Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-07-2024 20:52

General

  • Target

    64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe

  • Size

    924KB

  • MD5

    64c47fdc5b4d63fef7792d57a1dfd082

  • SHA1

    a763fe7f2e293549d05d02108b70d46776147621

  • SHA256

    f0f46eed0c64f5859af3b95bfafcbe559ac6ca27af868f32ba01927790f5f412

  • SHA512

    26a170bc9b8aaae70006a2f334fdbbece10b3ecf7e2bc44296020fc41d935d52c21d10058adf29a14286405ce5755df014f9b0b8046b4dac67b7d1139103edc5

  • SSDEEP

    12288:IfI3nYmw+UqNd7iaw56TLuKaC9LUoegw+Nqvl33zApr/q4rMaxULwA5qHPQNyYwF:ionc0eNNB9PEvRc

Malware Config

Extracted

Family

cybergate

Version

v1.01.8

Botnet

cyber

C2

kikiriki12.no-ip.biz:100

Mutex

CyberGate1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs

    vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript engine. The process tree below shows the sample spawning it and then using SetThreadContext and WriteProcessMemory against it, a sequence consistent with process hollowing: the persistence and file-drop activity attributed to PID 2704 is the RAT running inside the compiler's image, not a compilation.
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:916
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2420
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:1652
              • C:\Windows\SysWOW64\WinDir\Svchost.exe
                "C:\Windows\system32\WinDir\Svchost.exe"
                5⤵
                • Executes dropped EXE
                PID:2508
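
Hunting checks derived from this report, as an added example (it is not output of the sandbox and not CyberGate's own code). The constants come from the extracted config and the process tree above. Note that the command line for PID 2508 reads C:\Windows\system32\WinDir\Svchost.exe while the dropped file is listed under C:\Windows\SysWOW64\WinDir\Svchost.exe: that is WOW64 file-system redirection for a 32-bit process, so a path rule has to accept both forms. The EVENTS list is constructed to mirror the process tree and is not real telemetry; the registry paths are the standard Windows autostart locations assumed to sit behind the "Run key", "policy Run key" and "Active Setup" signatures; the Active Setup GUID, the value names and the short dynamic-DNS suffix list are illustrative assumptions.

```python
"""Host-side hunting checks for the CyberGate indicators on this page.
Added example, not part of the sandbox report. Constants come from the
extracted config and process tree; EVENTS is constructed, not real telemetry."""
import ntpath
import re

C2_HOST = "kikiriki12.no-ip.biz"        # C2 host from the config (port 100)
INSTALL_TAIL = r"windir\svchost.exe"    # install_dir=WinDir + install_file=Svchost.exe
HOLLOW_HOST = "vbc.exe"                 # VB.NET compiler the sample injects into
DYNDNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".ddns.net")  # assumption: illustrative list
# Only directories a genuine svchost.exe lives in; both appear for 32-bit code
# because it asks for System32 and WOW64 redirects it to SysWOW64.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Standard autostart locations assumed to be behind the report's signatures.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
POLICY_RUN_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\[^\\]+$", re.I)
ACTIVE_SETUP_RE = re.compile(
    r"\\software\\microsoft\\active setup\\installed components\\[^\\]+\\stubpath$", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
DROP = r"C:\Windows\system32\WinDir\Svchost.exe"   # as written by the RAT (pre-redirection)

# Constructed Sysmon-style events mirroring the process tree (PIDs as on the page).
# Value names HKCU/HKLM follow regkey_hkcu/regkey_hklm; the GUID is a placeholder.
EVENTS = [
    {"type": "ProcessCreate", "pid": 2760, "image": SAMPLE, "parent_image": r"C:\Windows\Explorer.EXE"},
    {"type": "ProcessCreate", "pid": 2704, "image": VBC, "parent_image": SAMPLE},
    {"type": "RegistryValueSet", "pid": 2704, "details": DROP,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HKCU"},
    {"type": "RegistryValueSet", "pid": 2704, "details": DROP,
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKLM"},
    {"type": "RegistryValueSet", "pid": 916, "details": DROP,
     "target": r"HKLM\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath"},
    {"type": "FileCreate", "pid": 1652, "target": r"C:\Windows\SysWOW64\WinDir\Svchost.exe"},
    {"type": "ProcessCreate", "pid": 2508, "image": r"C:\Windows\SysWOW64\WinDir\Svchost.exe", "parent_image": VBC},
    {"type": "DnsQuery", "pid": 2508, "query": "kikiriki12.no-ip.biz"},
    # Benign controls that must not fire: the real svchost, and vbc.exe started by an IDE.
    {"type": "ProcessCreate", "pid": 4000, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "ProcessCreate", "pid": 4001, "image": VBC,
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
]


def _norm(path):
    return path.replace("/", "\\").lower()


def fake_svchost(path):
    """True for an svchost.exe that is not directly inside System32 or SysWOW64."""
    directory, base = ntpath.split(_norm(path))
    return base == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS


def hunt(events):
    """Return sorted, de-duplicated (rule, pid) findings over Sysmon-like events."""
    hits = set()
    for e in events:
        kind, pid = e["type"], e["pid"]
        if kind == "ProcessCreate":
            image, parent = _norm(e["image"]), _norm(e["parent_image"])
            # A .NET compiler launched from a user Temp folder is the sample -> vbc.exe
            # step: a hollowing host, not a build.
            if ntpath.basename(image) == HOLLOW_HOST and "\\appdata\\local\\temp\\" in parent:
                hits.add(("compiler_spawned_from_user_temp", pid))
            if fake_svchost(image):
                hits.add(("svchost_outside_system_dir", pid))
        elif kind == "FileCreate":
            if fake_svchost(e["target"]):
                hits.add(("svchost_outside_system_dir", pid))
        elif kind == "RegistryValueSet":
            target, value = e["target"], _norm(e.get("details", ""))
            rule = None
            if RUN_KEY_RE.search(target):
                rule = "run_key_autostart"
            elif POLICY_RUN_RE.search(target):
                rule = "policy_run_key_autostart"
            elif ACTIVE_SETUP_RE.search(target):
                rule = "active_setup_autostart"
            if rule:
                hits.add((rule, pid))
                if value.endswith(INSTALL_TAIL):   # autostart aimed at the configured drop path
                    hits.add(("autostart_points_at_cybergate_install_path", pid))
        elif kind == "DnsQuery":
            query = e["query"].lower()
            if query == C2_HOST:
                hits.add(("dns_query_for_known_c2", pid))
            elif query.endswith(DYNDNS_SUFFIXES):
                hits.add(("dns_query_to_dynamic_dns_provider", pid))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule:45} pid={pid}")
```

Run it directly to print the findings; hunt() is the function to point at real Sysmon events (IDs 1, 11, 13 and 22) once they are mapped into the same dict shape. The svchost rule keys on directory rather than on the exact string from the command line precisely because of the System32/SysWOW64 redirection noted above.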

      Network

      MITRE ATT&CK Matrix (ATT&CK v13)

      • Execution
        T1064 Scripting: 1
      • Persistence
        T1547 Boot or Logon Autostart Execution: 3
          T1547.001 Registry Run Keys / Startup Folder: 2
          T1547.014 Active Setup: 1
      • Privilege Escalation
        T1547 Boot or Logon Autostart Execution: 3
          T1547.001 Registry Run Keys / Startup Folder: 2
          T1547.014 Active Setup: 1
      • Defense Evasion
        T1112 Modify Registry: 3
        T1064 Scripting: 1

      Note: T1064 (Scripting) is a deprecated ATT&CK technique, superseded by T1059 Command and Scripting Interpreter; the sandbox still emits the legacy ID, so map it accordingly when importing these tags.

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        221KB

        MD5

        3f85d6ada96258b4203844a721a09cac

        SHA1

        67e3c8c732be978b4063afa58b1af1574be50b0c

        SHA256

        42e052656e517d2332a499d5e39222ada138818f6aab55fb35634ed5bf98a444

        SHA512

        a2cc0fb3ab5a16936bac7b3659a65bbe4731c16018928295edcf92de24399bdec03a4dc10831da31badf402ec89d038e196fb29660645dfc9aee6fdfa12ac9d9

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        7e5acce0d5e255186e1876595cb0d515

        SHA1

        63ca3bb092f7f8b9d5b0d82304535eb5be552f5e

        SHA256

        308674b9b0c65fb3e403797c4b4c9009c4f47e549e01f883c439fe50b7a6e1f3

        SHA512

        b396aa81f9b18f79040cbf236f5b4674421c5fd17759133fdd41d2a886679bbd830d5ebfe5a8a9bcd282eaaa33abbbc7eafdfd09811af20fd03f3221fc5679e1

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        211fe23039865cc513d8733a07dd334a

        SHA1

        f9c3713b490231b121c5da9a5b25dd0d205b5015

        SHA256

        d243eb17242aa15ef1dbb112d3d5f49e9378bed334ecd1536fcc5d1ab59c6dfe

        SHA512

        902abc454ad8dab226d203eada105028abf92637718bd34ac0b84d3be1722ead5a19f3ea42aeed624df2f5ee5bfa22ce92682e2745d3e6e01457f76ffdc1cd24

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        dbcd7ad5d61ac6124e79739fc3eab3a9

        SHA1

        d9fa95d28e88d3b6f34fa9ecbda6911be5ba8719

        SHA256

        d1b2595282f1a03dad544ced2ed2026cd83dd28005742d9b3babae3992d7ce22

        SHA512

        ab30719485ac6cbbb1909b0ff19f5a9271ffffb4c8d8c54c772bb2b7792492ddae05a424cf9dd8fb98068d1311553c304ed5fe95348501d677473cd5322dfffd

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        bcbf156f289dbcc8381ccdb4321d43ff

        SHA1

        e7986a9980dafed1d7547ccd129bd065c7616d90

        SHA256

        ddbc4304cf5698fda60b87e394873bb4b37d3016477d355cb2d3cf9661351235

        SHA512

        5b9029501a9f6a4ffda8d06c4eb4175f2fc6d33aa6936596863392a1b96a1bd53c1981197ec3b76a1c71585cccbac8eb3be4b3a592b90b88b1999b418fe56f24

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        77fc2b0e3e55bd701ce7ef4c55a26ae4

        SHA1

        aaf89974e9a7a82b742bfef2217b84bffde0e735

        SHA256

        c3c0be7bd9ab3f2ef6d05af8ed444b11fdc7c776e78c1379aafa8984c2facbd3

        SHA512

        eb39932da095b9445a15e84b6ed30e94a4582484f1368aef241d5508ea5ae7799b2b60eaeb1111f33de72c330825af17756498e4e68c97394e5be9d148e5592f

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        d1da74f674b4f714895dfbdfcebf0b03

        SHA1

        760980a8423603bf59b109ef21aadcd87b87cd37

        SHA256

        c045cb1ca86c8bb2e82d377d0ddcd2aaf19b8622c45617f173449570bb3de1a6

        SHA512

        e41a79d8a02f0b0192087e4db1dd9bd4e97d98e2e95535972858a529b005ab58fa0664b4dc2426911fdaed3e6c1c632e993b0d300bdeb69219c111441a605200

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        723943b2da59d382e8eb931528b88b6f

        SHA1

        1ff7b69d839a57e7da695a420a66243e73030d82

        SHA256

        6e8731a1f18f24a5c3699e57db3510865722e832b5a37460abac2a68c6b686c4

        SHA512

        0f42e16cf061faf659b18e12611f9984ee7fad84f65be768d330f4814b96c1c2418bfa710fe374641c6b1bc3249c40f0054d48398502ae5060c0b951a4ce24c2

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        df6504320e7307a684816f5eac88f5ab

        SHA1

        a0545ec66b44de03ae4f63541de652d52e84dae5

        SHA256

        0731ad225746ce26b1b08c94b1a078bcf25fe09d0c4939853f331438ad767fac

        SHA512

        41e5eb1ba335275552cea7d4d60e0840a29c9ec0370ba323c00739fefd28ff6727f68254a05af8e452373d19909f0db08cbca4b02cade7f60fe5002cd976ade6

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        6cdc3d3f2cd07377f130c5962930ec19

        SHA1

        80c3a30aa14d150851c3f2178b4f6d9ac9078865

        SHA256

        e83897d0d33a37fa4b5604e5c47343208b4fdc82a1e601ccecb9924c4a0bfbab

        SHA512

        07a82206a2f7db961c510cd1924f29bf4a05a2e6abad11158067bf15f7946ead80300c9af45b265708dd6b684a4f4e8348d3a65dd612b97d30e3f123580c4635

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        447ef357cda3bd64b873dfa23ba79bc5

        SHA1

        f6ba16f4894a14e6f106d8a659f5a60508ac4060

        SHA256

        5e9bc10433ccba6a777bec680bfba6a4a9868e50b82105f9ca0b5f8f8b75c41f

        SHA512

        3d85220ce2a299a97fdfc1e8a799f38f47a10e0e137f609bf3ef230766aa7792e95763b6e8ec841d07df60804fdc3b6b8a092097bb8b1bf24e2c46c22308fbf5

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        d7071dfd2e9324aacdc9c58370c7f85e

        SHA1

        c3950419475d0be1a1c4221ddaf3ad1fd18513af

        SHA256

        0e1f9d7e940c1df01c5905f29c7b9fb69d56149b81b319e28b170bfb29b466fd

        SHA512

        189248a01396466cf20ca91de018e57c22d9b69f714df6259cfbc0acc26ee0dff834d0c9d4c297078d3cd34ac64e579acad89fe001db904759a21e5a714dc67c

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        df9baa422bf8e3a7a33a3d3902516bdd

        SHA1

        1a3b0dde67eb97380a29d4fb792e25d330a3dd8c

        SHA256

        a40623c4d2aadd4e2d9229daa2cf03467dab931a45d94012498128437e54e3e4

        SHA512

        9a2babab00a6f163572050d46bd954802ddb7d990dee6b16cd4d845fe3bd840723c9e3ae48806c006dab4d90f1c4cd72d349a409f69eda5083d247daebbaa192

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        de415240d664ca672c3b6b1c02598159

        SHA1

        e27ed8ad06a0f7e82ef8a21e735a5d40fca878f2

        SHA256

        df405d0f87228d23c19eaf71089117b87ba2a1d5cbb620d30e827e0e3bf342fd

        SHA512

        6ab8a3b6d9c9930b6d736a7b1c0753c05fc00c2a4f205c3febecad345b67e7cd479ec69f05cd49c586639be6f439244929efaf8dedab1fab4a18446de751d015

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        89d2d6248f633836a049c9f44299c9af

        SHA1

        d7217cc3d6184cbc0a36d19e6793048a6ab6ee74

        SHA256

        bca5aeebb4d595a9b14ea6f23a75f98c15889b40d57399cc9d52ce18ea2ec384

        SHA512

        cd3def98ec38a7276376622909de6651c523251e6832a1563167f02bc699e570fd762ccb1bb904316dee960ddb2f9a183ce31e08ca84c93b86066028c6096a67

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        d897e51effe26e8ae35ab7fec09d6f8e

        SHA1

        3071cce8523269ffec8940097c7d722de488030b

        SHA256

        e975c78c6c16f0d3231de30650e343e4582828556955c19b1d002b5671286be9

        SHA512

        86de7bbea585c5240789a0ea6a8673c4fcfad7d091e92c645c3fd174d0c739bdef198dd539af35f0fe17564571371b76cf3803a2a1ea7af6214865cee9443645

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        31f1654a6f8982bde02d356538c390f3

        SHA1

        4b5da00d03f9d378527a2a6056317f92deeae6b3

        SHA256

        238026f16dce56de4e77963d8083c18e9b3dc2c9fcba9a1ab4f6b41c3a8f3349

        SHA512

        23baea7afd8b001b492674bdc421d3d15e05fabf5db54c4c5e9e174a524d1fcf6ea39070dd6c778232011ccd141a287e4627959e7e368fbecce1041d83e8f193

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        ecc4873512b026f9db822e06023e21ad

        SHA1

        53c472b9e8f7691955fe1fa33c7c447772e57c65

        SHA256

        4fd78119461b5a9d37c88dd5aa07d8b35bc0de90d17c3094e16ac3e718719327

        SHA512

        b44c9419f833c4afa7095480a7c55abe5bf284159ab7ee418d0ba711ee96aea174592cb2d00039fa714b2fee9a1a2f49c20c7abad852842916ec7f1199e17a58

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        b5c135be264c92a6977720a75a227ff4

        SHA1

        3040fe52e26a52ec061e7625e03213d6b4a0239e

        SHA256

        8c87d4215d662b542ed55996b5d0e36948af23638d8c56ae08760c248b8007db

        SHA512

        6b2c453d239e316f410a4d5aff659b17bae4d9831266d17e0559ee92a7d5293ebeae3622439e266951de676c4e12da4eaeecc2f2faa331693ad6838c01baac68

      • C:\Users\Admin\AppData\Roaming\logs.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\Svchost.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

      • memory/916-540-0x0000000024070000-0x00000000240D0000-memory.dmp
        Filesize

        384KB

      • memory/916-312-0x00000000003E0000-0x00000000003E1000-memory.dmp
        Filesize

        4KB

      • memory/916-300-0x00000000000E0000-0x00000000000E1000-memory.dmp
        Filesize

        4KB

      • memory/916-1442-0x0000000024070000-0x00000000240D0000-memory.dmp
        Filesize

        384KB

      • memory/1180-20-0x0000000002A30000-0x0000000002A31000-memory.dmp
        Filesize

        4KB

      • memory/1652-1563-0x0000000024130000-0x0000000024190000-memory.dmp
        Filesize

        384KB

      • memory/1652-870-0x0000000024130000-0x0000000024190000-memory.dmp
        Filesize

        384KB

      • memory/2704-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2704-7-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2704-2-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2704-3-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2704-6-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2704-4-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2704-16-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2704-11-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2704-14-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2704-19-0x0000000024010000-0x0000000024070000-memory.dmp
        Filesize

        384KB

      • memory/2704-8-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2704-869-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2704-12-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2704-5-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2760-15-0x0000000074B80000-0x000000007512B000-memory.dmp
        Filesize

        5.7MB

      • memory/2760-13-0x0000000074B80000-0x000000007512B000-memory.dmp
        Filesize

        5.7MB

      • memory/2760-0-0x0000000074B81000-0x0000000074B82000-memory.dmp
        Filesize

        4KB

      • memory/2760-1-0x0000000074B80000-0x000000007512B000-memory.dmp
        Filesize

        5.7MB