Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-07-2024 22:09

General

  • Target

    6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    6cfa6163ab015c7716ba8bcc7017ca91

  • SHA1

    6a48aa87c6cda963efb6a9d7bb386b7931ec2543

  • SHA256

    a76fba3723f7ca56efbf3955854243ebc2a05e277726cdb96a727ef0822bae63

  • SHA512

    38207df6143f0524412761942b4926aedc4a433bbdf02fec82b02d7ca1e811465974c9f745401e961f442f4a32f0ad4f50c8fb81f449e280226f4e4ed7236b4f

  • SSDEEP

    24576:PwU/UwhWZH4KJsbh/Kc7KeZH8GnBDT4XZpSRSJo2xJiEUb/OoJFUde:PZU8WZHLJs758GBfKgSesix/OoJqY

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

Cyber

C2

trollfacelol.no-ip.biz:1604

Mutex

GG436Q435DF3BF

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • ftp_password

    hejsan1q

  • ftp_port

    1604

  • ftp_server

    ftp.drivehq.com

  • ftp_username

    falken208

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    Successfully loaded! You can now cheat everywhere! Dont forget to always start the undetecter before starting Bunnyflop.exe or you may be banned! Happy hacking!

  • message_box_title

    Successfully undetected

  • password

    qwerty

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (4 IoCs)
  • UPX packed file (8 IoCs)

    Detects executables packed with UPX or a modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Users\Admin\AppData\Roaming\7za.exe
        "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2348
    • C:\Users\Admin\AppData\Roaming\Server.exe
      C:\Users\Admin\AppData\Roaming\Server.exe
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:2272
        • C:\Users\Admin\AppData\Roaming\Server.exe
          "C:\Users\Admin\AppData\Roaming\Server.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2904
          • C:\Windows\SysWOW64\WinDir\server.exe
            "C:\Windows\system32\WinDir\server.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2448
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 228
              5⤵
              • Program crash
              PID:3644
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2448 -ip 2448
      1⤵
        PID:5080

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • T1547 Boot or Logon Autostart Execution (3)
      • T1547.001 Registry Run Keys / Startup Folder (2)
      • T1547.014 Active Setup (1)
  • Privilege Escalation
    • T1547 Boot or Logon Autostart Execution (3)
      • T1547.001 Registry Run Keys / Startup Folder (2)
      • T1547.014 Active Setup (1)
  • Defense Evasion
    • T1112 Modify Registry (3)
  • Discovery
    • T1012 Query Registry (1)
    • T1082 System Information Discovery (2)
    • T1614 System Location Discovery (1)
      • T1614.001 System Language Discovery (1)

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        Filesize

        558KB

        MD5

        e3f31fe5eca07ec9ac1b76f5690583e2

        SHA1

        72c45c5377ca38ab978f7969eb9619d5b41176f5

        SHA256

        64a956320b0bc4462dcdeeb326a151f3d1ba9f1f88b91db0c9df84d6f690d896

        SHA512

        0091cdfaf07f19808e6991d8494d4548027c7852e620aeb4af2f9ec69b60e15e3969eae9dee1a6236ceaa5b518bbf353bd9fbb17a5c3fe1158f11bb00204d373

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        219KB

        MD5

        9aa5ee67a5bd087e97dfa33ef6b43eb6

        SHA1

        24bb7733caeac3e295849a7f04b24ad148769d53

        SHA256

        2bd8f39d14f17cdb6f318e3b1a3fe261a159a11591ff68876eaf11bd25bac5a7

        SHA512

        fae4d7ccf3cf2bd0b314b7ccc75fefc37ba1cd62c762d2d6398e5cfdc4806d0ca0f86f61eb8d2eccf8d479d8e43ccc291ee9dc8d8d5e8fcf86b7178f5074c946

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        7f88ac45f28613914a9f2c2e457ae878

        SHA1

        33dd7ba3f663c97d0b8c5db7db3181b9c5673e76

        SHA256

        1b0e2e07f62e3f92d8c569ed366368ede72209a143495bb9ce78ba5eacf676a2

        SHA512

        9203612e8e7dab70c25b08c849f8e057e2e10c872e0fcccdbd10a0a8722a139abbc6420b702059bc74ca7fc8a37c79771fcb0611f15c4bd8ab6b75fd5c8c57e0

