0000000075621000-memory.dmp
        Filesize

        5.7MB

      • memory/1232-13-0x0000000075070000-0x0000000075621000-memory.dmp
        Filesize

        5.7MB

      • memory/1232-1-0x0000000075070000-0x0000000075621000-memory.dmp
        Filesize

        5.7MB

      • memory/1232-0-0x0000000075072000-0x0000000075073000-memory.dmp
        Filesize

        4KB

      • memory/1844-994-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/1844-22-0x0000000000700000-0x0000000000701000-memory.dmp
        Filesize

        4KB

      • memory/1844-23-0x00000000007C0000-0x00000000007C1000-memory.dmp
        Filesize

        4KB

      • memory/1844-83-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/3068-12-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/3068-7-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/3068-11-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/3068-14-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/3068-18-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

      • memory/3068-78-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/3068-155-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB