Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-07-2024 01:41

General

  • Target

    69c80f46768f499acf221361564493b0_JaffaCakes118.exe

  • Size

    518KB

  • MD5

    69c80f46768f499acf221361564493b0

  • SHA1

    201f1823b6f876f4d6ef821d82111db11864f188

  • SHA256

    e102e23226e5f0a582eabae99bbc62eb10e9f419ca9e398b2a83ada385d85679

  • SHA512

    ee74f920766fc2dcf1ff7ff05166217af8201678830eb52aaf884d13d8133669dc86f867930fe237a9e2737ebdcdd92352f11543e421ccb009c7e1eaaf60f32b

  • SSDEEP

    12288:YYesk0wZpO69lHyIiSxPmBUgDFrikROUo6NobRIE6LoCu5gVKvXpvq:YQ/w/O5S0BRDNw15gMv

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

drivebyjava.No-ip.biz:100

Mutex

71677562W4B0UI

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • UPX packed file (2 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\69c80f46768f499acf221361564493b0_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\69c80f46768f499acf221361564493b0_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1624
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:1480
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:1184
              • C:\Windows\SysWOW64\WinDir\Svchost.exe
                "C:\Windows\system32\WinDir\Svchost.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2308

      Network

      MITRE ATT&CK Matrix (ATT&CK v13)

      • Execution
        • Scripting (T1064): 1
      • Persistence
        • Boot or Logon Autostart Execution (T1547): 3
          • Registry Run Keys / Startup Folder (T1547.001): 2
          • Active Setup (T1547.014): 1
      • Privilege Escalation
        • Boot or Logon Autostart Execution (T1547): 3
          • Registry Run Keys / Startup Folder (T1547.001): 2
          • Active Setup (T1547.014): 1
      • Defense Evasion
        • Modify Registry (T1112): 3
        • Scripting (T1064): 1
      • Discovery
        • System Location Discovery (T1614): 1
          • System Language Discovery (T1614.001): 1

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize: 224KB

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize: 8B (21 distinct versions written during the run)

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize: 15B

      • C:\Windows\SysWOW64\WinDir\Svchost.exe
        Filesize: 1.1MB

      • memory/1188-27-0x0000000002600000-0x0000000002601000-memory.dmp
        Filesize

        4KB

      • memory/1624-270-0x00000000000A0000-0x00000000000A1000-memory.dmp
        Filesize

        4KB

      • memory/1624-323-0x00000000000E0000-0x00000000000E1000-memory.dmp
        Filesize

        4KB

      • memory/1624-556-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/1624-1522-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/1740-887-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1740-15-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1740-5-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1740-7-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1740-12-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1740-13-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1740-3-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1740-23-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1740-21-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1740-9-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1740-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/1740-19-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1740-20-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1748-0-0x0000000074451000-0x0000000074452000-memory.dmp
        Filesize

        4KB

      • memory/1748-22-0x0000000074450000-0x00000000749FB000-memory.dmp
        Filesize

        5.7MB

      • memory/1748-2-0x0000000074450000-0x00000000749FB000-memory.dmp
        Filesize

        5.7MB

      • memory/1748-1-0x0000000074450000-0x00000000749FB000-memory.dmp
        Filesize

        5.7MB