Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2024 10:33

General

  • Target

    6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe

  • Size

    355KB

  • MD5

    6f3836931b74da275c0da23ba896c234

  • SHA1

    c92bb5b72e557d6da806321ec9b02adaa7fdad8f

  • SHA256

    f6c4965c3db1a15fed240f6e9aa0373ab93cf55c0447968e9027b600feda1156

  • SHA512

    abc5c087429f8872c889ceeb615e3df4439dfafd8a53b5c60d245aaf21692a5ec084d0836ffa4b067cf2993d0fe74ccfc016a6ecb9c2815d69f6c6f59d31da80

  • SSDEEP

    6144:Ka+mOBCVId41u6S14lqG4JtzD2FuGgfbV2GQVnhXRuKk/OAn6l38kMVcCUge3Il0:CPBCVI+uPDGGguG+gbuKna1cCU93I7g+

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

rsvirtue.no-ip.biz:100

Mutex

62P54T85F88414

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the UPX open-source packer or a modified UPX.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3468
      • C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1324
        • C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2200
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:4132
            • C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"
              4⤵
              • Checks computer location settings
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:3632
              • C:\Windows\SysWOW64\WinDir\Svchost.exe
                "C:\Windows\system32\WinDir\Svchost.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:2272
                • C:\Windows\SysWOW64\WinDir\Svchost.exe
                  "C:\Windows\SysWOW64\WinDir\Svchost.exe"
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2968

      Network

      MITRE ATT&CK Matrix (ATT&CK v13)

      Persistence
        • Boot or Logon Autostart Execution (3) T1547
          • Registry Run Keys / Startup Folder (2) T1547.001
          • Active Setup (1) T1547.014

      Privilege Escalation
        • Boot or Logon Autostart Execution (3) T1547
          • Registry Run Keys / Startup Folder (2) T1547.001
          • Active Setup (1) T1547.014

      Defense Evasion
        • Modify Registry (3) T1112

      Discovery
        • Query Registry (1) T1012
        • System Information Discovery (2) T1082
        • System Location Discovery (1) T1614
          • System Language Discovery (1) T1614.001

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        4ad25343faad756fedcbde96eb9e07bd

        SHA1

        6a0a20811193fbfda51e22a1f5c7419b05f9d336

        SHA256

        bf9e5d321132f7544f0a078038a556255c30bc96e03f474d2c36ce781c439a8f

        SHA512

        4bd8f0244c7d1bae3c5fbe65bb3225fd8a628a6dc96ad8bc9012245d1e5cbd66328967acdb23ed680bca61a35a6993d2437a7b04cc209c656226c642c4055e28

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        18b7f42e98f37b3a6cddacddf1536a95

        SHA1

        aa57b695062605ac773fa7211174794fa1421049

        SHA256

        3db76988244abdf9aea7df1e54627375723cc0d10e2675742cb1e7a6efb1f331

        SHA512

        aaefdb5761b347cdf5a6901a000d3cb33a1f8fc1039af455035d4048a0d8bbb051b7bdcc7dc31cb63ade3dacdb948fd5a0e172ed39dac63fff1714fe46ba6750

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        f87689c627359b9729898069ccdb34b0

        SHA1

        fcdc34a99b7755b9ba4b4755122503276ecf1762

        SHA256

        0908f8b44d468badaba014aca56ec1a98f5f96afd25149c58030d962e75188b6

        SHA512

        de36b43aa0d7914afe152b81a0c297d6ece6818531b0c6698cc4c52e246bebedc870b9727fa5e41c3b4c50f12fba33feafec11a0ed63296bd76b241c27b51cfe

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        200d99b3439f620937b446f067e247ce

        SHA1

        b265f5e6ccee538d1b1e12811275a485b851345a

        SHA256

        f28b7aa05408485ff72a6840d35c62d052c3b2d25eee472e2fe5a6a48ae43932

        SHA512

        f2512079394e262e663d7115e29eb671c8738fbca193eb7c009ea2e0e26dd07477b793a0183bea675e1609fad8992bb272a9424658693bc7a55844de2bd95185

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3772ea5b9fd4bd602fff440f00f146c3

