Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-07-2024 10:33

General

  • Target

    6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe

  • Size

    355KB

  • MD5

    6f3836931b74da275c0da23ba896c234

  • SHA1

    c92bb5b72e557d6da806321ec9b02adaa7fdad8f

  • SHA256

    f6c4965c3db1a15fed240f6e9aa0373ab93cf55c0447968e9027b600feda1156

  • SHA512

    abc5c087429f8872c889ceeb615e3df4439dfafd8a53b5c60d245aaf21692a5ec084d0836ffa4b067cf2993d0fe74ccfc016a6ecb9c2815d69f6c6f59d31da80

  • SSDEEP

    6144:Ka+mOBCVId41u6S14lqG4JtzD2FuGgfbV2GQVnhXRuKk/OAn6l38kMVcCUge3Il0:CPBCVI+uPDGGguG+gbuKna1cCU93I7g+

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

rsvirtue.no-ip.biz:100

Mutex

62P54T85F88414

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
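
The extracted config above already fixes the artefacts a responder needs to hunt for: the C2 host and port, the mutex, the install folder and file name, and the two hives the persistence keys go under. The script below is an added example, not part of the sandbox report and not CyberGate's own code. CONFIG holds the values the report extracted; EVENTS is constructed telemetry for the demo, not captured data, and the registry value name and the Active Setup subkey GUID in it are assumptions, since the report prints neither. It resolves the install path for both the native and the WoW64-redirected system directory (the process tree shows the latter) and flags only autostart values that actually point at that path, so a benign Run entry does not fire.

```python
"""Hunt checks derived from the extracted CyberGate config above.

Added example, not part of the sandbox report. CONFIG holds the values the
report extracted; EVENTS is constructed telemetry for the demo, and the
registry value name and Active Setup subkey GUID in it are assumptions.
"""
import ntpath

CONFIG = {
    "c2": "rsvirtue.no-ip.biz:100",
    "mutex": "62P54T85F88414",
    "install_dir": "WinDir",
    "install_file": "Svchost.exe",
    "regkey_hkcu": "HKCU",
    "regkey_hklm": "HKLM",
}

# Autostart locations named by the report's signatures: the Run key, the
# policy Run key and Active Setup, under whichever hives the config enables.
RUN_SUBKEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)
ACTIVE_SETUP = r"software\microsoft\active setup\installed components"


def install_paths(cfg):
    """Paths the install_dir/install_file pair can resolve to. A 32-bit
    sample on 64-bit Windows is redirected to SysWOW64 by WoW64 (the
    process tree shows exactly that), so both candidates are returned."""
    tail = ntpath.join(cfg["install_dir"], cfg["install_file"]).lower()
    return {ntpath.join(r"c:\windows\system32", tail),
            ntpath.join(r"c:\windows\syswow64", tail)}


def is_autostart_key(key, cfg):
    """True for a Run, policy Run or Active Setup key under a configured hive."""
    hive, _, sub = key.partition("\\")
    if hive.upper() not in (cfg["regkey_hkcu"], cfg["regkey_hklm"]):
        return False
    sub = sub.lower()
    return sub in RUN_SUBKEYS or sub.startswith(ACTIVE_SETUP)


def hunt(cfg, events):
    """Return (rule, event) pairs for telemetry records that match the config."""
    host, port = cfg["c2"].rsplit(":", 1)
    paths = install_paths(cfg)
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry":
            # Only flag an autostart value when it points at the configured
            # install path, so ordinary Run entries stay quiet.
            if is_autostart_key(ev["key"], cfg) and ev["data"].strip('"').lower() in paths:
                hits.append(("autostart_to_install_path", ev))
        elif kind == "process" and ev["image"].lower() in paths:
            hits.append(("install_path_executed", ev))
        elif kind == "dns" and ev["query"].lower() == host.lower():
            hits.append(("c2_domain_lookup", ev))
        elif kind == "connect" and ev["host"].lower() == host.lower() and ev["port"] == int(port):
            hits.append(("c2_connect", ev))
        elif kind == "mutex" and ev["name"] == cfg["mutex"]:
            hits.append(("config_mutex", ev))
    return hits


EVENTS = [  # constructed for the demo, not captured telemetry
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "value": "CyberGate",  # assumed value name
     "data": r"C:\Windows\SysWOW64\WinDir\Svchost.exe"},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}",  # assumed subkey
     "value": "StubPath", "data": r'"C:\Windows\SysWOW64\WinDir\Svchost.exe"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Program Files\Vendor\updater.exe"},  # benign autostart
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},  # the genuine service host
    {"type": "process", "image": r"C:\Windows\SysWOW64\WinDir\Svchost.exe"},
    {"type": "dns", "query": "rsvirtue.no-ip.biz"},
    {"type": "connect", "host": "rsvirtue.no-ip.biz", "port": 100},
    {"type": "mutex", "name": "62P54T85F88414"},
]

if __name__ == "__main__":
    for rule, ev in hunt(CONFIG, EVENTS):
        print(rule, ev)
```

On a real host the EVENTS list would be replaced by Sysmon or EDR records; the matching logic stays the same. The dynamic DNS host is the weakest indicator here, since no-ip names are re-pointed freely, so the registry and file-path checks carry more weight than the C2 lookup.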

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
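
The "UPX packed file" signature above is a static check, and the part of it that survives a renamed ("modified UPX") build is the section layout rather than the section names. The script below is an added example, not part of the report and not the sandbox's own rule: it parses the PE section table and reports three independent indicators (UPX section names, a first section with no raw data that serves as the unpack target, and the "UPX!" marker). The two PE images it inspects are constructed in memory with a helper, headers and an empty body only; the sample itself is not reproduced here.

```python
"""Static UPX check: parse the PE section table and look for the UPX layout.

Added example, not part of the sandbox report. The PE images below are
constructed for the demo (DOS stub, COFF header, empty optional header and
a section table); no real binary is embedded.
"""
import struct


def pe_sections(data):
    """Yield (name, virtual_size, raw_size) for each entry in the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # 4-byte signature + 20-byte COFF header
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        yield name, vsize, rawsize


def upx_indicators(data):
    """Return the reasons a PE looks UPX-packed (an empty list means none)."""
    secs = list(pe_sections(data))
    names = [s[0] for s in secs]
    reasons = []
    if any(n.upper().startswith("UPX") for n in names):
        reasons.append("section names " + ",".join(names))
    # A renamed build keeps the layout: the first section has no bytes on
    # disk but a large virtual size, because it is the unpack target.
    if secs and secs[0][2] == 0 and secs[0][1] > 0:
        reasons.append("first section has no raw data (unpack target)")
    if b"UPX!" in data:
        reasons.append("UPX! marker string")
    return reasons


def build_pe(sections, tail=b""):
    """Construct a minimal PE32 image (headers and section table only) for the demo."""
    opt = bytes(224)                            # PE32 optional header size; contents unused here
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b""
    for name, vsize, rawsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000, rawsize,
                             0x400, 0, 0, 0, 0, 0x60000020)
    return dos + coff + opt + table + tail


# Constructed images: stock UPX, a renamed build, and an unpacked binary.
PACKED = build_pe([("UPX0", 0x30000, 0), ("UPX1", 0x20000, 0x1FA00), (".rsrc", 0x1000, 0x400)],
                  tail=b"\0UPX!\0")
RENAMED = build_pe([(".text", 0x30000, 0), (".data", 0x20000, 0x1FA00), (".rsrc", 0x1000, 0x400)])
CLEAN = build_pe([(".text", 0x8000, 0x8000), (".data", 0x1000, 0x400), (".rsrc", 0x1000, 0x400)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("renamed", RENAMED), ("clean", CLEAN)):
        print(label, upx_indicators(img) or "no UPX indicators")
```

The layout heuristic is evidence, not proof: other packers also leave an empty first section, so treat it as one signal alongside the names, the marker and the sample's behaviour rather than as a verdict on its own.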

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1228
      • C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2992
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1308
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2248
            • C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:1196
              • C:\Windows\SysWOW64\WinDir\Svchost.exe
                "C:\Windows\system32\WinDir\Svchost.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:1980
                • C:\Windows\SysWOW64\WinDir\Svchost.exe
                  "C:\Windows\SysWOW64\WinDir\Svchost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1488
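
The tree above shows the pattern in full: the sample starts a copy of itself and touches its thread context (PIDs 2332 and 2992), the second copy launches the 32-bit explorer.exe from SysWOW64 (the config's injected_process) and a further copy of itself, which drops and runs WinDir\Svchost.exe, and the dropped binary repeats the self-spawn with SetThreadContext. The script below is an added example, not part of the sandbox report: it encodes that tree as data (PIDs, parents, image paths and a subset of the per-process signature names, transcribed from above) and runs three structural rules over it. The rules themselves, where the genuine svchost.exe lives and which parents normally start explorer.exe, are general Windows knowledge, not report data.

```python
"""Structural checks over the process tree above.

Added example, not part of the sandbox report. TREE is transcribed from the
tree above (a subset of each process's signature names); the rules are
general Windows knowledge, not report data.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    sigs: tuple = ()


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\WinDir\Svchost.exe"
TREE = [
    Proc(1228, 0, r"C:\Windows\Explorer.EXE"),
    Proc(2332, 1228, SAMPLE, ("Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory")),
    Proc(2992, 2332, SAMPLE, ("Adds policy Run key to start application",
                              "Boot or Logon Autostart Execution: Active Setup",
                              "Drops file in System32 directory")),
    Proc(1308, 2992, r"C:\Windows\SysWOW64\explorer.exe", ("Boot or Logon Autostart Execution: Active Setup",)),
    Proc(2248, 2992, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(1196, 2992, SAMPLE, ("Loads dropped DLL", "Drops file in System32 directory")),
    Proc(1980, 1196, DROPPED, ("Executes dropped EXE", "Suspicious use of SetThreadContext")),
    Proc(1488, 1980, DROPPED, ("Executes dropped EXE",)),
]

# Where the genuine svchost.exe lives, and which parents normally start
# explorer.exe (general Windows knowledge, not from the report).
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}


def lineage(tree, pid):
    """PIDs from the tree root down to pid."""
    by_pid = {p.pid: p for p in tree}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def analyse(tree):
    """Return (rule, pid) findings for the hollowing and masquerading pattern."""
    by_pid = {p.pid: p for p in tree}
    children = {}
    for p in tree:
        children.setdefault(p.ppid, []).append(p)
    findings = []
    for p in tree:
        name = ntpath.basename(p.image).lower()
        folder = ntpath.dirname(p.image).lower()
        parent = by_pid.get(p.ppid)
        # 1. An image called svchost.exe outside the system directories:
        #    the config's install_file, dropped into the WinDir subfolder.
        if name == "svchost.exe" and folder not in SVCHOST_DIRS:
            findings.append(("svchost_outside_system_dir", p.pid))
        # 2. A process that starts a copy of itself and sets the child's
        #    thread context: the hollowing-style handover seen twice above.
        if "Suspicious use of SetThreadContext" in p.sigs and any(
                c.image.lower() == p.image.lower() for c in children.get(p.pid, [])):
            findings.append(("self_respawn_with_setthreadcontext", p.pid))
        # 3. explorer.exe started by something other than the logon chain:
        #    here the injected_process from the config, launched by the sample.
        if name == "explorer.exe" and parent is not None \
                and ntpath.basename(parent.image).lower() not in EXPLORER_PARENTS:
            findings.append(("explorer_unusual_parent", p.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in analyse(TREE):
        chain = " > ".join(str(x) for x in lineage(TREE, pid))
        print(f"{rule}: pid {pid} (lineage {chain})")
```

Rule 2 deliberately requires the SetThreadContext signature as well as the self-spawn, so the third copy of the sample (PID 1196, which only loads the dropped DLL) is not reported; loosen that if the goal is to catch every re-execution rather than the handover itself. Note that the second explorer.exe is a legitimate binary in a legitimate location; it is the parent that makes it worth a look.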

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • T1547 Boot or Logon Autostart Execution (3)
      • T1547.001 Registry Run Keys / Startup Folder (2)
      • T1547.014 Active Setup (1)
  • Privilege Escalation
    • T1547 Boot or Logon Autostart Execution (3)
      • T1547.001 Registry Run Keys / Startup Folder (2)
      • T1547.014 Active Setup (1)
  • Defense Evasion
    • T1112 Modify Registry (3)
  • Discovery
    • T1082 System Information Discovery (1)
    • T1614 System Location Discovery (1)
      • T1614.001 System Language Discovery (1)

Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        4ad25343faad756fedcbde96eb9e07bd

        SHA1

        6a0a20811193fbfda51e22a1f5c7419b05f9d336

        SHA256

        bf9e5d321132f7544f0a078038a556255c30bc96e03f474d2c36ce781c439a8f

        SHA512

        4bd8f0244c7d1bae3c5fbe65bb3225fd8a628a6dc96ad8bc9012245d1e5cbd66328967acdb23ed680bca61a35a6993d2437a7b04cc209c656226c642c4055e28

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        ed91ed0c991a291e3fc22fbc68bca9e7

        SHA1

        9bec6b60749deeb77658c1ebb7a4b7cbd332da3a

        SHA256

        70b97550ebe688938767182f1e1e74f62f70c36f43b22271d262521715f63ce9

        SHA512

        ef91375f46200a26710984e3b75d3f6e1575f74e7d120d79405fe7a776cdfda9d75b1a04c84fc63a6ed8c3fc0c4063c0dc4a9a3ac753191343d8f8fbca6f13ed

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        9a6212e54a4597871c1700d1ec7ee9ef

        SHA1

        f7af5f6d93bff9f29a51924dcd98c7b42839a30d

        SHA256

        c9e0ef635282359d3953405c9f7ff1affa1868d72abe77c7308712a86321e247

        SHA512

        1333a153bb2071d51848238a7b06bfee72ca40f00ad49d0db4a3483e88cc3637998c17b1c8a959f0b8638e3b700c95468ad597205fda6de88a059472e323ec02

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0cb6a74cde8a9d9a88aa838b082d30cf

        SHA1

        cd947281aa6a273d918f92e85188d1a740b1118d

        SHA256

        7798dbf2f0ae5d47e769ac63337fa32d6a15d08eb90657bbe039a493f1125e95

        SHA512

        d363a6a2dcfd6ac3681f45a66aa73bcd8ed01721c79998ce4cb7fbbe9dd8eefc6d98cca00f050a08ebea81d9809bdd2727a0faf34139da883684e3c045d502a1

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        7619702aeefec1a2135f7e72b44cc87b

        SHA1

        0fc8aface0ba62ffb5b232fb97ce6423bd4de85d

        SHA256

        4706a9ea57c9774554e65a63f77b8c831cb87f10b57adf5ef1c88fe84d25d6d7

        SHA512

        02137d4bd484855c0029f2d51eb4cb1c970a32b4383f273d8a72b05e3905741faad684071d085e6f9dd92cd8a280a5fce54ae2a5d313608f05dbd6cfb36df006

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        45914403cc303387f919f3ef255142e6

        SHA1

        2d90e0b0afded36ab6b814533b70b4eb6da17924

        SHA256

        52eceba7991be47e636d3d3adfe030e0ec50a3df6b6b8f4919e928fdf8ad8cf4

        SHA512

        267a96cecdba8b51279a007dff63bf69a9f8b1c8ba736707cf27af04175b84dfdbb7303a2590a6507baf62942aa59880788f0dffb1e662dc87e14e03da099ccf

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        95b382184fd7bdb4e8059bcca7f1db60

        SHA1

        550e921244cb9659f783d9a9cd3dd3e5c35c74cd

        SHA256

        91b144208c8f063b44f88fb057466660a8a6337dd28c66c1c61bbc257c985205

        SHA512

        0d06fa81a15ff2319aebc969351f4fe6aa6c5b1847c2ae0d024cdd1b2c4122a6e61c116bebfe78aac104be10ce576747e0d09dc882ba4074b8711c4ffaa89eac

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        fe16f783aff60ed6941665f28e7478c6

        SHA1

        69fdb5bc3a32f75a5b3e484d69e27cb218180c63

        SHA256

        aabe9f609eb335de67e543db351a71ac8f8dc0ef26cf1b295e31138d4213a5eb

        SHA512

        b6a845d86698f85214a8a008ae967e9626ca7eb1e1e7ed848f3c57bf5196846c03a24e9db99ebd870e2a35c90e97f625ebc14cd8728a6b54f7c393a6c64c946e

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        66431af0c7928e9ef5e6166fd8b1b1f8

        SHA1

        802455eff9ce809d0f44c56110869c0b63500caf

        SHA256

        5ab3a9790b330638dc2a6999c8691662374a547fc656b953d676493508d69b1b

        SHA512

        142253813e6b06d75d113f993e2773f1e4729c62ec519f7a4a302336586ac1533737e0fb17e933f44da6d42cee1b0e76cd52d0212970a1bead0e283cb49a43de

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        45bc754a263581ff8c4ee99fa6c0a9f1

        SHA1

        cd68423f0507b7d06ff35fd77abd913c7d38a093

        SHA256

        953a8c1f33dcaa65e260b73b131ce48877b8adcc024bfadc1d26c16819928f23

        SHA512

        3c69ac1b5ed4c40d7326c998c5744eae68e559a4490e1c6b96f57ca8b3d0897a80108e48e1c05691d169a9035983e6f3d577f67c0459eeea232aa51381cfc389

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        99f99464cd72ab411285f6a50479b6d7

        SHA1

        ee623fcca68e5f33278241f919cdcbb704ec820e

        SHA256

        da4e334e2f9d5b5f4a1ad7b1d70cf23307c828dd497f55d0a19d2f2a7274ea03

        SHA512

        18588ff94d36941c6a738bda0ea6c4474d54d63d5f8236384cbdba67b5c623c5a6e7f81f1e7fbc94a52b83b0fdc5b7318ea56929b5d1197d2baea296790c943d

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        937e0d045f79c6ff540b9d41387ced77

        SHA1

        c6b697171c9b1959b5df524cec78e1af3fab1171

        SHA256

        4b7b57f2cb16d5a70ff5894e779beb3d1b2769835e6f6c002e2e4f1a28a43ca2

        SHA512

        eeacd723ba180391406a5348095c88fc15b4bf119adb625d561e215c1af6c07f31cd25abfae6532cd839ab93af54b4bb4e7fa452d27a4d4d559c67f62b3d032f

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        2b15b8c8357f9d9ca8c3e81302a79d6f

        SHA1

        51cbcb5ae3d971bea1af297373848588e52e38d5

        SHA256

        d03f674dc142b94189b885ffe2eb01e4d92479e0906b96cb254d5877f8532b0a

        SHA512

        6297115aa81230badddd1cda656d9b0a39fcd2ad74de517911e1c927d85206a072f8bff9ea4fc92b2013a036c4799adaa6bc594a380577cb3e126c6124b00fa3

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        74b43dd320eac9d1c4ca725a4203cd9c

        SHA1

        1f519027f25556ce477a9f7f161eefc0bbf0286e

        SHA256

        739aedaed13eb3d993f87225837c13b8dd9d6182377c57fd892300e03f3e01f8

        SHA512

        23a2d706085db9dd2a381e5fe12c218556ea97258719f5923995c7accd533674b3fec33b4f87224f037af3943ef0f5c2d271b2842505c56f49498102591afe6a

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        200d99b3439f620937b446f067e247ce

        SHA1

        b265f5e6ccee538d1b1e12811275a485b851345a

        SHA256

        f28b7aa05408485ff72a6840d35c62d052c3b2d25eee472e2fe5a6a48ae43932

        SHA512

        f2512079394e262e663d7115e29eb671c8738fbca193eb7c009ea2e0e26dd07477b793a0183bea675e1609fad8992bb272a9424658693bc7a55844de2bd95185

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3772ea5b9fd4bd602fff440f00f146c3

        SHA1

        bfd8f277175468d2c2366c0b8a3929d25c085a5f

        SHA256

        602d16e820943123907f9fe83629f9a32b09db4952192899700c7cdf277d4b14

        SHA512

        36201339a309023b80cef303765207c3a2a251a2ba42ad6cca2ad8a0ba8131c53dcc8cd67ecd058a0d32e8a07b505be5b0692f5986972e31e89fca04cc25fb6a

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        602221439ebf56dbf880c824f9ca76b0

        SHA1

        8d09c65cec4f0b24dc7e238478b608ef8f208256

        SHA256

        a8daa187ebcc793aa6fe986099c07c43d5256a910c961c55aec7a13a93e656cd

        SHA512

        f5a73d68a56251f8b50dabee89dbd7017e51b6ced2701d459102b414a831de5078ce10e186a7f158beea1c7c9ed38e4329465e46ef46b42691b029f86d1591a0

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a44cea083e82b47c5979ff8d4c453ab2

        SHA1

        fb8063ce01df61ebb41f7676d4ce4a880bf071d6

        SHA256

        d02a4ccc8a351301445f8b24dfc4a8c356cb9845693dfe063e13de17af2e6860

        SHA512

        66cc15e8cd525f0e560e6ba474cdb1d6f0501c6560309b2aa772829c0b3b1a97005f6a6632261dcee0576f8b7acffa67d3178ae86ca3f7fc14f6c95683e5efe5

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d8791e7098ccb9a21718067f6b1a4036

        SHA1

        1d944af9024a172fe4f7e8ad5fb2712b80ebbb1e

        SHA256

        e8889491706a1f4c765f13a8a13b85bc31601fddd8dead96385d049a2535e65c

        SHA512

        928cef228302bd8ec4b2b3ed18241a06e7730a1d9c0fa77c9d2ffc2acd14ea3b16ba4977791b0cd13fcde288b41d1a3ebb2df4de476e4e2a7c3767db016de6a2

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3008a029921e405098b55882234e4965

        SHA1

        f471edbac44f200b97b8f7fd733c894de2082dd1

        SHA256

        8cb2ae1c62ebaeb9d12771b4b2c3d0e06da60fd3118f42463f6bc4648a4f5eac

        SHA512

        f5a0d0a96531ca832412291e33924ad7df5746a5edfe59bec761c3f82a66baf5ed55a37556502c620f3663aa4a4a648a38b1db87a9199fb704298170c9152fd8

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a0393d01a6d37a5165d723f94a7f35a5

        SHA1

        1ef6f75a8bd818f7288a7cd4388135ef9d8b00b9

        SHA256

        50568d4a9323acecab96e692a9bf01e4a6507adaa03f4fb9766dbbad6c6031a2

        SHA512

        6217d99692e5bb2a58fbc27e7ebc8e182cd8d0dfa46a879259856a25c36673c7e23248193cc6d6c696ae1dfbaa42611ee914c85721296d9fe6889b0ea58564e2

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\Svchost.exe
        Filesize

        355KB

        MD5

        6f3836931b74da275c0da23ba896c234

        SHA1

        c92bb5b72e557d6da806321ec9b02adaa7fdad8f

        SHA256

        f6c4965c3db1a15fed240f6e9aa0373ab93cf55c0447968e9027b600feda1156

        SHA512

        abc5c087429f8872c889ceeb615e3df4439dfafd8a53b5c60d245aaf21692a5ec084d0836ffa4b067cf2993d0fe74ccfc016a6ecb9c2815d69f6c6f59d31da80

      • memory/1228-16-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
        Filesize

        4KB

      • memory/1308-1529-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/1308-265-0x0000000000120000-0x0000000000121000-memory.dmp
        Filesize

        4KB

      • memory/1308-546-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/1308-263-0x00000000000E0000-0x00000000000E1000-memory.dmp
        Filesize

        4KB

      • memory/2992-876-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2992-2-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2992-0-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2992-1-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2992-11-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2992-4-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2992-12-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2992-3-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2992-5-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2992-6-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2992-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2992-10-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2992-9-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB