Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-07-2024 20:52

General

  • Target

    64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe

  • Size

    924KB

  • MD5

    64c47fdc5b4d63fef7792d57a1dfd082

  • SHA1

    a763fe7f2e293549d05d02108b70d46776147621

  • SHA256

    f0f46eed0c64f5859af3b95bfafcbe559ac6ca27af868f32ba01927790f5f412

  • SHA512

    26a170bc9b8aaae70006a2f334fdbbece10b3ecf7e2bc44296020fc41d935d52c21d10058adf29a14286405ce5755df014f9b0b8046b4dac67b7d1139103edc5

  • SSDEEP

    12288:IfI3nYmw+UqNd7iaw56TLuKaC9LUoegw+Nqvl33zApr/q4rMaxULwA5qHPQNyYwF:ionc0eNNB9PEvRc

Malware Config

Extracted

Family

cybergate

Version

v1.01.8

Botnet

cyber

C2

kikiriki12.no-ip.biz:100

Mutex

CyberGate1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
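The extracted config above is only useful if it is turned into things a responder can actually look for. The script below is an added example (not code from the sandbox report and not CyberGate's own code) that does that: CONFIG is transcribed from the Malware Config section; SYSTEM_ROOT, the registry key paths and the `<GUID>` placeholder under Active Setup are assumptions, since the report names the persistence mechanisms but not the value names or the component GUID. It also encodes one detail a hunter would otherwise miss: the process tree runs "C:\Windows\system32\WinDir\Svchost.exe" but the file on disk is under SysWOW64, because the 32-bit dropper's write to system32 on x64 Windows is redirected by WoW64 file-system redirection, so both spellings have to be searched.

```python
"""Turn the CyberGate config extracted above into concrete hunt artifacts.

Added example; not code from the sandbox report or from CyberGate. CONFIG is
transcribed from the Malware Config section. The registry value names and the
Active Setup component GUID are not in the report and are left as unknowns.
"""
import ntpath
from dataclasses import dataclass

CONFIG = {
    "c2": "kikiriki12.no-ip.biz:100",
    "mutex": "CyberGate1",
    "install_flag": True,
    "install_dir": "WinDir",
    "install_file": "Svchost.exe",
    "injected_process": "explorer.exe",
    "regkey_hkcu": "HKCU",
    "regkey_hklm": "HKLM",
    "enable_keylogger": True,
}

SYSTEM_ROOT = r"C:\Windows"  # assumption: default Windows directory

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
ACTIVE_SETUP_KEY = r"Software\Microsoft\Active Setup\Installed Components\<GUID>\StubPath"


@dataclass(frozen=True)
class Ioc:
    kind: str   # "network" | "mutex" | "file" | "registry"
    value: str
    note: str = ""


def split_c2(c2: str) -> tuple[str, int]:
    """'host:port' -> (host, port). The C2 is a dynamic-DNS name, so hunt on
    the hostname in DNS logs rather than on whatever IP it resolved to."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


def install_paths(cfg: dict) -> list[str]:
    """Both spellings of the drop path. The report's process tree shows the
    command line "C:\\Windows\\system32\\WinDir\\Svchost.exe" but the image at
    C:\\Windows\\SysWOW64\\WinDir\\Svchost.exe: the 32-bit dropper's write to
    system32 on x64 Windows was redirected to SysWOW64 by WoW64."""
    tail = ntpath.join(cfg["install_dir"], cfg["install_file"])
    return [ntpath.join(SYSTEM_ROOT, sub, tail) for sub in ("system32", "SysWOW64")]


def is_fake_svchost(observed: str, cfg: dict = CONFIG) -> bool:
    """Exact-path match against the install path. Because the comparison
    includes the WinDir\\ subdirectory, the genuine svchost.exe directly under
    system32 or SysWOW64 never matches."""
    norm = ntpath.normpath(observed).lower()
    return any(norm == ntpath.normpath(p).lower() for p in install_paths(cfg))


def derive_iocs(cfg: dict = CONFIG) -> list[Ioc]:
    host, port = split_c2(cfg["c2"])
    iocs = [
        Ioc("network", host, f"C2 hostname, TCP/{port}"),
        Ioc("mutex", cfg["mutex"], "single-instance mutex"),
    ]
    if cfg["install_flag"]:
        iocs += [Ioc("file", p, "dropped copy masquerading as svchost") for p in install_paths(cfg)]
        # Persistence locations named by the report's signatures. Value names are
        # unknown, so a hunt should match the install path in the value DATA.
        for hive in (cfg["regkey_hkcu"], cfg["regkey_hklm"]):
            iocs.append(Ioc("registry", hive + "\\" + RUN_KEY, "Run key"))
            iocs.append(Ioc("registry", hive + "\\" + POLICY_RUN_KEY, "policy Run key"))
        # Active Setup: the HKLM StubPath runs at logon for every user whose HKCU
        # copy of the component key is missing.
        iocs.append(Ioc("registry", "HKLM\\" + ACTIVE_SETUP_KEY, "Active Setup"))
    if cfg["enable_keylogger"]:
        # Seen among the report's dropped files.
        iocs.append(Ioc("file", r"%APPDATA%\logs.dat", "keylog output"))
    return iocs


if __name__ == "__main__":
    for ioc in derive_iocs():
        print(f"{ioc.kind:8} {ioc.value}  {ioc.note}")
```

Run it and feed the `file` and `registry` entries to whatever you query endpoints with; `is_fake_svchost` is the filter to apply to process-creation or file-write telemetry so that the real svchost.exe does not drown the result.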

Signatures

  • CyberGate, Rebhip

    CyberGate (detected by some vendors as Rebhip) is a remote access trojan sold as a "remote administration tool". This build has the keylogger enabled, installs itself as a fake Svchost.exe, and injects into explorer.exe.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3436
    • C:\Users\Admin\AppData\Local\Temp\64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          PID:1460
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:5068
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          4⤵
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:3300
          • C:\Windows\SysWOW64\WinDir\Svchost.exe
            "C:\Windows\system32\WinDir\Svchost.exe"
            5⤵
            • Executes dropped EXE
            PID:4360
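The process tree above is the classic hollowing shape: a dropper in %TEMP% uses SetThreadContext and WriteProcessMemory against a freshly started vbc.exe that was given nothing to compile, the hollowed compiler then spawns explorer.exe, iexplore.exe and a second vbc.exe, and finally a binary named Svchost.exe runs from a directory that is not system32. The script below is an added example (not part of the sandbox report) that turns those three observations into process-creation rules and runs them over a constructed, Sysmon-style event list transcribed from the tree; the last two rows are constructed benign controls that do not appear in the report. The compiler list, the cvtres.exe allow-list and the "no arguments" test are assumptions chosen for this example.

```python
"""Process-tree heuristics for the pattern in the report.

Added example, not part of the sandbox report. EVENTS is a constructed
Sysmon-style event list (pid, parent image, image, command line) transcribed
from the report's process tree; the two rows marked as controls are
constructed and do not appear in the report. The tool lists are assumptions.
"""
import ntpath

COMPILERS = {"vbc.exe", "csc.exe", "jsc.exe"}
# csc.exe/vbc.exe legitimately start cvtres.exe to convert resources; allow it.
COMPILER_CHILDREN_OK = {"cvtres.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

EVENTS = [
    (4532, r"C:\Windows\Explorer.EXE", TEMP_EXE, f'"{TEMP_EXE}"'),
    (2480, TEMP_EXE, VBC, VBC),
    (1460, VBC, r"C:\Windows\SysWOW64\explorer.exe", "explorer.exe"),
    (5068, VBC, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    (3300, VBC, VBC, f'"{VBC}"'),
    (4360, VBC, r"C:\Windows\SysWOW64\WinDir\Svchost.exe",
     r'"C:\Windows\system32\WinDir\Svchost.exe"'),
    # constructed benign controls (not from the report)
    (9001, r"C:\Windows\system32\services.exe", r"C:\Windows\system32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k netsvcs"),
    (9002, r"C:\Program Files\dotnet\dotnet.exe", VBC,
     f'"{VBC}" /noconfig @"C:\\Users\\dev\\AppData\\Local\\Temp\\abc.cmdline"'),
]


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def has_no_arguments(image: str, cmdline: str) -> bool:
    """True when the command line is just the executable: a compiler started
    with nothing to compile is a hollowing host, not a build step."""
    return cmdline.strip().strip('"').lower().endswith(base(image))


def evaluate(pid: int, parent_image: str, image: str, cmdline: str) -> list[str]:
    hits = []
    if base(image) in COMPILERS and has_no_arguments(image, cmdline):
        hits.append("compiler_started_without_arguments")
    if base(parent_image) in COMPILERS and base(image) not in COMPILER_CHILDREN_OK:
        hits.append("compiler_spawned_child_process")
    image_dir = ntpath.normpath(ntpath.dirname(image)).lower()
    if base(image) == "svchost.exe" and image_dir not in SYSTEM_DIRS:
        hits.append("svchost_outside_system_directory")
    return hits


def detect(events) -> dict[int, list[str]]:
    """pid -> triggered rule names, omitting events with no hits."""
    alerts = {}
    for pid, parent_image, image, cmdline in events:
        hits = evaluate(pid, parent_image, image, cmdline)
        if hits:
            alerts[pid] = hits
    return alerts


if __name__ == "__main__":
    for pid, hits in detect(EVENTS).items():
        print(pid, ", ".join(hits))
```

The dropper itself (PID 4532) produces no alert on its own; it is caught through its child, which is the usual situation with hollowing and why the parent image is worth carrying in the alert. The third rule keys on the directory rather than on "WinDir", so it also fires for any other subfolder an installer invents.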

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    Scripting, T1064 (1 matched signature)
  • Persistence
    Boot or Logon Autostart Execution, T1547 (3 matched signatures)
      Registry Run Keys / Startup Folder, T1547.001 (2)
      Active Setup, T1547.014 (1)
  • Privilege Escalation
    Boot or Logon Autostart Execution, T1547 (3 matched signatures)
      Registry Run Keys / Startup Folder, T1547.001 (2)
      Active Setup, T1547.014 (1)
  • Defense Evasion
    Modify Registry, T1112 (3 matched signatures)
    Scripting, T1064 (1 matched signature)

    Note: T1064 (Scripting) is a deprecated ATT&CK ID whose content was folded into T1059 (Command and Scripting Interpreter); map the vbc.exe usage there when working from a current matrix.


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        221KB

        MD5

        3f85d6ada96258b4203844a721a09cac

        SHA1

        67e3c8c732be978b4063afa58b1af1574be50b0c

        SHA256

        42e052656e517d2332a499d5e39222ada138818f6aab55fb35634ed5bf98a444

        SHA512

        a2cc0fb3ab5a16936bac7b3659a65bbe4731c16018928295edcf92de24399bdec03a4dc10831da31badf402ec89d038e196fb29660645dfc9aee6fdfa12ac9d9

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        4baaaa32f668f756af1c1dc7446eb3aa

        SHA1

        b63b17160d6287fd444b0df89b5f565378baecf1

        SHA256

        2cddddaa45ff0478a6ac2b7fe5c0361bad160a22f933c29623a8d1c0706e920e

        SHA512

        6ae585ee52e613517ef162c6e45e3a27b22356cd9d4bb3e984f68a45e82980804240b625defbab3e920226bb9f34e344293c732b6a9eca7a0891339f880fb8b0

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        5bc9420e23e559eef94396977768796a

        SHA1

        431c9695a6f254b7a1faacb05dc6bfe7e0b0a918

        SHA256

        5af533b99f497c2096b4dc2abdd5ebb7fec015860ed4c7875abb5b6b1c47e98e

        SHA512

        5704d9febac8475c1450698e712a3a4a677984900f213506f82357ad42e197fc01552336595f2fc51fc2152f24662c9b7aee619ab5cc1bbb6784358c97f9439f

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        1fbc3ac0b29290615844239bc48b1e19

        SHA1

        c1013395ccfa3d8a1925867f840822fd401d338b

        SHA256

        0805a15e2a483cb22d167194a0dcb936ec9a7092f7c4f2d394cfa18b4370288f

        SHA512

        eb4d03f93c8e0e1f7746ba6e4efb73019e9912fb6f99b2f16ad08e8e51bb2a6398222a5ecccc83675bbc13ed6dccbd444faeca1682ca58d9e978e0788eae8bf0

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        793b5d6efb7c0319f9e06131ef61ff35

        SHA1

        9ed2cb87965658231eee03106a0fac3e4b9f5e6c

        SHA256

        8e20a632dcf7f7fb0fe32e5a602d2373bb62979367c93842a12ce1063f0fc9d7

        SHA512

        5ff85c9ec6d7d1be97bd699c0421165e4a328bc7cf7caf4ffbe302f86fcdbe91dbf16aa2916685c7d8d800ea21b7154f67516bdf07c9bff4b1549af35c6526d6

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        f9b05e65dfa5eab88deed43d1f82d478

        SHA1

        d01571613b25dbf9d6b08fb0c640d779a541a938

        SHA256

        94ce0c752efe7c0fd3fb2a26192847f3d3f62424a172040fd08445eff0fdc6ba

        SHA512

        e8d653d4c62a6fda564eb4d0da328eb5817b5660dff66a1c02a0fe1b869424f824b67700e56d7defa1c3c76486cd9f56fa80e3b3b6f0d415d5f0266991a40ab8

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        3420e27847c7212dd01ded6620236c9e

        SHA1

        e7f56df3d1328135cb5bc7f1a1ea6ad3b3ad6765

        SHA256

        01f70ba735f4cf54b82c061ba3df13aec5dc1e00322f9fb61f5f726ab38b8125

        SHA512

        7254aaea6b50acd84395f94a0495995207d3b26ed4245b406cb3f5f830c3f68aef9c6c4842ad543e51c04eec00cf57eccec45084b2ede748de02a6a083fd2ff7

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        598dad6b9267fc7b6685418515dc71e1

        SHA1

        64e7708dd0095b4c4bbc9f8fd976fc09e21d4ab1

        SHA256

        3a627bd0547e30652546547a2bb0eea2f269c942a21369a54a2fbbe0bee91f0d

        SHA512

        c5e903d657601bb5648e50740d1246d1833fbc0cb8cb4b0cfad3b61fae22170f9861c2c8ade7699f6c3283a67faf8153219749b6be72300e41302543afa8deff

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        d8fe358def1210477f31a46638175e30

        SHA1

        03fdeef10f843b1711ddcba937e42348054c2f97

        SHA256

        a915321a12ac79d1fa0b3171555e919495a05efbe53eadab96b4b5e7625e85ff

        SHA512

        ebcbd2eaa993c681f47d1a523e4bca5eecd208dcdae8c9d89ffc4d54460185b110837e357a8ead0990b3d79df674f8d07b06821c4cef3d28193638e839b13ae8

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        25eb1adba9723926d5b4fa5626c602e7

        SHA1

        0a8e521af3bd18fa6e45cf60775ac0bf3a0564e3

        SHA256

        ca14d51285290133ed38b13285859a866c91b24a3f76ef5cdf2d53b3e27193f0

        SHA512

        1b4096ab0739682dc7b6f0bcfa4ae7c52d43f5cce51748ce304b31c56390364b4b142d2758c28b8d50b69daaa81eb7772fb0544c807aaccac62438116a222082

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        4b61dc342d68130356559d81fd99d48c

        SHA1

        84b205430b15cc241a032e19874ed737a77923aa

        SHA256

        61c7f3aa13eb454c8d2478ccd2202814356cb4076d0c955997e30c8ff5d4adc6

        SHA512

        61565363cbfecbbc8fe4eb03e433ba5e9379d188af11e16bc3235e6b8cfb168c7ff7f649bd7066d78016d68e1aa8eb60ab7f7bc2e2846254d3f321c29cde420b

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        d7a7402cf0c850e4d2a408ecd61c5091

        SHA1

        e219536e37ffde60f2d379c247a0c95d414e6c41

        SHA256

        7f4befe93931f3981312df5eb22f35e980977d06668b4883994023b2deee3a2b

        SHA512

        daa913c63dd12fea9a6586432a91c4da2a0427831b18390f5691736098af55d197b3cbd8bc3955cfbacd23c74475b85d2e04c7e1c02ede3e36eebe00185be600

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        be792f73bc44efcb66d5de1ac07817cc

        SHA1

        53d7db3baa83d3f725ee2019c7418613f82dfb94

        SHA256

        52646e6402337d3f1dc68812e898d0e68ae672913c6aa67532d1680ee6126eba

        SHA512

        2a0211d3970136caa7c15f34480c6a627ef3f1a51bc0fd54450abe17d60ce42a98cc955ae8997c6562f30ca0dedd9a37cfa7d044ec7f67c0b7ad3af4eaccad3d

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        ab223117bfda5d1e33e97d1c55732ced

        SHA1

        127f7ced6c0533c16136cfa120db62ac66b044a8

        SHA256

        adc77a409c5a464f029b895605c51898e9e2a40d12c632cd84da913b82fa4a74

        SHA512

        9149b2c8ee36339539580fa68a2c08082b6ed759035e867e5a1c7f6cc81dc69d3dfbe127ec8eeac4d48ec8d7b65f0092d5da9fad3002377da67541468848fde8

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        4fafce406b7b7b1f595a8544cf720631

        SHA1

        a8070e3729216e578f4611134f86f756b734263d

        SHA256

        d60f069aa8969e379d603840f1c900be13c6cbee6180f997e13813d0dc620817

        SHA512

        7dd6f947a22b1c144389b16aa17c1b35afa27e580c65b67b6e3cd78fd6b228a175e27a377a14bfc7eeea22e758ab16ada52a38030f4b6cbb2751974c24033211

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        cbf553618491a6b89bee4ce8b24df012

        SHA1

        bb31b646467b92a628dacb3636c470e83725529f

        SHA256

        861dcf746e6699ccb746f988bf429ed9199defdafe864444ccc873972b85cfe3

        SHA512

        36671bd8cd1ab42d43756ece49188d89af9f773c496742d8d50e631fb441ca5866947437da16fb23327140bb2b5fb9b092d6c7d1ab5069a6b6804f57f31b0419

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        2c560d8af7e3caef423926e95e8f4554

        SHA1

        44425c978786dfcc6dbb7ba699136955d335edc9

        SHA256

        94d1e0ce6087af9ab91c40f1a42d82c54dbc77d7e49e9330ab10eceb848360a8

        SHA512

        cf43f00f061e50da5e3d4c67ded749717f8c64946da1e3a087183bc7855725f70e095c91d37a4c50b29b0fc5b65ced2e5dd291efd6bf1f7dd74092eee567e08c

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        15166e4154067ed195356aa7e728f122

        SHA1

        0dc5bb26812331192ce98dbb9a1c95dcb1e640c4

        SHA256

        eba4989d407f4bf940093712cb30478a0674cfc0c8aba54f45c8c3d7bf9da80b

        SHA512

        ad44325d990200bb178ab16416208d16eb4a9945770245c48babc74f14606dd0eb867750baf0ca90a6e39277383e99be60ea06149e4aa82b3c213468014d0467

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        08dd70337a2a7b0015e98d8acc41eb0d

        SHA1

        72ec33b9e998f0c65affc23ac971e671887f7a8a

        SHA256

        b2a005c408a999a36760d69ed4e88a0dee51ab0e6b61c95ca60a6ed784a1a2b0

        SHA512

        d0824bc22adec6a66f44ac844ce314f594cb24a423a13d9fa80468c2fb96b36935b94f96e3b453b0c04e0749caaa6464cee1cbe2fdd22f2521ade338f20dee5b

      • C:\Users\Admin\AppData\Roaming\logs.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\Svchost.exe
        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

      • memory/1460-1017-0x0000000024070000-0x00000000240D0000-memory.dmp
        Filesize

        384KB

      • memory/1460-17-0x0000000001040000-0x0000000001041000-memory.dmp
        Filesize

        4KB

      • memory/1460-16-0x0000000000D80000-0x0000000000D81000-memory.dmp
        Filesize

        4KB

      • memory/1460-77-0x0000000024070000-0x00000000240D0000-memory.dmp
        Filesize

        384KB

      • memory/2480-6-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2480-13-0x0000000024010000-0x0000000024070000-memory.dmp
        Filesize

        384KB

      • memory/2480-72-0x0000000024070000-0x00000000240D0000-memory.dmp
        Filesize

        384KB

      • memory/2480-15-0x0000000024070000-0x00000000240D0000-memory.dmp
        Filesize

        384KB

      • memory/2480-4-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2480-3-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2480-148-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/2480-7-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

      • memory/3300-149-0x0000000024130000-0x0000000024190000-memory.dmp
        Filesize

        384KB

      • memory/3300-1453-0x0000000024130000-0x0000000024190000-memory.dmp
        Filesize

        384KB

      • memory/4532-1-0x00000000747D0000-0x0000000074D81000-memory.dmp
        Filesize

        5.7MB

      • memory/4532-0-0x00000000747D2000-0x00000000747D3000-memory.dmp
        Filesize

        4KB

      • memory/4532-2-0x00000000747D0000-0x0000000074D81000-memory.dmp
        Filesize

        5.7MB

      • memory/4532-8-0x00000000747D0000-0x0000000074D81000-memory.dmp
        Filesize

        5.7MB
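The memory-dump names above carry more structure than the flat list suggests: each encodes the PID, a sequence number and the virtual address range, so they can be correlated across processes without opening a single dump. The script below is an added example (not part of the sandbox report) that parses a subset of those names, recomputes the sizes the report prints, and lists regions that appear at the same base and size in more than one process. The naming convention is an assumption read off the entries themselves. In this report the 384KB region at 0x24070000 shows up both in the hollowed vbc.exe (PID 2480) and in the explorer.exe it started (PID 1460), which is consistent with the same payload being mapped into the configured injection target and is the pair of dumps to diff first.

```python
"""Correlate sandbox memory-dump names across processes.

Added example, not part of the sandbox report. DUMPS is a subset transcribed
from the report's memory/<pid>-<seq>-<start>-<end>-memory.dmp entries; that
naming convention is an assumption read off the entries.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

DUMPS = [
    "memory/1460-1017-0x0000000024070000-0x00000000240D0000-memory.dmp",
    "memory/1460-17-0x0000000001040000-0x0000000001041000-memory.dmp",
    "memory/1460-77-0x0000000024070000-0x00000000240D0000-memory.dmp",
    "memory/2480-6-0x0000000000400000-0x000000000044E000-memory.dmp",
    "memory/2480-13-0x0000000024010000-0x0000000024070000-memory.dmp",
    "memory/2480-15-0x0000000024070000-0x00000000240D0000-memory.dmp",
    "memory/2480-148-0x0000000000400000-0x000000000044E000-memory.dmp",
    "memory/3300-149-0x0000000024130000-0x0000000024190000-memory.dmp",
    "memory/4532-1-0x00000000747D0000-0x0000000074D81000-memory.dmp",
    "memory/4532-0-0x00000000747D2000-0x00000000747D3000-memory.dmp",
]


def parse_dump(name: str) -> dict:
    """Split one dump name into pid, sequence number, address range and size."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Same rounding the report uses: whole KB below 1 MB, one decimal above."""
    return f"{n // 1024}KB" if n < 1024 * 1024 else f"{n / (1024 * 1024):.1f}MB"


def shared_regions(names) -> dict[tuple[int, int], set[int]]:
    """(start, end) -> PIDs, keeping only ranges seen in more than one process.
    Identical base and size in two processes is the first thing to diff when
    the config names an injection target."""
    by_region = defaultdict(set)
    for d in map(parse_dump, names):
        by_region[(d["start"], d["end"])].add(d["pid"])
    return {r: pids for r, pids in by_region.items() if len(pids) > 1}


def summarize(names) -> list[tuple[int, int, str, str]]:
    """(pid, seq, range, size) rows sorted by pid then sequence number."""
    rows = [(d["pid"], d["seq"], f"0x{d['start']:X}-0x{d['end']:X}", human_size(d["size"]))
            for d in map(parse_dump, names)]
    return sorted(rows)


if __name__ == "__main__":
    for row in summarize(DUMPS):
        print(*row)
    for (start, end), pids in shared_regions(DUMPS).items():
        print(f"shared 0x{start:X}-0x{end:X} in PIDs {sorted(pids)}")
```

The region at 0x400000 in PID 2480 was dumped several times (sequence 3, 4, 6, 7 and 148 in the full list); when comparing snapshots, the sequence number is the only ordering the names give you, so keep it in the summary.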