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        75d7509f1e0cc715e80b7873ceec5888

        SHA1

        0cefdfe34832a6090bf6475f01a2ecf875455520

        SHA256

        86740633c5bf45d975343a2250498c2af95e8af1fe2e3b0487cc59edab2ff0f9

        SHA512

        bf16c13334274239262931ef9f689a19ccc083a9694674ef56f01312b0f607b31ca034c1afb13f0935868a53f16567c3361fe75561394cc5a26a8ad8f85a0c47

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        f58807ffb50ce6c9780f4c4a482d67bb

        SHA1

        f3f774272fead0fb24298dadd674df273cca7e2b

        SHA256

        7509a37a3d83850150d76197314326c8c0754b39987f2b3f8eb84e478a7c337c

        SHA512

        216d4dc2a3affb5dfb970e93991407a86d649f1e54e8315d50774faf75a44e50b9fd23c655919feeedd0ee1ca2ab26fdb194b5d17323722ab0a3f4c76b53d158

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        96bc1c24d516b31e17d82329a9de096e

        SHA1

        2f9cdf85050a683820b2b74cf2d253c1fe241c9b

        SHA256

        6ae8822ba0be486f7eb11705849293d6b33468694adc323d5169a2b1cfadc24f

        SHA512

        ef98cc0a635faf5bfd4ff885d54dd40e8a1ba4a63fd681ba24965d2a2167a63296214abb713bbeb66fb53cd318e3a49339f5b1811329d045053b83d5cd5907af

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        966825d176946023299e76fb5cff4b9e

        SHA1

        00d7a47596744d061f7a2c295a3250e197b4ffd4

        SHA256

        19d37cc4acb97e7cc98f68e044f4582b16783ced76e7baa1796081c14adf937b

        SHA512

        b8962288ff52ebaa1bc5e24cc1b2e8d669dfb9339638cd423fcc8004c7c5cb552c81aebc1bac1bf8377bbc00fdf672a17433591a00b2d9fa7d53a8eb21c6a123

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        2fd6d1624b5647dcc9148b36a4ffad97

        SHA1

        2c756dd35532d1f5a0b97834b1585edcd4862f2a

        SHA256

        eef26019d6d4eabec531a2229551b63b6eb4b7f27494689e95769e94b2f67d94

        SHA512

        c42fef88fc2c223108c78b42f7f500b7680349f0fe93bc3cf3d019762023ab48c90424aead43689b8f0d795dc8d7b1d8e3ce56020f4892d7844a15a34c6873d0

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        35bb294671004e5833272d8eac18a7f9

        SHA1

        fae7be769c0e4f95b28308cb653f5f5256568a32

        SHA256

        d2579d21528624bfcb638056a7b817625f471e63bc94bf86143c02030948fc69

        SHA512

        2d328d47ada3beeb4b15814d8a95ecad69210e952311895add7f0dc3d8a52c422cef3eb125f0c2ee7c0d59de6603ff924d6bc0522a034b05b35b2d6a64aec65d

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        dcbee7cd4ff8e8f7f810650d42069f16

        SHA1

        50481f0e0bf659849f1f87c342910ef5ea12ee8e

        SHA256

        73454e9434ad372f6cfaecdd767f32f10ec9433b64c68e7fe5287e06a2f38503

        SHA512

        ce796b21a737d7731ca18a8de7ead76fa152bcd00a467361beaac6dc9e0f70e02a5b9f028e33fd23db370f2c5ed8ef55206afa2bf16ea6a61d3a986f670812b9

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        6279087668580d62bbef1f383816235a

        SHA1

        6bb2d623bf654b548ca3802172cc7f294eb225c5

        SHA256

        895e84d727df7fc9a7cf78622fa83a6076b25c530f29c62464e7973ddaa35761

        SHA512

        f7696fcc87501d627fdbc3f6e4bc1fdb1dfb3aba09e9b1ce7a0a8226d6fe6c84bdea385444fafffea1edcbb36fd7e38ad653eb80f4c2626b38d71bd707bd9348

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        435c62a8517c51f6e8dd057a0e80de73

        SHA1

        8eb5746c624875f0da781ae1ae240f868aaed0c5

        SHA256

        6c3e836fec4120e42f65de07a5165c074cf735cf8894d7f590b7689abfb32fed

        SHA512

        cb140dc3088e45eacf63d4ff44aeabb4fb33f2ffe3fbaa487bec2b28861d2a2f3c23598f3b658fba9ffe58d83a221f39b70ac0287fbaeceff0a9918216f196aa

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        41d9a99c90261c0d30c3cbf5caa9e4ce

        SHA1

        44a1eed5d9bbcb5f7bf9081d1245ed9e5888703e

        SHA256

        4ede988873d463b308c6d52c57e19065a42be29050286461ecb0b7a858db234e

        SHA512

        5a203fe689617098b5474890ecba8517a94e955aec8b244522061e38b0c0f62f3fc7afa85704625d4c1ac350a192e0b421522ee9728732e6360a9f7628af9558

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        5f0c3676362633629f02b4b414a9e34b

        SHA1

        d07282875053047ae3c009aacdc7ee03c67437c1

        SHA256

        031e63096affebef908ca71d12f7875b75363c2e3dc21f1f7bc892c02fa33b0f

        SHA512

        4d920e64ec2ba41f90a5edd733c1a72ba344222fc476501c52f088e8cc5c5580d5fd97be00a794595a7f0fb36525b9eac571a63121e6bfbf21f70075acca31c5

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        9aa383aa01ce55662f506be0108a85e6

        SHA1

        a3d6023233d638749ff7179a48e554d8d4f492d8

        SHA256

        5bdc7d76aa2ee70fc9f08d46ddc32100fa2fa6d5bb69e1bcd8421afdf17660b3

        SHA512

        055f8760a11d5ddcb6de641ca1cf9604145b7f70c0b1d95da77293b5f95eb178496415ecddb00bbde85a64ef77978e9cffc2eee5424bb69ec7e9c707a89964fb

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        ba7923603d3ebee02a253dca149ecc02

        SHA1

        be9426cf6af4fc1a4d39beae5bdf99ccd83a94df

        SHA256

        a09be3863d8a812d8e29abb354c3d594805969a3fe816c5f839cfa472c97ebbf

        SHA512

        32328678db3c4ff9977460f163d8afb778d5334ae037d4e08bbe445bdb9ff75531f40ec1d60bbaf201d98b4ff7d7de46f36d1445e4d3269cf93b3dd41512faca

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        d755107ec7d3df6e3c6b3da8e862ac08

        SHA1

        b2bbf1b021b2da410dfd0d523297db6f5b0eb86c

        SHA256

        e980dd3c7e53a0f19c4b05fd16c882b3ba8104526ea9a7533f5285b4ec294811

        SHA512

        fa14bb02fc4f58fadcb9ee46ffd6d4393ff9f25eec9d66cac5a14f45d4705a5e4f1ca62c16c89510e0c52966b219b985fd4c8480d539023c6b0666b8717885c4

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        d11e04fc70ecaad8c32a1119bf3b091d

        SHA1

        54ef883d52e4d9b6dacc6e6e4ffabd84e55e948d

        SHA256

        484198319ecf16393c1277ca08efc582b431c7e27ab5663fc05967f4a43f88c4

        SHA512

        405a5f15d2772b32b69a70dd959f11ebf57d5efa707a0070d2fe640655baa7e4e66e4b17ab5b3e9078086b229ba6a9bc132a95cabbae4ca8a20a3a686aa3fb66

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        1d1ff834cbfdf182a0242ce3a3b8afcb

        SHA1

        6a25d5b18911044f9bc4ae8828fa6d039f7dd2d1

        SHA256

        681ed82925c2768f86596c74deddaaf55fdb4b960a362f27209213f43c475386

        SHA512

        4a378aed7f0ae968c76c5ce2579888629a9ef30980eb86f89ddf934b4e77beb0592dcdead19e99f7d809b56fb686a48671b2f05954e2d1f90fdce558a622bf5c

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        333525d4978783346d8f96b9c302ec13

        SHA1

        2519045d551c87442854aec57e1f84a39361d009

        SHA256

        4383c1be0211d113ce638fbe496dbac2d6cf0d2e0a5e0a50aced1019d96ec352

        SHA512

        ba5ceb912c31cbe2ee32bdf48c413678759d5773256955174a5b6038fe61db14e8067020e5593aadbaf0965980a70bbf95e8219ce4f5acad21d09954848b87aa

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        f0c5956ad51ced48f9a3bfec2fc19c3b

        SHA1

        afbc76b08f429c05710d65b1988c7503f95adc29

        SHA256

        a5ae99421314a477d8136cd953045a348b7c742597d6eb25124850c4ced424d6

        SHA512

        d61c33f4c59192d39176b3cb1f649d7414872406b02f6f78c0c8da33b479eea13f42ac01642f3989ce941bad02a1dd8fc539d70749273c3047349c3bcef7a87e

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        47ef7b6a240158c48a4d2bff1774ecef

        SHA1

        1d0e66da601ccf4345134b04fd7fffe56e71c594

        SHA256

        8b52c9e210fc4354c364a204b8fe400e64f97b1d6434e757687dae61cc14bdf1

        SHA512

        a4f38ab81f291ecf395b3b26be48c43c18b95b757fa0fe221816ce8a5b6d313a1bbd3b5ae99cd73f3e57ca627f833788f57e6e9f74d5d346341d8e8b13779b3c

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        b7c956a45bd42a6a8666aac60ce2812b

        SHA1

        c679886f139852935935e768b2796dcf9496edb2

        SHA256

        ce2f09b6bbd62443f3aa08b363c8ad0fa25e5824a32f0605b4c7c5d4b712d292

        SHA512

        f50ac1771c035d79ec2f309c2f7187242efb802ba8d7a81572ac5e6ca8d57f9ea20a053bc26445fb3bd001644f130e74466d2e3be8fae2237a0ae8b395dce228

      • C:\Users\Admin\AppData\Roaming\7za.exe
        Filesize

        574KB

        MD5

        42badc1d2f03a8b1e4875740d3d49336

        SHA1

        cee178da1fb05f99af7a3547093122893bd1eb46

        SHA256

        c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

        SHA512

        6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

      • C:\Users\Admin\AppData\Roaming\Server.7z
        Filesize

        237KB

        MD5

        ddd9d0d3cdda3902a869f6a84ac2eef9

        SHA1

        6f069bc0105017aabf6e678946ac5e6d7a752e41

        SHA256

        64086acbbb720217891d0cddc7b5b731dd51e2cb0aee4c4f46944469c176ca89

        SHA512

        83c2ab68c2e836098f3db12be3db46043a811823269e2eb1e1d5ac3519c0ec92727e8865e7b5e00068fb8a33c92ef71039a96bd2671009bf083da12e8238bbc1

      • C:\Users\Admin\AppData\Roaming\logs.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • memory/2448-110-0x0000000000400000-0x0000000000494000-memory.dmp
        Filesize

        592KB

      • memory/2448-108-0x0000000000400000-0x0000000000494000-memory.dmp
        Filesize

        592KB

      • memory/2904-23-0x0000000000600000-0x0000000000601000-memory.dmp
        Filesize

        4KB

      • memory/2904-27-0x0000000000400000-0x0000000000494000-memory.dmp
        Filesize

        592KB

      • memory/2904-22-0x00000000001E0000-0x00000000001E1000-memory.dmp
        Filesize

        4KB

      • memory/2904-85-0x0000000024070000-0x00000000240CF000-memory.dmp
        Filesize

        380KB

      • memory/2904-1208-0x0000000024070000-0x00000000240CF000-memory.dmp
        Filesize

        380KB

      • memory/4032-80-0x0000000024070000-0x00000000240CF000-memory.dmp
        Filesize

        380KB

      • memory/4032-14-0x0000000000400000-0x0000000000494000-memory.dmp
        Filesize

        592KB

      • memory/4032-17-0x0000000024010000-0x000000002406F000-memory.dmp
        Filesize

        380KB

      • memory/4032-18-0x0000000024010000-0x000000002406F000-memory.dmp
        Filesize

        380KB

      • memory/4032-21-0x0000000024070000-0x00000000240CF000-memory.dmp
        Filesize

        380KB

      • memory/4032-87-0x0000000000400000-0x0000000000494000-memory.dmp
        Filesize

        592KB

      • memory/5112-0-0x0000000000400000-0x0000000000528000-memory.dmp
        Filesize

        1.2MB

      • memory/5112-113-0x0000000000400000-0x0000000000528000-memory.dmp
        Filesize

        1.2MB