Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-07-2024 21:14

General

  • Target

    64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe

  • Size

    766KB

  • MD5

    64d4adbd2b34c0cbcdf01ecf62c3fa2d

  • SHA1

    357c15c7c98baa23f2e13bcfb3e0509c9830a771

  • SHA256

    33d1e3df5d208445164053583bc302842b65a192655ff115ead3890c5156eeb6

  • SHA512

    537c93521f6ab18b6a2d2ac8e4fd67545bf849b815d2298b962ac103d1e7b16a64b40e759167b5d05868e85334280349a15df3435f879d971b3268678bc36e6d

  • SSDEEP

    12288:HoaxRBxqjeRGm9IppnvVWHNJtkGhBWtiwkM2f95ByXJLR3aBA0cWonaNCfQF7G:Hoa0eVE1VWmGhBkh2F5IXP0c1agfQZG

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

spliff.no-ip.biz:100

Mutex

NA6S5AN2N33NYV

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    J1nsd0ntspeak

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1208
      • C:\Users\Admin\AppData\Local\Temp\64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2316
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Suspicious use of AdjustPrivilegeToken
            PID:1660
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            PID:1324
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2140
              • C:\Windows\SysWOW64\WinDir\svchost.exe
                "C:\Windows\system32\WinDir\svchost.exe"
                5⤵
                • Executes dropped EXE
                PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    • Scripting (1): T1064
  • Persistence
    • Boot or Logon Autostart Execution (3): T1547
      • Registry Run Keys / Startup Folder (2): T1547.001
      • Active Setup (1): T1547.014
  • Privilege Escalation
    • Boot or Logon Autostart Execution (3): T1547
      • Registry Run Keys / Startup Folder (2): T1547.001
      • Active Setup (1): T1547.014
  • Defense Evasion
    • Modify Registry (3): T1112
    • Scripting (1): T1064

Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        21b70ff91971ed271ea427f145e79bcd

        SHA1

        fa109706e017169637330c599e44453ab6955435

        SHA256

        b3fb948c9e8a2864ba1ccdd663c0246091da36cd6025d6204a730bced50b652c

        SHA512

        03e0503b1cc6ccf41536da22acddd85ce34de5e7d1f2f1bcd3a79d9b76b7b64a9e53522f5d699a14c5fb1dd2ba646a4a8564a9a4fd2130ca7f9fb44dd25696b1

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        87a51201222195209a9085eccfcf653f

        SHA1

        ea4f16bb2b2bed4035be99dab2f869a0d5efbc15

        SHA256

        454a8552f5a77e01701b256032a5ddf20d45e5f3aaf45dc56ebfc1562b67a8fb

        SHA512

        8692d3c1b99264e6fb5859d1a1e4a723b4538dc4a93cdd8ff7ecf3cc77a187f9daf28cdf318d6e5179d718b5d8174e063622efd7a0dae0b8580bfc347c06ccf0

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        bde798da1c9b836bd4044faa758938cd

        SHA1

        01e7025445b36e532d3c5b483536e965587ee855

        SHA256

        c395cbe66db8b424df2db956b707aa0eb10ef4774922baeda515a4ccfbd59c4c

        SHA512

        ab3d0f0c0cf8e82fca065539f579c682e82981fa9e9bb756a45c14fd8418ed270ed298d96fd9056866c017a2c2a648d43afabea3ecf31e5aab87a9347b90e4d0

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        09ca9bad05dd1e4ca85da573af37f4c9

        SHA1

        f5e52b6ff39c56e64005c66470f68d7081be6a5d

        SHA256

        1cea38e28d268356f6a06ddd3e4c45d193405edd00356820c6cd7854b2646ece

        SHA512

        0d45e8598261ff7cc588ee408d5a073d784087fcd0ba89d3986e2dfbf38691a742a92d7efc0760b252c07890a3fac19f69738f6c26cb15c02aef87789457c664

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8e7b1b032cb8ca6681888e7a4a5b989a

        SHA1

        f01b3dc6a139d750ce0503767bc6cc71f49b0379

        SHA256

        bf0261554e8f497d5c9c98082d9243861672a0838e2bdac69f97468d89258823

        SHA512

        938625413d3d839c5513ef9b118aa75443609980ed5b13a13da854a9d719d2ea5e4a3bd7a23151722e42d0045e3786ef5c671124fd664ad7a3427bdf9323b2ca

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        558965f3a26002fda11ef65b9fcec31b

        SHA1

        0780b1ce937d81a232360a8eeba303accf3b4f05

        SHA256

        1adf63bdcc51d8140606079014c6dbbcebf794948e6f56f7b9fa8f1f28d37914

        SHA512

        cd2c267523d23fed0f918fb7629e427e07c1e46f7336f8a99f264cf21a2a404f6618bd832d3f3191d9bffe101c86a8817aa0f004b7d5c2d4e6c65b3e93fa75b4

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d3412a296dbaa91cdeb68b30ee15687d

        SHA1

        86615199c52cab6a40174ebdb3c593505766208b

        SHA256

        d3ed829d50505e41d08f1cde8c3a4a50ecf3bbcd010bd97aff16f96761122770

        SHA512

        708321b3bd7a2ae9d372af4f1247f9e98e030188a4bfdcba4717b7451fd20cdd77d88f80e8ddc5a0ae0dcc93aa4995e86639434d25ef675ead1878102ed3eb32

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        6f4cc58573130ca6db3942c13e4c6a67

        SHA1

        0eaa55ac9a06c8f5c35791dcb9a2f433794bd60b

        SHA256

        dedc3ca6ee299b73e769c3ade0f3255b0066df223d3bb1022f085644699185a7

        SHA512

        980235b5e9dc1d9d06d53d824e0bc4a79850364390eb1b0e12fc14f588ed81911fc2ba2945f1a842ec45e7b91158e3ac42ff971ff3d683d6414d5b057c12018b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        132125ce1da9f40738fe3c595d5adbf3

        SHA1

        8b1aa437b301d8834ee9d329ac0407d5e023174b

        SHA256

        6aa4dbe4db9a2ca3b97d4b402716901ca1827bf312673c5d4b3ef3a3e220dd99

        SHA512

        e31077eb691104b9d65dcec017d461988faabe89ee5f9821ae93affaeada47fa853b3ae9e0d90231258cad40632eb2d9710e1b4f2dd279b33545ef79874b408b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        43eb145bacdeca45c6b90ad37493a487

        SHA1

        ccfc4e7840e5e183a6647d7e44905e1ae780694f

        SHA256

        b3e14d9f91b64027f59bce32e3805b4413fd6c24c9835d0a53f985484f8e66bd

        SHA512

        9f7f196f31eff6d26228c947a6eaa6125dd31ea6fb21a0221e9a4e216bbbf5883f5f60e05716e1147ef1e8665d8b3f1b1fb9782c338a51f5cc695f5f0b40b944

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a81b23a0bf4b7bd9a9eb71030298a8cb

        SHA1

        896d9a3b3549d85b30ea69a72401ec0b06e8e51c

        SHA256

        9d862ea34abef2ad973bec75ceb0ba6a8925a8ad606214e9af5732069360f0fc

        SHA512

        7d57aa2bc893ea8ab66a5af50373d56a6e85cef544067e415220f1a89025063ca7430ab667c15bdf5f523ab30017bb9ce33d5109c4da76048f2e7e9597dbd3aa

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        655f0795a2e858b75877d4f4c12a986e

        SHA1

        6405c03767b63520f17a6901f68e0f56581f9886

        SHA256

        c19c193ac052f96b935a13b6d465ee5dfa733f4d776fd5e4437c1b2a97743c5c

        SHA512

        afab06f56ede6113ac557e05f2557b5517da39a303e889ced00fd59037c6accfd7e036370dd1bb2d14a8297f8f3bd1954d19ea7ef2b99c9305225fbf4c8cd07e

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        df49bbcf2aee2eced20620b52faac117

        SHA1

        cd04d278208b12cd5081b776327cbc1c708609b1

        SHA256

        579f4a5b3e32e7ac1d0bda8471e166f868899edb5aca8cf746c80d482f36cd87

        SHA512

        968ac7ce4acb799982ea6d2b2af2160a65ae3893f5242159fa64739c6b2b1acad4f1fe5a0465eca5350424bd6a33a5be4f6e043c0af10d20357a9071424a2d35

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        05581d56f06b1fb3e63892f03410a05d

        SHA1

        e210cb85d551583774e94407324af98d66226f43

        SHA256

        6b281d4ff49c287ff35271f23f1e49d72c914ce22ae6de56c6c1f43d66c42925

        SHA512

        db15e10ae681387e2ec997a2240a2ba976ade7a3d19345390258e0f70ad468e5e7cfbb15966a4b2978f7108dac1e248745c8a527dd4f86e3aabd51e9492540d2

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        b9d89ad9808246a7c8a7bd6d79255e46

        SHA1

        7719db3a2fee7f25b671f91fca43dd27006aedb9

        SHA256

        fad8dd62b469a432fac34a53659e878c8f1c3c3299f6c5a9af5fa4513a8e2d85

        SHA512

        69c51389144d9cd50f1bc57c91987a0b9d6b3fa816151a4276e13318b7c8f9eb98ce8342f8c3320becc2c9868f8e5b503694c64d7d159263795d1e95a6a6852c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        c4393114dd3e51eeeb7978a406ab6b47

        SHA1

        ee2180629d1030a4c630cf5ee2ff018652f52153

        SHA256

        9b1d337263866d5bd7c9645c996af68bd986428ece4e8ad47cec9575c76ca2cd

        SHA512

        4b9c32a5e105e352b464268785c961981e324d008d6f9747f2676abaa293a32ba76ad3109499aaafbf4604afe01fde66b811cbe8dde97a89cb0a9c643134444b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        43dd2449caffb2b374d57f5e1cf6fb55

        SHA1

        b3a7664633b35591087c64310fbe5f70d5d3bd99

        SHA256

        910fb941f6aef46ecb7754d52a830f30d0c9ccf21cc18fe18c493cdc671c3753

        SHA512

        cf779adf8b934fe14e3ee64ee55e82d53614c3f112547bbc496f2283562fa5ceefc8af0ec499b4d51fd9affa919a0dae755ba828a557579019668289d4afba78

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3df1b9beaf63d7448861684726c94f5a

        SHA1

        ed1221f644d068e2659f431e22dcd756d07c8807

        SHA256

        5ddca14d3b2ea257d9b8987c687620c11e6b594dad14048bd989abaee18796a1

        SHA512

        23f1c42f214bb29b7deabc121c5e0f4bb44df34170c20873c3813152afd530ab3172659e64ee8ca4c1ad1ac36d394380c37c7e20aabff676f3f8f207a16cb11b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3142fa1a281841974f08f362ecbee87c

        SHA1

        f8c1033fc9a0f2a2f6471113991685466c87da95

        SHA256

        d807bfefd8ca48f9ddee1cc02e203fe6c8cf0fcca89b7dfb6abd797e14a88270

        SHA512

        cd7b0bda0071064e04106bc25784e66826c347acf4f5deeb4d25c863ddaad024bf90f7bf9139f71ede5c657335e024ed77dbf1ab7cf8290da82bbde35bc214ff

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\svchost.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

      • memory/1208-20-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
        Filesize

        4KB

      • memory/1660-551-0x00000000002C0000-0x0000000000541000-memory.dmp
        Filesize

        2.5MB

      • memory/2316-5-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2316-7-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2316-3-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2316-15-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2316-14-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2316-8-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2316-4-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2316-13-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2316-6-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2316-881-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2316-9-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2316-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2316-12-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2976-0-0x0000000074441000-0x0000000074442000-memory.dmp
        Filesize

        4KB

      • memory/2976-16-0x0000000074440000-0x00000000749EB000-memory.dmp
        Filesize

        5.7MB

      • memory/2976-2-0x0000000074440000-0x00000000749EB000-memory.dmp
        Filesize

        5.7MB

      • memory/2976-1-0x0000000074440000-0x00000000749EB000-memory.dmp
        Filesize

        5.7MB