Analysis
max time kernel: 138s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-07-2024 12:54
Static task: static1
Behavioral task: behavioral1
Sample: 67acd7f3dc47920609a860f51fa80585_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 67acd7f3dc47920609a860f51fa80585_JaffaCakes118.exe
Size: 872KB
MD5: 67acd7f3dc47920609a860f51fa80585
SHA1: 09cafd23dc43a8aad33d8bec70da9243736e9d26
SHA256: f26c5e1fe485d48ad0a7de4e9598c2678cb633524208b315a7ba6d10334db01d
SHA512: ff2d7c98443f0a7b2564e5f0488be3b796fe1d16fff4f2b31f0f59b8f5f8ea005cfde5018a9168abddc1c7989945c1230b49bf7db70146e6f98b855aff37d56a
SSDEEP: 12288:m2MmhmeUF8mpUY0Dxrg69wje84BbxS4PTaPoPQRzC9tVaiu6Ynw+jDGddSK2bpQh:mNM9iEfo2dwwiG/v40YS
Malware Config
Extracted
cybergate
v1.07.5
Cyber
mrfishy.zapto.org:82
B64RW1O333VTF2
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: WinDir
install_file: sys32.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
Signatures
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description: PID 2592 set thread context of 4672; pid: 2592; process: 67acd7f3dc47920609a860f51fa80585_JaffaCakes118.exe; target process: svchost.exe
  description: PID 2592 set thread context of 3972; pid: 2592; process: 67acd7f3dc47920609a860f51fa80585_JaffaCakes118.exe; target process: svchost.exe
  description: PID 2592 set thread context of 2648; pid: 2592; process: 67acd7f3dc47920609a860f51fa80585_JaffaCakes118.exe; target process: svchost.exe
Program crash (3 IoCs)
Processes:
  pid: 1564; pid_target: 2648; process: WerFault.exe; target process: svchost.exe
  pid: 4528; pid_target: 4672; process: WerFault.exe; target process: svchost.exe
  pid: 3476; pid_target: 3972; process: WerFault.exe; target process: svchost.exe
Suspicious use of WriteProcessMemory (39 IoCs)
Processes:
Processes
[1] C:\Users\Admin\AppData\Local\Temp\67acd7f3dc47920609a860f51fa80585_JaffaCakes118.exe
    command: "C:\Users\Admin\AppData\Local\Temp\67acd7f3dc47920609a860f51fa80585_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\svchost.exe
      command: C:\Windows\system32\svchost.exe
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 204
        - Program crash
  [2] C:\Windows\SysWOW64\svchost.exe
      command: C:\Windows\system32\svchost.exe
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 204
        - Program crash
  [2] C:\Windows\SysWOW64\svchost.exe
      command: C:\Windows\system32\svchost.exe
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 204
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3972 -ip 3972
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4672 -ip 4672
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2648 -ip 2648
Network
MITRE ATT&CK Matrix
Downloads
memory/2592-0-0x0000000074C22000-0x0000000074C23000-memory.dmp (filesize: 4KB)
memory/2592-1-0x0000000074C20000-0x00000000751D1000-memory.dmp (filesize: 5.7MB)
memory/2592-2-0x0000000074C20000-0x00000000751D1000-memory.dmp (filesize: 5.7MB)
memory/2592-7-0x0000000074C20000-0x00000000751D1000-memory.dmp (filesize: 5.7MB)
memory/4672-3-0x0000000000400000-0x0000000000451000-memory.dmp (filesize: 324KB)
memory/4672-5-0x0000000000400000-0x0000000000451000-memory.dmp (filesize: 324KB)