Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    23-07-2024 12:54

General

  • Target

    67acd7f3dc47920609a860f51fa80585_JaffaCakes118.exe

  • Size

    872KB

  • MD5

    67acd7f3dc47920609a860f51fa80585

  • SHA1

    09cafd23dc43a8aad33d8bec70da9243736e9d26

  • SHA256

    f26c5e1fe485d48ad0a7de4e9598c2678cb633524208b315a7ba6d10334db01d

  • SHA512

    ff2d7c98443f0a7b2564e5f0488be3b796fe1d16fff4f2b31f0f59b8f5f8ea005cfde5018a9168abddc1c7989945c1230b49bf7db70146e6f98b855aff37d56a

  • SSDEEP

    12288:m2MmhmeUF8mpUY0Dxrg69wje84BbxS4PTaPoPQRzC9tVaiu6Ynw+jDGddSK2bpQh:mNM9iEfo2dwwiG/v40YS

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

mrfishy.zapto.org:82

Mutex

B64RW1O333VTF2

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    sys32.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67acd7f3dc47920609a860f51fa80585_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\67acd7f3dc47920609a860f51fa80585_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 52
        3⤵
        • Program crash
        PID:2768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2508-0-0x0000000074001000-0x0000000074002000-memory.dmp
    Filesize

    4KB

  • memory/2508-1-0x0000000074000000-0x00000000745AB000-memory.dmp
    Filesize

    5.7MB

  • memory/2508-2-0x0000000074000000-0x00000000745AB000-memory.dmp
    Filesize

    5.7MB

  • memory/2508-4-0x0000000074000000-0x00000000745AB000-memory.dmp
    Filesize

    5.7MB

  • memory/2756-3-0x0000000000400000-0x0000000000451000-memory.dmp
    Filesize

    324KB

  • memory/2756-5-0x0000000000400000-0x0000000000451000-memory.dmp
    Filesize

    324KB