Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-07-2024 21:53

General

  • Target

    7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    7162f99c0ceefc19c88816af9e8dde09

  • SHA1

    8cefb5d035e2f31de72c227217d180356e1e9b55

  • SHA256

    b18b75f5d303126308e565ff10a3a921a75227bd60f9025266c4047cb6c295c6

  • SHA512

    ec843c3f3914efee586d6217a4d894b3d42453da972888adb97e2543c45517f1b70cce182ca68166244bf65a035d87ec0783c66b1429ac358cc9b3dd829a1703

  • SSDEEP

    12288:LwslI7rGNrkty0fkhAlmv4TBd47GLRMTbA7rGNrkty0fkhA5ml:cslIErmyFAeWd474mfAErmyFAw

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

prodigyera.no-ip.org:20

Mutex

7PC66W54K7W42D

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
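
The extracted config and the persistence signatures above translate directly into host and network indicators. The following is an added example (not part of the sandbox report) that derives those indicators from the config values shown in the report and runs them over constructed endpoint telemetry. The config values are copied from the report; the telemetry records, the registry value names (the report names the HKCU/HKLM hives but not the values written), and the Policies\Explorer\Run and Active Setup key paths behind the "policy Run key" and "Active Setup" signatures are assumptions for this demonstration. Two details from the report drive the path logic: the command line says system32\WinDir\server.exe while the file actually lands in SysWOW64\WinDir\server.exe (WOW64 redirection for a 32-bit process on x64), and the dropped server.exe has the same SHA256 as the submitted sample, so the sample's own hashes also identify the persisted copy.

```python
"""Host indicators derived from the extracted CyberGate config above,
run over constructed endpoint telemetry.

Added example; not part of the sandbox report. CONFIG values are copied
from the report. EVENTS, the registry value names and the policy Run /
Active Setup key paths are assumptions made for this demonstration.
"""
import ntpath

CONFIG = {
    "c2": "prodigyera.no-ip.org:20",
    "mutex": "7PC66W54K7W42D",
    "install_dir": "WinDir",
    "install_file": "server.exe",
    "regkey_hkcu": "HKCU",
    "regkey_hklm": "HKLM",
}

# The sample writes "C:\Windows\system32\WinDir\server.exe"; a 32-bit process
# on x64 is redirected to SysWOW64, which is the dropped-file path in the report.
SYSTEM_DIRS = (r"C:\Windows\system32", r"C:\Windows\SysWOW64")

# Assumed registry locations behind the "Run key", "policy Run key" and
# "Active Setup" signatures (lower-case, hive stripped).
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)
ACTIVE_SETUP = r"software\microsoft\active setup\installed components"


def derive_indicators(cfg):
    """Turn builder settings into concrete artefacts to hunt for."""
    host, _, port = cfg["c2"].rpartition(":")
    rel = ntpath.join(cfg["install_dir"], cfg["install_file"])
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "install_paths": {ntpath.join(d, rel).lower() for d in SYSTEM_DIRS},
        "hives": {cfg["regkey_hkcu"].upper(), cfg["regkey_hklm"].upper()},
    }


def match_event(ev, ind):
    """Reasons this telemetry record matches the indicators ([] if none)."""
    reasons = []
    kind = ev["type"]
    if kind == "file_create" and ev["path"].lower() in ind["install_paths"]:
        reasons.append("payload dropped at configured install path")
    elif kind == "registry_set":
        hive, _, subkey = ev["key"].partition("\\")
        subkey = subkey.lower()
        launches_payload = any(p in ev.get("data", "").lower()
                               for p in ind["install_paths"])
        if hive.upper() in ind["hives"] and launches_payload:
            if subkey.startswith(RUN_KEYS):
                reasons.append(f"{hive} Run/policy Run value starts the payload")
            # Active Setup runs StubPath once per user at logon (assumed value name).
            if subkey.startswith(ACTIVE_SETUP) and ev.get("value", "").lower() == "stubpath":
                reasons.append("Active Setup StubPath starts the payload")
    elif kind == "mutex_create" and ev["name"] == ind["mutex"]:
        reasons.append("CyberGate mutex created")
    elif kind == "dns_query" and ev["name"].lower() == ind["c2_host"]:
        reasons.append("DNS lookup of configured C2 host")
    elif kind == "network_connect" and \
            (ev["host"].lower(), ev["port"]) == (ind["c2_host"], ind["c2_port"]):
        reasons.append("connection to configured C2 host:port")
    return reasons


def scan(events, cfg=CONFIG):
    """Return [(event_index, reasons)] for every matching record."""
    ind = derive_indicators(cfg)
    return [(i, r) for i, ev in enumerate(events) if (r := match_event(ev, ind))]


# Constructed telemetry: one benign Run value, then the artefacts this sample leaves.
EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "file_create", "path": r"C:\Windows\SysWOW64\WinDir\server.exe"},
    {"type": "registry_set", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "value": "assumed_name", "data": r"C:\Windows\system32\WinDir\server.exe"},
    {"type": "registry_set", "key": r"HKLM\Software\Microsoft\Active Setup\Installed Components\{assumed-guid}",
     "value": "StubPath", "data": r"C:\Windows\system32\WinDir\server.exe"},
    {"type": "mutex_create", "name": "7PC66W54K7W42D"},
    {"type": "dns_query", "name": "prodigyera.no-ip.org"},
    {"type": "network_connect", "host": "prodigyera.no-ip.org", "port": 20},
]

if __name__ == "__main__":
    for i, reasons in scan(EVENTS):
        print(i, EVENTS[i]["type"], "->", "; ".join(reasons))
```

The benign OneDrive Run value is not flagged because its data never points at the derived install path; the remaining records each match one indicator. Matching on the data of any Run or Active Setup value, rather than on a specific value name, avoids depending on a name the builder may let the operator change.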

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2784
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:1940
          • C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe"
            3⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1348
            • C:\Windows\SysWOW64\WinDir\server.exe
              "C:\Windows\system32\WinDir\server.exe"
              4⤵
              • Executes dropped EXE
              PID:2552

      Network

      MITRE ATT&CK Matrix (ATT&CK v13)

      Persistence
        Boot or Logon Autostart Execution (T1547): 3
          Registry Run Keys / Startup Folder (T1547.001): 2
          Active Setup (T1547.014): 1

      Privilege Escalation
        Boot or Logon Autostart Execution (T1547): 3
          Registry Run Keys / Startup Folder (T1547.001): 2
          Active Setup (T1547.014): 1

      Defense Evasion
        Modify Registry (T1112): 3

      Discovery
        System Information Discovery (T1082): 1
        System Location Discovery (T1614): 1
          System Language Discovery (T1614.001): 1

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        6524fca5b80b5de75d75b92a1a092cc3

        SHA1

        95e3fdf049f8633a07d9f3f28d5b73ce2fd709dc

        SHA256

        8c3713637e0f6671a910a4162de97fb2b4aa0b5c05690e42d45957fbfb4cb53e

        SHA512

        467a8d5bb5e388c8b7d8a1c8fe8a32e9156b133859d40fc0d0ecfb92242d50239cf7db8dc78f19d22925d5873ae0de1728c93ce37c00d465501a9b48a58486a6

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        40f506e7ce59ca438339bad7b5ce88f1

        SHA1

        d5eb89da786448164a5addc9ae68ad850e18b87f

        SHA256

        8f1958d84ee094b8616a530dc906190aef8593cc5ec06abe3892c2d32f631e7d

        SHA512

        31a71daa9cffe7ee44d808deddd525b629ab2873c084f0cafad9a3d5dfe4bd22cbfcbe4786f6acc6ace924c04d2ee0be8887a7a1db2e96cf4c17fbf98fecc406

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        db458e4172f2b2ba19fcf2e1265e314b

        SHA1

        5fdf21ea18545649a57f33f5d2f9f0fa0691928a

        SHA256

        da1f6041f96d43655538850ee9edaf09b633cb9e092d1644f7082d7926121f5d

        SHA512

        a160aefa0082c822d42236d4e4cf6a41a8dba14005e99da0c8a914817a75412fb013cfa1090a34779fee7e5dd9121ed3932bea895d8a1320963082f34726102b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        44c7120057cef1c8abf2665833f55d9b

        SHA1

        385f662a68a58cb47100a6c45c02038a9978a1b9

        SHA256

        a126869c1d2e3a8da406417ce5a8c9648e46f30002442619c6feec026be95798

        SHA512

        5a67f1cf758a5a0065af5c66becc7fa39350922aa40f4ca8d929f837e0edded4b55710f8ea2f3fb01f82bed4557bb1d2173544755649fc03e4bf5dccade22962

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        f616a84e5c2a0e3fe52b6a6f7167a9f6

        SHA1

        4e8b65374bbb87a496817bbc584b6e54ac7b8461

        SHA256

        c85d918dad4c7e664d44926ef2728e1c96197a7ba425e63761981615a2985c11

        SHA512

        c460d6b0ca9f7f353f0f5ad7cb3e0f10384ab56f82fc39acb3f4eb81d2ef80e5c4c527ee252872e505980642c5f9d3d5d7e8cca431cbf2285efea09ce72b3f8c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        bfd3ad42e1261e182d9316641b38c00b

        SHA1

        f19312a2960b19380f98e2f072e7267846e650b6

        SHA256

        c60b15513049ad49236598563d4a6795a9c8bf00e1b8f56b293811831e607ad4

        SHA512

        df07780e70889927a89daa21f056580b950d0fb6c964be9152fb90f758f01c0cae661fddffe92ca722031a969ec249965f63e40928bcd71e375a9d3bbe420ca7

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        838668465d21ab41bb7c7d1bb254c0e1

        SHA1

        7e7fce7f736a9771debc7e484d9443e10e7d5456

        SHA256

        e05723a73dd0b741b71e866f277e0ff712f597c5acb8b1276c5a24e9f382a7b5

        SHA512

        33fa4b1d2f83162b16826c4bd97bca32369aae84f3edcd0fb728921da7f50aa73c2a7079e8809a699a33c9838d419e88fed3d88bb43afb08855dd7605f1232b7

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        2ccb9597929ef690ec885522e78d7233

        SHA1

        23df45c074311f61570b432beb6e8839e14c5537

        SHA256

        4a36f00676e25e4f67a8a65637d43241c34cdab0d115626232f234e4f9702c4c

        SHA512

        b3083a5c2fbf52f6c7e6e70068495663c9a5baaf6ccf3669afe1a76b6c7c2a7a930e84c66cd1afe6e342cc4eee80133f7989442260afbde91074a6e627604c51

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        16d86ef1995919c5678f4e0f01fc2235

        SHA1

        d327649643f7ec606c37125b6f57e8178eca52b9

        SHA256

        605a21f244b900fa76d58af5bb045be4182a9692b4b7fd62ab6e32272f7d373a

        SHA512

        d8cd8494edcfa7119ea4dc81b6534229d705d19ae7324b21c58f5c8906c2277d74ec26da756c70a6d9d3389e8f2c83de2c8fb9903cddddb855bb8f4226ec5737

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        ec54e6f99ec3cdb86e6bcb71ae068b08

        SHA1

        10003b8499f0e6c69e6548fd81053dea7d57de45

        SHA256

        56d3b3ac8bba1254ab75c19d4ea6869fbd4e73fca9d2fe0aacf9c262ebc4ced9

        SHA512

        a2da045f4ce2e35588620b40db827f7d84c6a4b5dce5030f208a0e02070ec2542c104c5eebf77e21707c752ce6f87ad14fff6ee692ba1d2ccfaa1a93a7f8599c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        382f59def667d4ca86f9ae5057acacee

        SHA1

        31e95d034baa2bc5a6b79ff227a2ac93c42c0c08

        SHA256

        10c24ce50e0bb56391be7267aaa025e3eaa921ae9b73651c08d3b632c10623b9

        SHA512

        735ca899b605beeb99502b2b6250df8a006ff9032d534d007ed25d660eb04e2385f74ca60064a67c6822a553f08efadf70571c429646e8acca15c27040972a42

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0046745063100bd31bf915a9c0c3bc40

        SHA1

        feb995853e106f298fa57c9bdd54f7bd145cbb1b

        SHA256

        37aca4eb14b0debd9dfd5454191ca759e0fa6e5e8418ebd3dd46e943764231dc

        SHA512

        6b6837c9b4e108b81e70b6d253006aede2b8529075d5892fa2e7a77fb30a1fc912b5cf3dcd092c8990a44a280132ccc21c9484e175b431e2c0d27c0cf7fd3777

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        4a364a0523d9f3869e00902d860e598b

        SHA1

        76d7da1582b953b92340614f07dd19901869fa97

        SHA256

        a3a9cbef0977cbb93c382e61da0011b0c1b20c05b01a596a8b9a543809108dd2

        SHA512

        038b704b76c648aa485ca2d9f725bfb764b55fdea54c53f021c16970d50305488ae43503e018b83c4a4354c75009a41764a6f66ddb4c8957ddfae09bf4d165f4

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        14b9f4e7cf9fa4024bf8d57c410db595

        SHA1

        a7a8bf59e439ed83179e33ad3463c93d1f093f90

        SHA256

        3e9fc31b3e977486665b40aa454c3fe3043a577eaffbb7d754a15d1cae83a0d8

        SHA512

        b8ec84461317c9b52fe5e916e3934dc33a1c60ade806e086e2c3d65edb41aade04ecc2fa0112b3e778681a3bf4bed5d73613acc239f001d5453877de4c97be7a

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d32978ca54948369ddcea653fcd183ca

        SHA1

        bc5fcf4595b8ef8071a1be69abb5404437218f94

        SHA256

        c2db9e9db96947f0b3fd4a447e1470abbd56ec163ee59c17c96a26cdec20f521

        SHA512

        6f8a8ba957d6cc5ec9a4d38f9e3abaf908fd60ac623eceb23eae52da6b36a55b3e1b53266718dcb9b5094eb1e79d56ee100f98201728de103e8ad0675f61c998

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8908ad11a84cc33c9e0913c6560ebcc2

        SHA1

        905eb6eacf19b4d1a6c1cf286c91103a31001c97

        SHA256

        5600c12621a494b8d5728bb52bab2e59c7cad8284f77327f93c1304706dd25e1

        SHA512

        78b6ce07a2125f5b7d517293bd14198401529f7049bb2a9b0bab470cf97fa450ffe199bfa6c3aefb4f4a4f0ea5a6b9fad9c9927edf1a06d1068e25febbb00214

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        f8b6a6871b77727fa1a0d72f08b71cd4

        SHA1

        aa5b5925180e4c68b8a63216a9c5033c07e2d1c5

        SHA256

        0d948dca2f8affa24b9debd3a4d7377e93eda73caa0e94d77181212fb832baf9

        SHA512

        f95f418372ff21e138cee22e3af8ae5c513599fbef727626fb4d9bd9cdc4fede46bdea90e43c963d721ee2203b073e9d907dd79c5052758cb1f971bbb6c490e7

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        baf1f5e7a8663446b6da715d2312edea

        SHA1

        842e3ff0c0b5ff356dc5a750e05a0eae03f02285

        SHA256

        e72ed236c4aa947d400e69678e06f91fbba2172f11df4eb949dbca7eed2d77c2

        SHA512

        ed0c7b1575cb5c7f1258cb0738f40f266ca9077c7ce6b7423352e9e9518ac6ba52442458a5049bb453d2c5b13d149cee004e8be306572baff2b7d00f1c5ad321

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e94d1b2383458caf3b4b31e0b62a7b26

        SHA1

        a26c093e9276798f40255f68395746ce44502dab

        SHA256

        fa3cc5e41d38fe7dcddb31951f05b4bf61587cc48c5d685f6f325575bb05bf15

        SHA512

        6500b3796af9d8a5a4310af04a90a84ae951861487d3f01191845606dfe8c6af29d83c2a25c48a29256df348d7e90cdbbe530a6259518810a29ea0858147ab68

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0fe4dfcf31bbc0bc2e53a74d6270ef25

        SHA1

        27d41a031f37d5f202ce77c48f4f7e3ac8a498a1

        SHA256

        d160b186213132d4b75441049eae69841cc7dbf2c6684697fd569e5fcbddd4a4

        SHA512

        8d4f4454b00646239c271a9f9cbaa5893e504cb6dc9c44cc020fae6cf3b54ceb26efc37413fcafbe509e621742660345ee8de504df7845b591257d1cb44c5dc1

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        771c5a17eb00ab5d591814e6db300a49

        SHA1

        36bd7487fcb12a9f18a9a9a5dabd3b7087b89f5d

        SHA256

        cb8d91ffdf53a089fc893ff2270a3be3ed33a37dfcee1a8678ebc1044d4f59d5

        SHA512

        ee948c440d3a2f3342f97fe0dcd459cc4a79de21f43e3f766c92209a4815e685fc34bcba3deac9fa495b55f0234bcfd6b98340bb976660d4ccbdf18480c1a598

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a22ffc3c84f98e28499783b78abe2703

        SHA1

        8cd37dd9f7ced78a9b2294d01e8cc5bade4e2f03

        SHA256

        4fd9322a359b0aa25038f279ebc6cf79099e6295023d633834be4ce2feda4985

        SHA512

        45cf07923ae0063a1aba2cb743c700be9121b3469c83baf37393c7faaf73b27e0babaf8b23384c85765a12a7b7827be06ce0114f47f102c6021819e8ff60b6b5

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\server.exe
        Filesize

        1.2MB

        MD5

        7162f99c0ceefc19c88816af9e8dde09

        SHA1

        8cefb5d035e2f31de72c227217d180356e1e9b55

        SHA256

        b18b75f5d303126308e565ff10a3a921a75227bd60f9025266c4047cb6c295c6

        SHA512

        ec843c3f3914efee586d6217a4d894b3d42453da972888adb97e2543c45517f1b70cce182ca68166244bf65a035d87ec0783c66b1429ac358cc9b3dd829a1703

      • memory/1196-4-0x0000000002E20000-0x0000000002E21000-memory.dmp
        Filesize

        4KB

      • memory/1348-889-0x0000000007100000-0x000000000722E000-memory.dmp
        Filesize

        1.2MB

      • memory/1348-2026-0x0000000007100000-0x000000000722E000-memory.dmp
        Filesize

        1.2MB

      • memory/1348-559-0x0000000000400000-0x000000000052E000-memory.dmp
        Filesize

        1.2MB

      • memory/1348-886-0x0000000007100000-0x000000000722E000-memory.dmp
        Filesize

        1.2MB

      • memory/2312-558-0x0000000001F00000-0x000000000202E000-memory.dmp
        Filesize

        1.2MB

      • memory/2312-0-0x0000000000400000-0x000000000052E000-memory.dmp
        Filesize

        1.2MB

      • memory/2312-3-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

      • memory/2312-866-0x0000000000400000-0x000000000052E000-memory.dmp
        Filesize

        1.2MB

      • memory/2552-890-0x0000000000400000-0x000000000052E000-memory.dmp
        Filesize

        1.2MB

      • memory/2784-247-0x00000000000E0000-0x00000000000E1000-memory.dmp
        Filesize

        4KB

      • memory/2784-1452-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/2784-260-0x0000000000160000-0x0000000000161000-memory.dmp
        Filesize

        4KB

      • memory/2784-534-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB