Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-07-2024 22:09

General

  • Target

    6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    6cfa6163ab015c7716ba8bcc7017ca91

  • SHA1

    6a48aa87c6cda963efb6a9d7bb386b7931ec2543

  • SHA256

    a76fba3723f7ca56efbf3955854243ebc2a05e277726cdb96a727ef0822bae63

  • SHA512

    38207df6143f0524412761942b4926aedc4a433bbdf02fec82b02d7ca1e811465974c9f745401e961f442f4a32f0ad4f50c8fb81f449e280226f4e4ed7236b4f

  • SSDEEP

    24576:PwU/UwhWZH4KJsbh/Kc7KeZH8GnBDT4XZpSRSJo2xJiEUb/OoJFUde:PZU8WZHLJs758GBfKgSesix/OoJqY

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

Cyber

C2

trollfacelol.no-ip.biz:1604

Mutex

GG436Q435DF3BF

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • ftp_password

    hejsan1q

  • ftp_port

    1604

  • ftp_server

    ftp.drivehq.com

  • ftp_username

    falken208

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    Successfully loaded! You can now cheat everywhere! Dont forget to always start the undetecter before starting Bunnyflop.exe or you may be banned! Happy hacking!

  • message_box_title

    Successfully undetected

  • password

    qwerty

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (6 IoCs)
  • UPX packed file (6 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Users\Admin\AppData\Roaming\7za.exe
        "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2340
    • C:\Users\Admin\AppData\Roaming\Server.exe
      C:\Users\Admin\AppData\Roaming\Server.exe
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:2808
        • C:\Users\Admin\AppData\Roaming\Server.exe
          "C:\Users\Admin\AppData\Roaming\Server.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2756
          • C:\Windows\SysWOW64\WinDir\server.exe
            "C:\Windows\system32\WinDir\server.exe"
            4⤵
            • Executes dropped EXE
            PID:2824

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 2
    Active Setup (T1547.014): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 2
    Active Setup (T1547.014): 1
  • Defense Evasion
    Modify Registry (T1112): 3
  • Discovery
    System Information Discovery (T1082): 1
    System Location Discovery (T1614): 1
    System Language Discovery (T1614.001): 1


    Downloads