        SHA1

        bfd8f277175468d2c2366c0b8a3929d25c085a5f

        SHA256

        602d16e820943123907f9fe83629f9a32b09db4952192899700c7cdf277d4b14

        SHA512

        36201339a309023b80cef303765207c3a2a251a2ba42ad6cca2ad8a0ba8131c53dcc8cd67ecd058a0d32e8a07b505be5b0692f5986972e31e89fca04cc25fb6a

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        c3caccb28d55a5235f15762346dd8154

        SHA1

        53ff40868e0d9cc415f9af935feb287480c90bc6

        SHA256

        2518b3d64da31c91f80f16ef5f48d304343c40d827bc0f97dc9a6e8c517764a8

        SHA512

        d9d4cce069a1944a40649a8b1cccc02471fbfdeef349d75ab5bef5a02a6698d787fd1a998dd0e4a0c583e63cc3385c06a68832fb0b50030d15ceb05ec85dd45e

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        fe16f783aff60ed6941665f28e7478c6

        SHA1

        69fdb5bc3a32f75a5b3e484d69e27cb218180c63

        SHA256

        aabe9f609eb335de67e543db351a71ac8f8dc0ef26cf1b295e31138d4213a5eb

        SHA512

        b6a845d86698f85214a8a008ae967e9626ca7eb1e1e7ed848f3c57bf5196846c03a24e9db99ebd870e2a35c90e97f625ebc14cd8728a6b54f7c393a6c64c946e

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        399749b3acf1ca110b6fc3eb815f19da

        SHA1

        045bf6f6d833df0ee5d35314653ec9e00e620036

        SHA256

        da843b07d962d1a212bdc5f2942ae93a1b7875a7a0643e8dcf18e8eba21e0354

        SHA512

        db946d4b2a95516ae91d6d172eaee81ad4dcc9221e1b3ab71ab25a13e32a3805eed5f3752b45d8b88def88a67ca9ed360cca7bba141be143f0149f011fff1df2

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        bb3af1bdc428c106d87d3c68b1e3114d

        SHA1

        fd88023734f75d3b86145df418ad12cfe1faafe5

        SHA256

        966367de8358b40b7a92137dfeb3d86ab13127917efb78639ac9e86bdabefde7

        SHA512

        bae928d9c746226acc3524c563568ceb5abf3b702ec97d393de6866668b587cac38718694464f644a8833bed74dade2c1227dd99bc3347e79579dd99f615fff3

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        b8648e44cc3c09f747edd0326b372715

        SHA1

        52c205b925b9f153398425fbb73781661bcb91c9

        SHA256

        25c9854ea3bbcfe6104cf151e758527a50ebe37e1d80f4722ea601241105a25f

        SHA512

        def326152b374154ca48d800e1b78edbd560343413f799001fec066fb7d5140c8c7c5a0b90470a739d2fcb21ab0087677eaba70e11012937c11b3b422e53a56d

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        74a7a14333faef1fa8d4244eae6d2c25

        SHA1

        d70bdbf6a95bd7b09f4b09676c569cf40a872b76

        SHA256

        729dd58c858563c50eaf812e08f95760103bf74d5e14aef1cb73ad6f0e1a2187

        SHA512

        4e2b314111a6d126b85376c036eb3953352e5f33947dd5bce67f74d9b6f7b5c7773db3f1ebb5b94127ba3791fc9fce578d81b23b91cdf73f9a7f4fcda8761d65

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        c170086e536cbffd557ee85b37d9a357

        SHA1

        ccf8ee4801bcd9d2a098378add785284c9ec3275

        SHA256

        ae1e6f4e751137284e68aeaf3302339780127e7c8c48fd4209050aaf4b4f29b0

        SHA512

        55e54feca07d5659c967894d60cec7b36d59c28ed346b03a28e3b6696fe7aad2062413d172ef9616e1459a9985379a617ff4318926547b6e5dd7af429ba2c4be

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        2f66e88632041499549cf8cdc497c067

        SHA1

        976088a57f70b1fb82d056dbe97bdb83fa2e0800

        SHA256

        a395fcba7f9457ad739b0aecd72604bbfabc284bac610c99a7f080e000038d70

        SHA512

        25694dc3392242c2e9157f44d8765efdae75951b397e231d4cd7d439d7b45097692c5f91a31e27c0dd7bb68b11a15b0350bd7c6e15c0be342a225290dec848ef

