Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-07-2024 01:41

General

  • Target

    69c80f46768f499acf221361564493b0_JaffaCakes118.exe

  • Size

    518KB

  • MD5

    69c80f46768f499acf221361564493b0

  • SHA1

    201f1823b6f876f4d6ef821d82111db11864f188

  • SHA256

    e102e23226e5f0a582eabae99bbc62eb10e9f419ca9e398b2a83ada385d85679

  • SHA512

    ee74f920766fc2dcf1ff7ff05166217af8201678830eb52aaf884d13d8133669dc86f867930fe237a9e2737ebdcdd92352f11543e421ccb009c7e1eaaf60f32b

  • SSDEEP

    12288:YYesk0wZpO69lHyIiSxPmBUgDFrikROUo6NobRIE6LoCu5gVKvXpvq:YQ/w/O5S0BRDNw15gMv

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

drivebyjava.No-ip.biz:100

Mutex

71677562W4B0UI

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (6 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Uses the VBS compiler for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3520
      • C:\Users\Admin\AppData\Local\Temp\69c80f46768f499acf221361564493b0_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\69c80f46768f499acf221361564493b0_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4560
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4780
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:3012
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:4204
              • C:\Windows\SysWOW64\WinDir\Svchost.exe
                "C:\Windows\system32\WinDir\Svchost.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2056

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    Scripting (1): T1064
  • Persistence
    Boot or Logon Autostart Execution (3): T1547
    Registry Run Keys / Startup Folder (2): T1547.001
    Active Setup (1): T1547.014
  • Privilege Escalation
    Boot or Logon Autostart Execution (3): T1547
    Registry Run Keys / Startup Folder (2): T1547.001
    Active Setup (1): T1547.014
  • Defense Evasion
    Modify Registry (3): T1112
    Scripting (1): T1064
  • Discovery
    System Location Discovery (1): T1614
    System Language Discovery (1): T1614.001


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
    Filesize: 224KB
    MD5:    c9f582a627421801c7ed3c926bd9f65f
    SHA1:   e4858193005a9619e90efd3d9eb64efa58c855ed
    SHA256: 55ad41d15c4dbf6c287a43b10f4f0ff3ff0fbb53172ed9fe9b7291409617c2b2
    SHA512: ea527acbe1774e9227c42a880559eb383ddda2d84130f0802ffd90d959b89ea6d3957d479186a76a1b9af77f8000fcb0679863a2be19840395d6f4d2b1f7f601

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    50725cdf0d31685665a4331db008c0f3
    SHA1:   d597ad190cb90f5b30c2557d98113a587da7d892
    SHA256: 8ba92fe7955217679b102a87980e85277bb416a5876c7206468cd5d1b239710a
    SHA512: 861f6d21895568fc844962124e1b3cc9ec2b96b181e2e48f6b807fc3197962ebc6f59302854998755c75eb25c7a099ab9fb24c1e9044b1cbca2b79deda2c779e

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    a44f20bcd7e51a50f4d4ceee877a4c62
    SHA1:   021f59beb5534581eb28894c2c1efba35ca05319
    SHA256: 357c9f2d464377909a1e3a72da87a20f87b5d6df76b4c6b4b0d56ac0ab7e58ff
    SHA512: a74fc00878ea5637d4ff8be41d6211c3d49166d6f198f2de1a937ebf51e5875b5313a816f3b1f9387079d7ff35f4055e881f6923ff3f4fa31942c77b7950cda6

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    74bcd0a3a70b3bee654ee0a59c085e53
    SHA1:   f5b6c25da6a2e2ca156e9234551eb25a59e437e8
    SHA256: 61fe9e711a944245bd9504efb0eef0d244724d95eb4d5039769818020a715772
    SHA512: 877bb2c26ee8d8b003836ab8179a97e9693b970fc0021ac669741aa911527abc137ea16967a9b2b37e480b4ecda26488bcadcbe5b9e1c6385938b58ad0760bdc

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    4657201f348bc36e0b337dbb67f41afd
    SHA1:   00f94abae6a9067875c53e9019ef1fa2c9ff8d62
    SHA256: 182e618087adfa5ff357290abb5f14b1b68b21cc2dee72e8c44edddbe42bf630
    SHA512: 0a617390baf105fffae965256be97712d1ab3a8b9554cf663d06665e1e4e19a1930ba95eebb69277fabf1e9655bd1ee78942bc4cc1551044258c20a53827b432

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    ca9e790500d3a402e7a1d618038df875
    SHA1:   5870e21330200bbaec43ec1e4758f647d1d2bf0e
    SHA256: ef2a9a4f0d8a9f9140641fdec7fc244903235f19c142c3fa72c0426d1c29be20
    SHA512: 6897c1a8feb1e29e65c3ad93379c147b883256bc5f02dcd046c625dd4dabd078a171140b7559244b2199a6961f920e42746f416b6141ffa70678d3089227d49d

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    4e8c8870363d9f87b52091194f6982f0
    SHA1:   c7b724e7b2e5ef183b6452dc167a753a64777e16
    SHA256: 15e873b77ab17a25cd5e4d9531fe9deefed05074bff329cbab124dd7a9808c0f
    SHA512: 5afa1647016b8089224f8c97c7e5bd7227f4d6187c298a6b8a519d4303f98f9a65948a7db50cbe52d6a92a66798107fdd89bd400700e53f24e575f049ffd90f8

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    bc73c7725e6a2081c8cd716cf24b41be
    SHA1:   32826c74e2424fe9d803e50f221c40d6184d1b4d
    SHA256: 9310efefa792c85a926011667c38ed60e0d49363bc8e14b049c62b4ab8b0e754
    SHA512: a5f05e3fb7765d10a4576f50666901af4c987019674da5cd0104ddaac247dd309d6be7a613ef084279ecc0d4c680ad49aeaa13a6f867fd62ead79076e5fc8adf

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    578ebdf0fa8e2a1c5a13c86301a769c1
    SHA1:   cb3ceb839d8926ba31d387025a6a693ef8aecf80
    SHA256: bf902e226a3dafcd6565d4d355a531c04904fcc9d87dee2f15fdb63bae5f689f
    SHA512: 9f10e28df1b52697fa1e42bad8a9f41c28ce2ca9014bb621bcc1c4b5fd13711aa3c86ed70de3fd6760e654bdd2de0cc5f1187537ba8f9ba489f232cddc5616cf

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    02028a87e0ccfca03103866351717b93
    SHA1:   cd7a0cc5e61a517a2ac1c2520411a02409e7e979
    SHA256: 275c9af5d9089f74f5cbc0c63031ff9b2f0a8910ea79b4e76423c119d5583a22
    SHA512: 378902bb709637666a4bb42942dc56e83f007cbbd0098992cffe0fe7adbf0094b43bc5fba3dedab4a09ebb00fc2a4f86598f1daceca92e9c8f511055c75f2c19

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    7387a1c9c4bcacc81445b463a1b3139b
    SHA1:   002a695dabf11818c3db597eea9b89babc403360
    SHA256: 12750fe0e5a4bfe48575f044f7c1edc8893389a9221838943a429c26bb9ade95
    SHA512: 9db740898591264a5afdfd7448d50c82cc42c72fc519a62ee3e61be6dc35c56ed248cbf404bde24251c0cd2fea480c34e9d0719f9afc7cf10723765344efc576

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    7e8a2aff4101680a283746acfb53053e
    SHA1:   10f29c5432a8924ebef3a69a7f485d6f73aaf48d
    SHA256: 8d3263071d8bf3ed3d1aea70a861c043b55468444008b08ce9bfaf3e0499e5a5
    SHA512: d92a61ef01134e024bc32afa7839a273781eb170de8ae9d29bf43b3454c16bd2cc62c654916d1ef602fae8e31532cbbc0f853eb3430050f5d104977339a5bc49

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    4c9d1fbe40b324eb531c1f7bf2f6873a
    SHA1:   94a96a3d6c5db8a1fa4b1f8e75c2d784a9ca5cd9
    SHA256: 1bb3c5300199f06db18a34aafcd3191a6722cea38ea23a8dd7c0134e620ec928
    SHA512: 9b801675f7d8701546864d9b4ddf6105704795d67cd9d7c7b82d0aaf5672cf32f85dbf36793cc0cc275c555194b96a55beeabe9c56adc634b6b9e99c7ab1af54

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    04b19bbae9eaec699cffe2b0e19ae27d
    SHA1:   f2d8f5239b5c00d7a4b90bbe9a087329bf2fadd7
    SHA256: 57ae149b9a8a1247d9a7eabc63d3d2d888a52bd24217a0d6addb3bcb9982c073
    SHA512: 1541f7bedeea7a9db88334e3297e83efbb75178d321b2a0156689eb35a0443c60233739bacc16f459e2535fe2a2e43f6708d0045fe5ea329bad1467b96bf9923

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    4e1488c1560bdaa35835a42648fed6a4
    SHA1:   6c6c7ded2de0470248fd8d9682979a6a5ea8b398
    SHA256: a49845a9ba6c4c8de49b4ac50e1b0809a7653413026f13caf887d3414643d816
    SHA512: ed8e57bc894feb4fa7cbc509890ef21b3cb6e93da79e6633c1f6e93d57de66629c89e1b7645c8d8c5367d09b7a856afcf0ea2140fdf452a776128fda5d79fab5

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    b1ae362f8c8c5bc5f0ea64336c835143
    SHA1:   3e3559c002f002e87bcac74ebebc67aaae623589
    SHA256: 6d45d72550451f3c999108c0a913c1d1e218b5d01c7510cd197e8f7537c1eedf
    SHA512: 801f3d8b70306f75d68a3029c47976a9c7b828be9d30b3de26803736d89e5e75f958a411c94022fae84021bd89f6118168871c9e830f73bcf64827e5eca4e46c

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    bfac8dc6dcb68195c268f5dc703bd844
    SHA1:   600b64a5f911924e167008cbaa83ae96c71a58fd
    SHA256: dd39e2d08cc3c8b16c37bb25d6e12be8582b5c77cc4d150d13c71114412216c1
    SHA512: b78a0f792f1b0e2ca32181b52bd2982577fe21c1ab3ae3ad76ffd00d5be2924bc5d897f6e60826d1eeab55e23e44660886aa420aa1db3616141d100d124b930d

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    514eb0a7cd3091e4f6eaed68ecd66aad
    SHA1:   d093790be27a368ac52c7409099ee4b8229c6aa3
    SHA256: 1d2531a50f88c93196e9ba73cbec1ff6d6fa46e3857f8a840c0491a4f0ed3920
    SHA512: c2fd2f2b15a9f98ee95db792909ebb0425d9c6130bc7920c1f09ee85552c48f5c08cfbe074cb60c00ad8fd832e45cfb38ab072ee36c212af14d82264ff1bb0cb

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    11d9369676500e44601bbb73a8201f99
    SHA1:   1c0d702c8f3859895aaf5ac95eeedfeb407f6355
    SHA256: 780af72aa299917ef717d5655e49616981d7ada357ffc806c5ef329772f10b0f
    SHA512: 6753f5aa4bcc6eba630c568bc197ea462aa6b24cb98da7563fd0863db26fa497d90529d2516fa694907b9b724f14f2701639e3d4439de07649c007f355a5e58a

  • C:\Users\Admin\AppData\Local\Temp\Admin7
    Filesize: 8B
    MD5:    43d85ce06a9786e0d691e9c5811fe88e
    SHA1:   08123455ff283a92c5b7dcf1779a5692166e5495
    SHA256: 77b91d9d833570413d91d84074005c12a5008539cd33e503ec1a673c4913f1f0
    SHA512: ea79047d2ae7f807a6978155b689b4713aea139baba7f1cbe6643a53132c62a10061c75409bf8b262bd8bf89ede86ff419c1ef394feed1b71edd32b4640c799a

  • C:\Users\Admin\AppData\Roaming\Adminlog.dat
    Filesize: 15B
    MD5:    bf3dba41023802cf6d3f8c5fd683a0c7
    SHA1:   466530987a347b68ef28faad238d7b50db8656a5
    SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
    SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

  • C:\Windows\SysWOW64\WinDir\Svchost.exe
    Filesize: 1.1MB
    MD5:    d881de17aa8f2e2c08cbb7b265f928f9
    SHA1:   08936aebc87decf0af6e8eada191062b5e65ac2a
    SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
    SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Memory dumps (PID-index-range):

  • memory/2056-1-0x0000000074FA0000-0x0000000075551000-memory.dmp (5.7MB)
  • memory/2056-2-0x0000000074FA0000-0x0000000075551000-memory.dmp (5.7MB)
  • memory/2056-8-0x0000000074FA0000-0x0000000075551000-memory.dmp (5.7MB)
  • memory/2056-0-0x0000000074FA2000-0x0000000074FA3000-memory.dmp (4KB)
  • memory/4204-1453-0x0000000010560000-0x00000000105C5000-memory.dmp (404KB)
  • memory/4204-149-0x0000000010560000-0x00000000105C5000-memory.dmp (404KB)
  • memory/4560-7-0x0000000000400000-0x0000000000451000-memory.dmp (324KB)
  • memory/4560-6-0x0000000000400000-0x0000000000451000-memory.dmp (324KB)
  • memory/4560-4-0x0000000000400000-0x0000000000451000-memory.dmp (324KB)
  • memory/4560-12-0x0000000010410000-0x0000000010475000-memory.dmp (404KB)
  • memory/4560-3-0x0000000000400000-0x0000000000451000-memory.dmp (324KB)
  • memory/4560-15-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)
  • memory/4560-148-0x0000000000400000-0x0000000000451000-memory.dmp (324KB)
  • memory/4780-996-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)
  • memory/4780-17-0x00000000011E0000-0x00000000011E1000-memory.dmp (4KB)
  • memory/4780-16-0x0000000001120000-0x0000000001121000-memory.dmp (4KB)
  • memory/4780-77-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)