Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2024 21:53

General

  • Target

    7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    7162f99c0ceefc19c88816af9e8dde09

  • SHA1

    8cefb5d035e2f31de72c227217d180356e1e9b55

  • SHA256

    b18b75f5d303126308e565ff10a3a921a75227bd60f9025266c4047cb6c295c6

  • SHA512

    ec843c3f3914efee586d6217a4d894b3d42453da972888adb97e2543c45517f1b70cce182ca68166244bf65a035d87ec0783c66b1429ac358cc9b3dd829a1703

  • SSDEEP

    12288:LwslI7rGNrkty0fkhAlmv4TBd47GLRMTbA7rGNrkty0fkhA5ml:cslIErmyFAeWd474mfAErmyFAw

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

prodigyera.no-ip.org:20

Mutex

7PC66W54K7W42D

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:908
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3584
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:4708
          • C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe"
            3⤵
            • Checks computer location settings
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3132
            • C:\Windows\SysWOW64\WinDir\server.exe
              "C:\Windows\system32\WinDir\server.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:336
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 580
                5⤵
                • Program crash
                PID:2196
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 336 -ip 336
        1⤵
          PID:3036

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 2
    Active Setup (T1547.014): 1

  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 2
    Active Setup (T1547.014): 1

  • Defense Evasion
    Modify Registry (T1112): 3

  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
    System Location Discovery (T1614): 1
    System Language Discovery (T1614.001): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin2.txt (224KB)
  • C:\Users\Admin\AppData\Local\Temp\Admin7 (8B; written 18 times during the run with differing contents)
  • C:\Users\Admin\AppData\Roaming\Adminlog.dat (15B)
  • C:\Windows\SysWOW64\WinDir\server.exe (1.2MB; MD5, SHA1, SHA256 and SHA512 identical to the submitted sample, i.e. a copy of the original executable)