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        ed91ed0c991a291e3fc22fbc68bca9e7

        SHA1

        9bec6b60749deeb77658c1ebb7a4b7cbd332da3a

        SHA256

        70b97550ebe688938767182f1e1e74f62f70c36f43b22271d262521715f63ce9

        SHA512

        ef91375f46200a26710984e3b75d3f6e1575f74e7d120d79405fe7a776cdfda9d75b1a04c84fc63a6ed8c3fc0c4063c0dc4a9a3ac753191343d8f8fbca6f13ed

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0cb6a74cde8a9d9a88aa838b082d30cf

        SHA1

        cd947281aa6a273d918f92e85188d1a740b1118d

        SHA256

        7798dbf2f0ae5d47e769ac63337fa32d6a15d08eb90657bbe039a493f1125e95

        SHA512

        d363a6a2dcfd6ac3681f45a66aa73bcd8ed01721c79998ce4cb7fbbe9dd8eefc6d98cca00f050a08ebea81d9809bdd2727a0faf34139da883684e3c045d502a1

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        45914403cc303387f919f3ef255142e6

        SHA1

        2d90e0b0afded36ab6b814533b70b4eb6da17924

        SHA256

        52eceba7991be47e636d3d3adfe030e0ec50a3df6b6b8f4919e928fdf8ad8cf4

        SHA512

        267a96cecdba8b51279a007dff63bf69a9f8b1c8ba736707cf27af04175b84dfdbb7303a2590a6507baf62942aa59880788f0dffb1e662dc87e14e03da099ccf

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        45bc754a263581ff8c4ee99fa6c0a9f1

        SHA1

        cd68423f0507b7d06ff35fd77abd913c7d38a093

        SHA256

        953a8c1f33dcaa65e260b73b131ce48877b8adcc024bfadc1d26c16819928f23

        SHA512

        3c69ac1b5ed4c40d7326c998c5744eae68e559a4490e1c6b96f57ca8b3d0897a80108e48e1c05691d169a9035983e6f3d577f67c0459eeea232aa51381cfc389

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        937e0d045f79c6ff540b9d41387ced77

        SHA1

        c6b697171c9b1959b5df524cec78e1af3fab1171

        SHA256

        4b7b57f2cb16d5a70ff5894e779beb3d1b2769835e6f6c002e2e4f1a28a43ca2

        SHA512

        eeacd723ba180391406a5348095c88fc15b4bf119adb625d561e215c1af6c07f31cd25abfae6532cd839ab93af54b4bb4e7fa452d27a4d4d559c67f62b3d032f

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        74b43dd320eac9d1c4ca725a4203cd9c

        SHA1

        1f519027f25556ce477a9f7f161eefc0bbf0286e

        SHA256

        739aedaed13eb3d993f87225837c13b8dd9d6182377c57fd892300e03f3e01f8

        SHA512

        23a2d706085db9dd2a381e5fe12c218556ea97258719f5923995c7accd533674b3fec33b4f87224f037af3943ef0f5c2d271b2842505c56f49498102591afe6a

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\Svchost.exe
        Filesize

        355KB

        MD5

        6f3836931b74da275c0da23ba896c234

        SHA1

        c92bb5b72e557d6da806321ec9b02adaa7fdad8f

        SHA256

        f6c4965c3db1a15fed240f6e9aa0373ab93cf55c0447968e9027b600feda1156

        SHA512

        abc5c087429f8872c889ceeb615e3df4439dfafd8a53b5c60d245aaf21692a5ec084d0836ffa4b067cf2993d0fe74ccfc016a6ecb9c2815d69f6c6f59d31da80

      • memory/2200-72-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/2200-12-0x0000000000970000-0x0000000000971000-memory.dmp
        Filesize

        4KB

      • memory/2200-11-0x00000000008B0000-0x00000000008B1000-memory.dmp
        Filesize

        4KB

      • memory/2200-1007-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/2816-0-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2816-7-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

      • memory/2816-3-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2816-67-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/2816-141-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2816-2-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2816-1-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/3632-1464-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

      • memory/3632-142-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB