Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-07-2024 09:17

General

  • Target

    66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe

  • Size

    288KB

  • MD5

    66faf8e2375b44fd77895c5f0fad3873

  • SHA1

    42fc8b321ef7df3722ac23aa46c63a2132670ad7

  • SHA256

    b685bdd04753aa7ae2596497896c6d3bfd0314e81f6d03ab1fa189af0acd2397

  • SHA512

    8d2bc46b56d995628e1e6036574686d0a90064698f38dde4600537e59d29d518c734463c73ca1af2b10806839c0c206933ef0b308bdc1d65ac7640d35685f629

  • SSDEEP

    6144:S+s2FguwbkEvZ9+ZiKE4ZnNfqe42bzDtLFMI1fA4WMdE:e2gWEsnNe2bzL1pm

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

sequence.no-ip.biz:100

Mutex

T67OKP4PD7XRO1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    winlogin

  • install_file

    winlogin.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    tommerup

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:724
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          3⤵
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:564
          • C:\Windows\SysWOW64\winlogin\winlogin.exe
            "C:\Windows\system32\winlogin\winlogin.exe"
            4⤵
            • Executes dropped EXE
            PID:804

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    • Execution
      • Scripting: T1064 (1)
    • Persistence
      • Boot or Logon Autostart Execution: T1547 (2)
        • Registry Run Keys / Startup Folder: T1547.001 (1)
        • Active Setup: T1547.014 (1)
    • Privilege Escalation
      • Boot or Logon Autostart Execution: T1547 (2)
        • Registry Run Keys / Startup Folder: T1547.001 (1)
        • Active Setup: T1547.014 (1)
    • Defense Evasion
      • Modify Registry: T1112 (2)
      • Scripting: T1064 (1)

    Downloads

    • memory/564-20-0x0000000000400000-0x000000000051F000-memory.dmp (1.1MB)
    • memory/564-17-0x00000000001F0000-0x00000000001F1000-memory.dmp (4KB)
    • memory/564-18-0x0000000000690000-0x0000000000691000-memory.dmp (4KB)
    • memory/2028-0-0x0000000074672000-0x0000000074673000-memory.dmp (4KB)
    • memory/2028-1-0x0000000074670000-0x0000000074C21000-memory.dmp (5.7MB)
    • memory/2028-9-0x0000000074670000-0x0000000074C21000-memory.dmp (5.7MB)
    • memory/3616-7-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
    • memory/3616-6-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
    • memory/3616-80-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
    • memory/3616-4-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
    • memory/3616-12-0x0000000010410000-0x0000000010475000-memory.dmp (404KB)
    • memory/3616-13-0x0000000010410000-0x0000000010475000-memory.dmp (404KB)
    • memory/3616-3-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
    • memory/3616-2-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
    • memory/3616-16-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)