Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-07-2024 09:17

General

  • Target

    66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe

  • Size

    288KB

  • MD5

    66faf8e2375b44fd77895c5f0fad3873

  • SHA1

    42fc8b321ef7df3722ac23aa46c63a2132670ad7

  • SHA256

    b685bdd04753aa7ae2596497896c6d3bfd0314e81f6d03ab1fa189af0acd2397

  • SHA512

    8d2bc46b56d995628e1e6036574686d0a90064698f38dde4600537e59d29d518c734463c73ca1af2b10806839c0c206933ef0b308bdc1d65ac7640d35685f629

  • SSDEEP

    6144:S+s2FguwbkEvZ9+ZiKE4ZnNfqe42bzDtLFMI1fA4WMdE:e2gWEsnNe2bzL1pm

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

sequence.no-ip.biz:100

Mutex

T67OKP4PD7XRO1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    winlogin

  • install_file

    winlogin.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    tommerup

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate (also detected as Rebhip) is a remote access trojan sold as a "remote administration tool"; it offers a wide array of functionality including keylogging, which the extracted config above enables.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:2596
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          3⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2668
          • C:\Windows\SysWOW64\winlogin\winlogin.exe
            "C:\Windows\system32\winlogin\winlogin.exe"
            4⤵
            • Executes dropped EXE
            PID:2456
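The process tree and signatures above describe one chain: the dropper starts the signed .NET compiler vbc.exe with no source to compile and replaces its image (SetThreadContext / WriteProcessMemory), the hollowed compiler writes the Run and Active Setup autostart entries and drops winlogin.exe, and the config names sequence.no-ip.biz:100 as C2. One caveat the tree itself shows: the command line says C:\Windows\system32\winlogin\winlogin.exe but the file lands in C:\Windows\SysWOW64\winlogin\, because a 32-bit process on x64 is subject to WOW64 file system redirection, so a hunt for the install path must cover both directories. The Python below is an added example written for this page, not code from the sandbox or from CyberGate: it encodes that chain as hunting logic over constructed Sysmon-style events (event 1 process creation, 13 registry value set, 22 DNS query). The events, the Active Setup component GUID, the SID in the Run key path, csc.exe as a second hollowing host and the benign-parent list are all assumptions.

```python
"""Hunting logic for the CyberGate chain in this report, run over constructed
Sysmon-style events. Added example for this page; not sandbox or CyberGate code."""
import ntpath
import re
from typing import Dict, List

# Indicators taken from the report above (config and process tree).
C2_HOST = "sequence.no-ip.biz"
INSTALL_DIR = "winlogin"
INSTALL_FILE = "winlogin.exe"

# Signed .NET compilers used as hollowing hosts. vbc.exe is what this run used;
# csc.exe is added as its sibling (assumption, not observed in this report).
HOLLOW_HOSTS = {"vbc.exe", "csc.exe"}
# Parents that legitimately launch a compiler (assumption: tune per environment).
BENIGN_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe", "aspnet_compiler.exe"}

# Autostart locations behind T1547.001 (Run keys) and T1547.014 (Active Setup StubPath).
AUTOSTART_RE = re.compile(
    r"\\(CurrentVersion\\Run(Once)?\\[^\\]+|Active Setup\\Installed Components\\[^\\]+\\StubPath)$",
    re.IGNORECASE,
)
# The config installs to winlogin\winlogin.exe under System32; a 32-bit dropper on
# x64 is redirected to SysWOW64 (as the process tree shows), so match both spellings.
INSTALL_RE = re.compile(
    r"^[a-z]:\\windows\\(system32|syswow64)\\" + re.escape(INSTALL_DIR)
    + r"\\" + re.escape(INSTALL_FILE) + r"$",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _has_arguments(image: str, cmdline: str) -> bool:
    """True when the command line carries anything beyond the image path itself."""
    return cmdline.strip().strip('"').strip().lower() != image.lower()


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one alert per matching event; an empty list means nothing matched."""
    alerts: List[Dict] = []
    for ev in events:
        if ev["event"] == 1:  # process creation
            image = ev["image"]
            # A compiler started with no source or response file, and not by a build
            # tool, is the hollowing pattern in the process tree above.
            if (_basename(image) in HOLLOW_HOSTS
                    and not _has_arguments(image, ev["cmdline"])
                    and _basename(ev.get("parent_image", "")) not in BENIGN_COMPILER_PARENTS):
                alerts.append({"rule": "compiler_without_source", "pid": ev["pid"], "evidence": image})
            if INSTALL_RE.match(image):
                alerts.append({"rule": "cybergate_install_path", "pid": ev["pid"], "evidence": image})
        elif ev["event"] == 13:  # registry value set
            if AUTOSTART_RE.search(ev["target"]) and INSTALL_FILE in ev["details"].lower():
                alerts.append({"rule": "autostart_to_install_file", "pid": ev["pid"], "evidence": ev["target"]})
        elif ev["event"] == 22:  # DNS query
            if ev["query"].lower().rstrip(".") == C2_HOST:
                alerts.append({"rule": "c2_dns_lookup", "pid": ev["pid"], "evidence": ev["query"]})
    return alerts


VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe"

# Constructed sample events mirroring the process tree above, plus two benign decoys
# (a compiler launched by devenv.exe and an unrelated Run value). The Run value name
# "HKCU" comes from regkey_hkcu in the config; the SID and the Active Setup GUID are
# placeholders.
SAMPLE_EVENTS = [
    {"event": 1, "pid": 2884, "parent_image": r"C:\Windows\explorer.exe", "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"event": 1, "pid": 2752, "parent_image": DROPPER, "image": VBC, "cmdline": VBC},
    {"event": 1, "pid": 2596, "parent_image": VBC, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"event": 1, "pid": 2668, "parent_image": VBC, "image": VBC, "cmdline": f'"{VBC}"'},
    {"event": 1, "pid": 2456, "parent_image": VBC, "image": r"C:\Windows\SysWOW64\winlogin\winlogin.exe",
     "cmdline": r'"C:\Windows\system32\winlogin\winlogin.exe"'},
    {"event": 1, "pid": 3001, "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "image": VBC, "cmdline": VBC},
    {"event": 13, "pid": 2752, "target": r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001\Software\Microsoft\Windows\CurrentVersion\Run\HKCU",
     "details": r"C:\Windows\system32\winlogin\winlogin.exe"},
    {"event": 13, "pid": 2752, "target": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath",
     "details": r"C:\Windows\system32\winlogin\winlogin.exe"},
    {"event": 13, "pid": 1500, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"event": 22, "pid": 2456, "query": "sequence.no-ip.biz"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample events, hunt() returns six alerts: the two hollowed vbc.exe instances (PIDs 2752 and 2668), the winlogin.exe launch from the redirected install path, the two autostart values that point at winlogin.exe, and the C2 lookup; the devenv-spawned compiler and the SecurityHealth Run value produce nothing. The compiler rule deliberately keys on the absence of arguments rather than on the parent alone, because the second vbc.exe here is spawned by the first one, so a parent-only rule would miss it.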

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Execution
      • Scripting (1): T1064

    Persistence
      • Boot or Logon Autostart Execution (2): T1547
        • Registry Run Keys / Startup Folder (1): T1547.001
        • Active Setup (1): T1547.014

    Privilege Escalation
      • Boot or Logon Autostart Execution (2): T1547
        • Registry Run Keys / Startup Folder (1): T1547.001
        • Active Setup (1): T1547.014

    Defense Evasion
      • Modify Registry (2): T1112
      • Scripting (1): T1064

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
      Filesize

      224KB

      MD5

      efc16116272c74d95b1fa54f2e7b4516

      SHA1

      9f783f505bca4adfbe9d4fde95535a0b3e1cf107

      SHA256

      212c1c6962bfe12d6c3271cfdb213d92663a3dd009675b29cf752799481b6aa1

      SHA512

      7a063bc5d2185621bfb75ca5bc7be2bcc2b48d8ba44047c05994ae79c95804184ea4f9fb017027a0c455085a22901db57c8c33f0114de8f8ffca797ba5828928

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      9a633f61751a5aa3ec893e1aa0720640

      SHA1

      a3e495076e93150afbc6e01e653b9c1fcd97255c

      SHA256

      eb0d435d268969b5528fddeba3a4b0d265e19b2902877d842c89732f81729539

      SHA512

      0b7736d900f42dd030ba002d78023b4bde0fb6bc209ec2ca05d543d67411fd1b5e6dda26ac241c98f74333a2187ee7bd710450e1cc528deefaddea3cc943e904

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      40b1bcc66ba99b46da7419b5429604d6

      SHA1

      2303acbe25d12a7c9fd7d3aee290bce1827f782b

      SHA256

      05dd6f41ae3ea0a2fd7d2a7d14de0b0205d447ae6475b10f7d55b5ac977f301c

      SHA512

      247e235b4aa0490ee1fc7f6db17a140494a3cd298342be72a9b1806c76ad783205d8807d1da86f01e5e246afe379567c35db6f871d50b16f96ed2f8d12dea79f

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      6ff4144e3e9d5278d4e8e237334060e4

      SHA1

      24ce55526245bc4037a2a1c9d8bb4ae8ea23e4fc

      SHA256

      4403a89e95341070d5c3a6f30fe9729fb89df48e745dba5ed7e67d1dd8e413c8

      SHA512

      7844d7c0720b51dd34c184f409c199581f9d2f6cd1910ec0a9e6e146779d81308687d20930355add5bb394c46a0d335338b75d46908e36b245f785aa9d030008

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      b838a813ed6db0b843cd8dc219620131

      SHA1

      9c3064cfcffaa1939f80bca2104aad72e281273d

      SHA256

      6425481479ca0ee668558d54975bfa252f57c7b8cdb31b2a5a4a09dfb4ce13ed

      SHA512

      a1358f74e7ae3c35e8c5ad61592b146189d33830ba9722a5becddb842c9f192193f93fe83d6b0106414dcc29481432a0c9add18efdd505dab5963141406cee5b

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      b01300a895b4c7663bd82389a956ee62

      SHA1

      575ee65ee3061d62d2781041a91cf2d623be1bf1

      SHA256

      8610b8dc954d43b5e48d171b87f66c7601f449766733c5f7fff2885cdd7133dd

      SHA512

      c0d7369fbb5db4f09cbdef3581d154acbc319bea3d0d41df2dc7f938af68e9b542145a00c02b9e8bf4bbb38af9610d85ecd8c5abe161916e6fbecdeb41679230

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      150cbdaa1d6f804a06f25e39cf21ebc9

      SHA1

      167d20a9eb35edc9004673cb14cd0d8860a5fd94

      SHA256

      6c669413653d9c8ed4ba88155d2e3939189ebbf2cd22ec70a898ef301ab12ccf

      SHA512

      7609bd61a981d47076a0123865afc595635a0282a951f31ec22a8d00c869fd5c98e82dcbcd2a3e7460453ce4ef4fe43aa326c31e888b0dbafeec44781da9a11a

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      fa34dd0e05b9140ec9674d7c376950dd

      SHA1

      c9dacec0edb03e7dad8158f144d749ee44a29bf5

      SHA256

      9f26b54f72e14bfebff24ceb40d1f1a1496bbaab951365f459b1044254c22609

      SHA512

      2c40458c96f9bb5e3fcc1dab3019ad62cf25fbb4fa68574db499fd6cace2245920ac41a081142202c5b191cfc937bb6eef54637bd9dbd6daa31c27e623edcb89

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      419f53578fbead61cbaca2a2d838ab33

      SHA1

      cef5f9aa4ab8493c92c9434a45a6b061b776d6fe

      SHA256

      799bda8fa187f3042fc0e201af5b95bb96fef576adb4d58664cfbfbe91225a08

      SHA512

      6a5df2d75a7125bb372cfdb2faee8209e5cb31832927ed6d2ddbab6a6847b86ea025ffe3b7610c84d675fc0c7d2e78e8008dc1ed186f03774fcfac12a8d23e21

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      3a2e39a6dd4154274b418fa168d86d81

      SHA1

      298cbabb72a263d9b2e6360a919fe3626a376a41

      SHA256

      a78cd220f5d2edce76698b57fc13e034661fb70d91c65fee0a764b33fc013e24

      SHA512

      c9bd82f57037b047b650d900d0e4ac527ebf66259e0c75469e7558cff32beee76be9f25ba199aa9df4e522def24387d52422738a6a280240f24707fbdfc8f338

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      cdf69d6d2ed42dd985c6e3cd3d17f902

      SHA1

      cb55213f229f411051d1fbdde2cbf8428b55e300

      SHA256

      173d8c2b776b01446a87edd00fd79850570ca300a4e8134028f9823b636b7477

      SHA512

      a0692ad3f23fa30387c47c6180377a9e27d5b7957862263158d78afd5d15c32383a4399baad9cd4944107fb3148573ef8b3a58c8a5e52b8a46b2334807102afc

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      849894f33c3700323159af80a6240514

      SHA1

      6f6e89e7d9151c6d0a8e27d4eb1fd8e074bad34b

      SHA256

      2744daa3cef465564c51aa9b0db7dfbe677efa83e112e55c5bc4c138bf5ff646

      SHA512

      498b6eff5ff2ca39c58f4fc0d6358c69738c08a7c1482d9600e471518025f4795868415f66509fd1fc4b189b43a6cf3aebf5c4fe1acc22dd585a50ad68fd0e3b

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      ea686625310033538bb428094f9a53c0

      SHA1

      c578796af3156cef6cfdd8f51f2fcf4a8fc9e0d5

      SHA256

      107bd67c640387d060f9f33896f389ab2216aad880ad391aaed0ff289241f3b0

      SHA512

      1db8b6ce9ae96660e431a3fc417b7cc376db5589648d32328fe07fc0a1e8fb27d162ff6df65a8c3f03f0f0827eb6bf48d6728cbf6d948a2fd365e4f36325d7fd

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      b6fbe0244fdde9f8ac49fbce935a01b5

      SHA1

      c7bfda933124941d0e67c63e16fa52dacfcdca0c

      SHA256

      ca4c211162a560e3060f1567b8fa9308a2f57c4054ff6327919c3f85df9715fe

      SHA512

      cefa8baf1e5610e7009f0245f9c3d5f364820c1210465a77f90637dffbfcdf77610f96fe30c917ce82c6784b1dabae3e691835964acf1059c68c3332afdbaeb5

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      271027e94b8794a40a62591b9424bf02

      SHA1

      bc5ca0cdc52c1b178aa044b9753697dd9777ee7c

      SHA256

      38fc881825c1dcb7078d086350e817c9d50412d27dffe67f758eb3c365a73b9f

      SHA512

      5d0cec9eb7a261e314c4611307f5fcf9340bf12a78d961155eedd75d3161b6e777488d50fb5092cb8bd47d410a573cc57a2cda642262c14d643531046e715b8c

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      9947a32e1a634939b04a832b9f50030d

      SHA1

      04304b097434d29d4aeed16b4a39649b32ad4ff5

      SHA256

      2eaac5d4ff6fd507acb04f18f5ed1181878975d4501cdcf380ac4f040e08b83f

      SHA512

      3351496355aa8b3eca6b97d5523888cd104d7e032d93572f624f92f6148c5fada0ec8635ca55028ab6cf97f02980522579683b61f7c3f48025d853a48bb0996c

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      d4e7bf80a251911e4dbd9cb6a3df4f41

      SHA1

      1c640a2da865fec458cf9a407512031d1c1370a5

      SHA256

      d2c9c172a02ba85fa6efdb61eda04a5140c9168fcb54cb73f759819f06898c53

      SHA512

      f1a0fcb89818440ebcca87a85f353e02fcd4a7087830b5b357985e60ca087bd79243459bfe63a0a8403df7c459903a9ed1cf7b20876e97d683a0907e70e7cae9

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      f350f0f8b29a0fd2eb4c6b703aeefd80

      SHA1

      fce52193fb12cba1e255d899485e7cd8da0cf271

      SHA256

      17f262d38844cc097920ee9dbc4610b71f0b9d8d70d0ef9574872b302cc317ba

      SHA512

      50f9c450b7e6f999138b57be9ba749a6cb1f2868f7f28eae1728f3433cddd9970d3c3b9c0e589403fc4f6c6433060fdb7461cc889f2ac11630a771c1addddb66

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      cdccdcd3ac4f0db57c2f54835e978ed6

      SHA1

      b90c42b788594951a9f92dac852699d7305cd793

      SHA256

      56c486d59795bbe86c2e158c188972254dd53fee694bd7ef3f5aa4d1e51ba01b

      SHA512

      2491f016f41e5e05fa6d44ade9c14c445ef1c7f74ad03c6a8f73d1c1af6f0aca7339f9ba3c19376c3894d18c4c79622fa32ffab82c6648fb738b14698121d8ce

    • C:\Users\Admin\AppData\Roaming\Adminlog.dat
      Filesize

      15B

      MD5

      bf3dba41023802cf6d3f8c5fd683a0c7

      SHA1

      466530987a347b68ef28faad238d7b50db8656a5

      SHA256

      4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

      SHA512

      fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

    • C:\Windows\SysWOW64\winlogin\winlogin.exe
      Filesize

      1.1MB

      MD5

      34aa912defa18c2c129f1e09d75c1d7e

      SHA1

      9c3046324657505a30ecd9b1fdb46c05bde7d470

      SHA256

      6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

      SHA512

      d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    • memory/2668-33-0x00000000001C0000-0x00000000001C1000-memory.dmp
      Filesize

      4KB

    • memory/2668-39-0x00000000001E0000-0x00000000001E1000-memory.dmp
      Filesize

      4KB

    • memory/2668-44-0x0000000000360000-0x0000000000361000-memory.dmp
      Filesize

      4KB

    • memory/2668-89-0x0000000000400000-0x000000000051E000-memory.dmp
      Filesize

      1.1MB

    • memory/2752-10-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-12-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-32-0x0000000010480000-0x00000000104E5000-memory.dmp
      Filesize

      404KB

    • memory/2752-28-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

    • memory/2752-3-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-23-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-24-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-5-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-7-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-14-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-11-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-328-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

    • memory/2752-17-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-21-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-22-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-20-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2752-18-0x0000000000400000-0x0000000000455000-memory.dmp
      Filesize

      340KB

    • memory/2884-0-0x0000000074D61000-0x0000000074D62000-memory.dmp
      Filesize

      4KB

    • memory/2884-25-0x0000000074D60000-0x000000007530B000-memory.dmp
      Filesize

      5.7MB

    • memory/2884-2-0x0000000074D60000-0x000000007530B000-memory.dmp
      Filesize

      5.7MB

    • memory/2884-1-0x0000000074D60000-0x000000007530B000-memory.dmp
      Filesize

      5.7MB