Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240705-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    25-07-2024 15:14

General

  • Target

    701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe

  • Size

    584KB

  • MD5

    701f55b4d2e78196271782827d9337d4

  • SHA1

    c573d45f4892aa8f1288da4d8d67f8eea16aa101

  • SHA256

    90018ce8dbd4365fc0f100a6ccbffdf204ed8b7c559dc7403dccd39e19a45087

  • SHA512

    c3d4e465a954c79a724eb04ea3c93c2da6aa15522635633cd73d8ad23f6795fb4afa38d98086a6d01129b654a56b372b648b873407cc134c4734a3d5a0f9d093

  • SSDEEP

    12288:RIKulUuDo/WTx/iTr5fY23j6I5TBhOza27y:elKuDoeTY35fY2T6IFTD27y

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

boyscouts.no-ip.biz:100

Mutex

20XNRX50YU5C8A

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Sychost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Game failed. Can't connect.

  • message_box_title

    Error

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
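The extracted config and the signature list above give a compact set of host and network indicators: the C2 host and port, the mutex, the install directory and file name (the process tree shows where "WinDir" resolves on this x64 host), the autostart registry locations the signatures fire on, and the hashes of the dropper and the dropped Sychost.exe from the Downloads section. The following is an added example, not part of the sandbox report and not Tria.ge code, that turns those indicators into a matcher and runs it over constructed telemetry records (the Event shape, the sample records and the `{constructed-guid}` Active Setup component name are assumptions made for the example; the PIDs, paths, hashes and mutex are the report's).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicators copied from the report above (config block, process tree, Downloads).
C2_HOST, C2_PORT = "boyscouts.no-ip.biz", 100
MUTEX = "20XNRX50YU5C8A"
INSTALL_FILE = "Sychost.exe"
KNOWN_SHA256 = {
    "90018ce8dbd4365fc0f100a6ccbffdf204ed8b7c559dc7403dccd39e19a45087": "cybergate dropper (submitted sample)",
    "6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386": "cybergate install_file (Sychost.exe)",
}
# install_dir "WinDir" resolves under the Windows directory; the 32-bit payload lands in
# SysWOW64 on this x64 host, and the 32-bit view of the same path is spelled system32.
INSTALL_PATH_RE = re.compile(r"\\windows\\(system32|syswow64)\\windir\\sychost\.exe$", re.I)
# Run keys, policy Run keys and Active Setup Installed Components: the three autostart
# locations the report's signatures fire on (for Active Setup the value is the StubPath).
AUTOSTART_KEY_RE = re.compile(
    r"\\(CurrentVersion\\(Run|Policies\\Explorer\\Run)|Active Setup\\Installed Components\\[^\\]+)$",
    re.I,
)


@dataclass
class Event:
    kind: str            # "file", "registry", "mutex", "dns" or "connect" (assumed schema)
    pid: int
    data: dict = field(default_factory=dict)


def match_event(ev: Event) -> Optional[str]:
    """Return a short verdict when the event matches one of the report's indicators."""
    d = ev.data
    if ev.kind == "file":
        digest = d.get("sha256", "").lower()
        if digest in KNOWN_SHA256:
            return "known hash: " + KNOWN_SHA256[digest]
        if INSTALL_PATH_RE.search(d.get("path", "")):
            return "write to CyberGate install path"
    elif ev.kind == "registry":
        if AUTOSTART_KEY_RE.search(d.get("key", "")) and INSTALL_FILE.lower() in d.get("value", "").lower():
            return "autostart entry pointing at " + INSTALL_FILE
    elif ev.kind == "mutex":
        if d.get("name") == MUTEX:
            return "CyberGate mutex"
    elif ev.kind == "dns":
        if d.get("query", "").lower().rstrip(".") == C2_HOST:
            return "DNS lookup of C2 host"
    elif ev.kind == "connect":
        if d.get("host", "").lower() == C2_HOST and d.get("port") == C2_PORT:
            return "connection to C2 host:port"
    return None


def scan(events):
    """Return (pid, kind, verdict) for every event that matches an indicator."""
    hits = []
    for ev in events:
        verdict = match_event(ev)
        if verdict:
            hits.append((ev.pid, ev.kind, verdict))
    return hits


# Constructed telemetry modelled on the report's process tree; the last two records
# are benign and are there to show the matcher ignores them.
SAMPLE_EVENTS = [
    Event("file", 2872, {"path": r"C:\Windows\SysWOW64\WinDir\Sychost.exe",
                         "sha256": "6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386"}),
    Event("file", 2872, {"path": r"C:\Windows\system32\WinDir\Sychost.exe"}),
    Event("registry", 2784, {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
                             "value": r"C:\Windows\system32\WinDir\Sychost.exe"}),
    Event("registry", 2784, {"key": r"HKLM\Software\Microsoft\Active Setup\Installed Components\{constructed-guid}",
                             "value": r"C:\Windows\system32\WinDir\Sychost.exe"}),
    Event("mutex", 2784, {"name": "20XNRX50YU5C8A"}),
    Event("dns", 2000, {"query": "boyscouts.no-ip.biz."}),
    Event("connect", 2000, {"host": "boyscouts.no-ip.biz", "port": 100}),
    Event("file", 976, {"path": r"C:\Users\Admin\AppData\Local\Temp\notes.txt", "sha256": "00" * 32}),
    Event("registry", 1204, {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                             "value": r"C:\Program Files\Vendor\updater.exe"}),
]

if __name__ == "__main__":
    for pid, kind, verdict in scan(SAMPLE_EVENTS):
        print(f"pid {pid:<5} {kind:<9} {verdict}")
```

The hash check runs before the path check so a renamed copy of Sychost.exe is still caught, and the path check catches a rebuilt sample with the same install_dir and install_file but a different hash. The DNS match strips a trailing dot because resolver logs often record the FQDN in that form.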

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:976
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2000
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:1260
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2872
              • C:\Windows\SysWOW64\WinDir\Sychost.exe
                "C:\Windows\system32\WinDir\Sychost.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:568
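The tree above shows the submitted sample (PID 976) flagged for SetThreadContext and WriteProcessMemory and then running a copy of the .NET compiler vbc.exe (PID 2784) that behaves as the RAT (autostart keys, the dropped Sychost.exe, a dumped image region at 0x00400000); that combination is consistent with process hollowing into a signed Microsoft binary, with vbc.exe in turn writing into the explorer.exe it spawns (PID 2000), matching the config's injected_process. The following is an added example, not from the report or from Tria.ge, of detection logic over per-process API-call events: the report shows only SetThreadContext and WriteProcessMemory for PID 976, so the suspended CreateProcess and the closing ResumeThread in the sample log are assumed as the general hollowing pattern, and the event tuple shape is an assumption made for the example; the PIDs and image names are the report's.

```python
from collections import defaultdict

# The hollowing sequence as it appears in API-call telemetry, in the order the steps
# normally occur. The report shows only the middle two for PID 976; the suspended
# CreateProcess and the closing ResumeThread are the general pattern, assumed here.
HOLLOW_STEPS = ("CreateProcess(SUSPENDED)", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

# Signed Microsoft .NET binaries frequently chosen as a hollowing host because the
# running image name looks legitimate; vbc.exe is the one in this report.
LOLBIN_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}


def find_injection(calls):
    """calls: iterable of (caller_pid, api, target_pid, target_image) in call order.

    Groups cross-process calls by (caller, target) and classifies each pair: the full
    ordered sequence is reported as hollowing, a bare write as a possible injection."""
    by_pair = defaultdict(list)
    image_of = {}
    for caller, api, target, image in calls:
        by_pair[(caller, target)].append(api)
        image_of[target] = image

    findings = []
    for (caller, target), apis in by_pair.items():
        if "WriteProcessMemory" not in apis:
            continue  # nothing written into the target: not an injection candidate
        # Position of the first occurrence of each step, or None if the step is absent.
        positions = [apis.index(step) if step in apis else None for step in HOLLOW_STEPS]
        complete = all(p is not None for p in positions) and positions == sorted(positions)
        findings.append({
            "parent": caller,
            "child": target,
            "image": image_of[target],
            "steps": [s for s in HOLLOW_STEPS if s in apis],
            "verdict": "process hollowing" if complete else "cross-process write (possible injection)",
            "lolbin_host": image_of[target].lower() in LOLBIN_HOSTS,
        })
    return findings


# Constructed API-call log modelled on the report's process tree (PIDs and image names
# from the report). The repeated WriteProcessMemory calls stand in for the many the
# report counts; the suspended create and ResumeThread are assumed, see above.
SAMPLE_CALLS = [
    (1204, "CreateProcess", 976, "701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe"),
    (976, "CreateProcess(SUSPENDED)", 2784, "vbc.exe"),
    (976, "WriteProcessMemory", 2784, "vbc.exe"),
    (976, "WriteProcessMemory", 2784, "vbc.exe"),
    (976, "SetThreadContext", 2784, "vbc.exe"),
    (976, "ResumeThread", 2784, "vbc.exe"),
    (2784, "CreateProcess", 2000, "explorer.exe"),
    (2784, "WriteProcessMemory", 2000, "explorer.exe"),
]

if __name__ == "__main__":
    for f in find_injection(SAMPLE_CALLS):
        print(f"{f['parent']} -> {f['child']} ({f['image']}): {f['verdict']}; "
              f"steps={f['steps']}; lolbin_host={f['lolbin_host']}")
```

The ordering check matters: a debugger or an installer can legitimately call WriteProcessMemory and SetThreadContext, but a parent that creates a child suspended, overwrites it, resets its thread context and only then resumes it is the hollowing shape, and the lolbin_host flag is what turns a generic injection finding into a high-priority one when the overwritten child is a signed compiler binary like vbc.exe.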

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Execution

      Scripting

      1
      T1064

      Persistence

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Active Setup

      1
      T1547.014

      Privilege Escalation

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Active Setup

      1
      T1547.014

      Defense Evasion

      Modify Registry

      3
      T1112

      Scripting

      1
      T1064

      Discovery

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        02b822fb535418da7f641af09d27e1a7

        SHA1

        8a42f48d4b9a8549856c340fc972f9c7abd16a56

        SHA256

        1819372c78b2057a9ca455c46afbe11157c88953404b2788ba84befd1d7730ef

        SHA512

        0c3821c4a5a90ad331b77fa8d6cb60b1ab47c67f491c05e11ea5f9317d657774d0a6bebc703e684c29f901cf3721430b316292a69c44089711044357b4897771

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5539db9d6933f1c53fcfc2492571fa5c

        SHA1

        eced43e7883907a55cb147cc6aa10f7843c5eb70

        SHA256

        640ffb2a394327e258ed669108c153d7d79c43b5aca2796e6244f286bef12cbf

        SHA512

        191e1cb2b7a3c7a997593bcc0f37a1a7d76061b8106cce16969342739e09d2b3d3cbfa58f5d88b0788190b4a13e946505a96e3e7ec76213c682649b5c17a261c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        38a4a7345044be0a3e2284255c453aef

        SHA1

        0518a5a142b4e84dfbaf0d7cc44538608c66e89d

        SHA256

        e4eb56bccef4cc76b5bf66baed23b259e7c9ce31f0eb0750319d5dfc42f12cae

        SHA512

        40ad71f7966fc69319d2bf75f29d18bca5b320e709c048f57a2ed775ee7565844d7928b41086b2cb2bd4c7cd395642a39d9f98b153f6caaef6aef027c86a4e7d

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        23704ae131884d599596b26dd7cba61c

        SHA1

        cbc3461605da6856849862a47ec748b6e0bf2008

        SHA256

        99cbd9f8d9816ad6bf19d26aa848fa980c6ab28f9df8c7e4176de4b4e3c62dbd

        SHA512

        a909b94aa0c7ff7971431c68897843c54af55a964c2b462909a0c2d01eb6b5d0303743bf814cc8a29bd7490c731ef0d0da7935a6e2b124c56535693f00e20940

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        cf792a9cebff3a0e7245b19dcfe4e0fc

        SHA1

        40f163e07db6cd8c556cb006ed67fabbb216d3d8

        SHA256

        cc5fed2cd70fc94e5f32b8390bebcb606d4abad77479648d2c474a2f5475a69d

        SHA512

        2ced7874504637b93591714edf453a7eaf059c451add95829b478c9fca1cd7bef0ca1de5c5a3f3ef555472ef5d722c381b4ab9ca2e25c521d879d8a98ed238d3

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        36684db9e60a3a61387d25c6d7c3b1c1

        SHA1

        337e63df1fd96c97b20388078a7a878a21a060d9

        SHA256

        1675863ba8eb65ac61c9238285c1a1cf91b6663bfc78ae3341bb9c241f1bf72f

        SHA512

        d5472219cf93208cffff6c688826ea8abeb2aad82f5272e9a7177f2ecdf646e97a7baa55ca087542cae772402ff9d31bb78d92fc081148f05dde98af38d62efd

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        256d0b9644d2f5ea796f6a46b51c71ec

        SHA1

        69a4a01ba3d83d8f5374f7113ea617dfa4f78d19

        SHA256

        f47818c3181bff3959f7f94dcf52a94f8c5ed4b1484eed04a19503684f99197a

        SHA512

        2e02e9867b72e5f1a979ed8fd2bb75b3051f3bea74619b0f82c1f4dd6cbf498947800bc6c697a8de94b6b56935c8337238f16bc1d4c652f8a76eec5693323e90

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        f9550307c3227c83e9d09d7cf16b84c3

        SHA1

        f98963232380f78da14a4b1160fd1ce8652075cd

        SHA256

        374cbfe5ada49979a5f7102ee740ca98bb6368ea3594744f2f481654f7c38936

        SHA512

        7f6fd668de7f5bc6129195e5ab5134d8da5453c878db11827aa101df57aff6d99e9ff25cef624e7e7c5c492bd78700de3afa606423cd7462962acf3721213a29

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8f8602faca6be030dd30e38b3fcada5b

        SHA1

        9a7947f16da43c71a5d0943270baa67bf7cdf607

        SHA256

        55fd9e50b5969f02c95b1e8ea3e1200bc7aa911517d956b7fe3584369d3e587f

        SHA512

        89ddf8577f7b293b17a5b8f558be7fe6a12e6c84ffd9dfdb18333e150069befe27c6218f7c947b4459d6eeeb6627a061b0e86896d899e48e0fe7562e90ee1dbf

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        6c03b2938300ce6f4003a03665296702

        SHA1

        69c1353ec4175eb5ce2dba1ed7e78c7466b2ba80

        SHA256

        e7ce88a941f906cfbc1d393ccd589f6eaa882b71fe71b430e880aaf19e6bf13c

        SHA512

        4161d5d36455e674c9b87573fca8391386ec5db5c52de331cbb264e5ea883c3f9396545b91cad5dcf03ca1e16f20d8d6f607e21b595c51d3dd2e26b73f7eecc0

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3ff0a4391c30c69ac835728ea547d48a

        SHA1

        43e1b3f85d90e6f8ca8e0ed480b059a2bb95cd33

        SHA256

        aebf331a00193f5305a8e74b16901a2c465580051cd55bf0237648e162cc88ba

        SHA512

        815413cbdc8874afa3513634dc2442c7f9edd8fbeedd4b6a6c5aa6e5ae78183c31306f91d81da925f4c339aaf67cb7230b925cf9a51b75a856eb7502d3fe59fd

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5622e8f437466cfe3f28e962ac6c7c40

        SHA1

        c2388b4a009c151f328e4e24e7da77a6e5dbaf4a

        SHA256

        881e2328e0fb763e788474ad9a0f54fb0bd70afbfc9beea1b9fc902d742ec9be

        SHA512

        e5766a61e4cf28b6157588488479d6889239bf4539bd274c9ff335e3cdaee474734ae9c11724549738f8c014ae165bc7200dc17a0f3dadad4d473d4bd6ea15cf

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        1b028e816a205f08ae798cae9bdeb3ba

        SHA1

        9184d77a4e91eb07b91406290efe610f66527011

        SHA256

        4df91ee490c13ddf487c1c20ad445a336043dcf2f8d5bb1850ed00c84a3051b2

        SHA512

        bd0fedb8fff3d18d2d20961edf980ddfeb8624ba5502334ddccaf4241ba2256da8a120a8c2cfa6bd1be09a9aa9ac5d0b47377810355b273146bc7328d6c6468f

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        f868a352660dc2b527debca6f9006e43

        SHA1

        1b9c4900ccd3f4e3a9ea775e5e9961697031ec68

        SHA256

        4ae0fa4d03e472b4c4704a5c5514d17d630403a750c67adedf4d96cb1451797e

        SHA512

        0b02d07c1107410db10297ee7de38b5bcba5049fe4505dc3b5173331607b0ba6766d67b8fcd0aeaceae0b84020ac0c699a3f918c45d2100622721cd41269de78

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        588fe1d132c40257fc592b43dd652b34

        SHA1

        fbe07c7ff57520d78a9080e5c24cbf13b18fc944

        SHA256

        f4c0ec5333d6587fcdd7a7b8d0f4411fe106cffccdcf8b90219e4e698da5f50e

        SHA512

        3b1c984d8fa30ff82bf7f0174a3862ab79140f0d8e103ebe98414831042b4f2ff847e60318f3a0cf7da4230aa9984b4d134a6d477ead8cf4ff49a189d44c0098

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        752d065a1eea2584cd50dbe26e982447

        SHA1

        73a17c684fb8217efef9db08dd278f8a1995c5fb

        SHA256

        9e0ddb47f59fd1759e8cc22196f365449a9a922d1de00d612a928ad63243628f

        SHA512

        d4c38c9959299802d36322e502dd727fbade9ceb7fdec76d06545bb681d0a9f95f9002aff7f3426bf0bced639fe739e96e905d951fc1432826027de5261c31b6

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        11bfd2d4040a3f8f903aea4f0c68451b

        SHA1

        346f70c48dcf33e1fdb23a6696afada1a423e6b4

        SHA256

        3edd78b0684492e75e0a0bfc41f7f84b792ccb9858e7637fb69458738b1bd908

        SHA512

        b1a0e21efd450229fd78e7e46b5a050b7c98d5622f841e61527550568ec94d19108f54adb1b5068b82ccbea9a3c8dbbcb6fcdeb2adc5bc6d7c7a39099517d3cd

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        ecdf68a337cf3c0653214f35cc07dee7

        SHA1

        7b13b981380084e09b0838e82c100081cb2402d8

        SHA256

        64b5c7bbf322d8a1fad522aaf4afd8ddfe8ac0866d583962af4832f13dda4e4c

        SHA512

        2bf5a4cb90c59feee4b8a2ce889285abf593e09a72e747e5c66ecfa653cfa774a6770856b749bfbd34bc26f8368ca45aa167caed6c46912b052cfd775ff54e1b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3f93f0a7d489136ec1cb98e46128de7c

        SHA1

        ebfa3ea231ee6305d47c73d92caa4c7e053a1f71

        SHA256

        ea2717262e4daf9dc65631d0e87ee213ab7cded01432535aae82afb5ceb058b7

        SHA512

        834d5e6422e366ec7408f6794b67f5c24cbc0444da28ae138b4db61c6961e149f9d4dda91ba86f99941815fd69b5df1f9fbd3c95399a183327f7aa83aedd5606

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\Sychost.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

      • memory/976-15-0x00000000747D0000-0x0000000074D7B000-memory.dmp
        Filesize

        5.7MB

      • memory/976-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp
        Filesize

        5.7MB

      • memory/976-0-0x00000000747D1000-0x00000000747D2000-memory.dmp
        Filesize

        4KB

      • memory/976-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp
        Filesize

        5.7MB

      • memory/1204-20-0x0000000002120000-0x0000000002121000-memory.dmp
        Filesize

        4KB

      • memory/2000-320-0x00000000000E0000-0x00000000000E1000-memory.dmp
        Filesize

        4KB

      • memory/2000-561-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/2000-263-0x00000000000A0000-0x00000000000A1000-memory.dmp
        Filesize

        4KB

      • memory/2000-1552-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/2784-13-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2784-9-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2784-8-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2784-3-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2784-6-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2784-5-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2784-14-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2784-4-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2784-16-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2784-10-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2784-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB