Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2024 15:14

General

  • Target

    701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe

  • Size

    584KB

  • MD5

    701f55b4d2e78196271782827d9337d4

  • SHA1

    c573d45f4892aa8f1288da4d8d67f8eea16aa101

  • SHA256

    90018ce8dbd4365fc0f100a6ccbffdf204ed8b7c559dc7403dccd39e19a45087

  • SHA512

    c3d4e465a954c79a724eb04ea3c93c2da6aa15522635633cd73d8ad23f6795fb4afa38d98086a6d01129b654a56b372b648b873407cc134c4734a3d5a0f9d093

  • SSDEEP

    12288:RIKulUuDo/WTx/iTr5fY23j6I5TBhOza27y:elKuDoeTY35fY2T6IFTD27y

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

boyscouts.no-ip.biz:100

Mutex

20XNRX50YU5C8A

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Sychost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Game failed. Can't connect.

  • message_box_title

    Error

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3816
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:4504
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2436
              • C:\Windows\SysWOW64\WinDir\Sychost.exe
                "C:\Windows\system32\WinDir\Sychost.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4308

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      • Execution
        Scripting (1) T1064
      • Persistence
        Boot or Logon Autostart Execution (3) T1547
        Registry Run Keys / Startup Folder (2) T1547.001
        Active Setup (1) T1547.014
      • Privilege Escalation
        Boot or Logon Autostart Execution (3) T1547
        Registry Run Keys / Startup Folder (2) T1547.001
        Active Setup (1) T1547.014
      • Defense Evasion
        Modify Registry (3) T1112
        Scripting (1) T1064
      • Discovery
        System Location Discovery (1) T1614
        System Language Discovery (1) T1614.001

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        02b822fb535418da7f641af09d27e1a7

        SHA1

        8a42f48d4b9a8549856c340fc972f9c7abd16a56

        SHA256

        1819372c78b2057a9ca455c46afbe11157c88953404b2788ba84befd1d7730ef

        SHA512

        0c3821c4a5a90ad331b77fa8d6cb60b1ab47c67f491c05e11ea5f9317d657774d0a6bebc703e684c29f901cf3721430b316292a69c44089711044357b4897771

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        50762ce8d681736fbf830221740b1dd7

        SHA1

        fb991260b3bb525e7ea6b67cb6603ccc5740e51f

        SHA256

        a430608d5bf4781d4fb0cd845552ddf27ab03bc363c7e1aa312b980724ae416a

        SHA512

        0b6b68595852a8f9ab56bd2ed21fdf9d1ed122cd2241d73e611845ba7546e6c33b7279d5a446491281264bf5b984894047a6d4b4605fddc18cdf9d124e6229be

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        efcdb671dd5036b9bc8dc59494e56007

        SHA1

        138ade14e4004eb80927074942675b332a1647dc

        SHA256

        1924c743a715a2ee166b9f061779a5c24d447c5c2bb68fd48106daa0daad6b22

        SHA512

        728e4cdba4780adf083b8eed30b11d75854f67493f8f9097669fc27deb6122ebc47a6b015b4f9430cf49cad43ebe33a0dae976a7fbb25ee9e4cbc8ceddd7d65f

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        128528450d492c8ef7e3f05a16c29853

        SHA1

        a39a7482773696ca1bce078b03af8f226d34a469

        SHA256

        5be58541b77a5d9e2bff46bfc28f5397ddb180e784baadfb2246034ba7e40536

        SHA512

        3007f3871955d6d68c1adbefcd513d1e7505b8b6110af42d0b3ed9a6046c4c5254506b497247102a2884b58dafa7df613ede1643f9ac33c229676e9294fbd5e7

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        ef0e8a082f6fd5f91cfb59bbdd325acd

        SHA1

        246c2c5b4b392d12d5c5bbfa0aef35faebad645d

        SHA256

        ae125d2982f99c3ba208a8bebcf00a17290090969b442a5192fc745cc5990a9e

        SHA512

        f5641e9bf71036d1c8a6ed85c218a9e1766bf5ef6daa1c021e6338664b104c896d9f1c7365fa1f070fb44b0c066ab5f7420ccd1e7e1736f3c041a292dc313737

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        9ab4bdc6ab85fe2cd3b8fbc94af90a72

        SHA1

        5e389dc8947a84975f739572402cc54f81c1fa0f

        SHA256

        4d69be7360f8c8ba2d3b934decaeaf54970f9d3d1e1631cdbec6f914377053f1

        SHA512

        1fcdb5b0971a6fc1bf19708775e7c55e019f2bb2a792d29485f078bcacdd40d8b3dfd6ca0e54d250d39a8c6285a9e358918fccd8a99fa77d955346db7a5c81a9

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        82bcd98bb6c7d5b189663ae81ea1af06

        SHA1

        7c2fc023803f980793566861124d2acd3a6851a0

        SHA256

        6d8f51c3c4effe9795a798fa871239f855ef2a41e9b67ac46724940690e09a4e

        SHA512

        90f638936b3fd725a317508b7f5ef480742067851bbd6012ae0ee05ffd95b2e17eb730399dbce23453ffa24348e905d77ef7822f7986ba7bc697f28c8274e411

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        7f2edbfc3f34bd608c82cb09707dc1f0

        SHA1

        57aa21596b6775868388ecbe010b755172d63fa1

        SHA256

        7a053b76e189c623a2b5d86cb6f426d59a07ad6693f79572d631e7d7b1038ade

        SHA512

        03ec1c700eeca6d1d2891f2d86b1c83e29d02c62a5ece91bd2283b5fe02a6abbcc1d4b6c1d561f335fe3636bac08a9428dfed713b8ce45d42cb8da5ded1aeeca

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        912db37d25be48d4e9b9e99855401d54

        SHA1

        fb59ebe94a410ea30958287ccec4ab6d3fb5d16c

        SHA256

        e1ab5fdf81dd40ee53fb6fc468c2046cb2341a82c98c34e85a555f5407957213

        SHA512

        4feacad653c852f8af04429dc6cac3519cd1dcd27236a1513902a931c671a3e88712a0fb7c47d690f3e8b665938219fcf8c0e9de4905d900ea79876260349ad6

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        4e6050546f0c1264d52776880f3b4c3a

        SHA1

        d9dbb984526cb209805e1a67be772d52196ab791

        SHA256

        bc842cb38c4e09f794df08095cd6fdb581de432a0872c8820ce0e82a9551cf32

        SHA512

        e99f9b24f34494d54ce62d5d442a68d2413962a3411ac5cebcca7220166fef937e21cffbc74404e36df0bc5b44c530665cd156018170f2b6a6dff8a339611fcb

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        351312f27bcbb572a6ee4070333ae370

        SHA1

        d730ebe5861192a83deb3c42a037af37790035b2

        SHA256

        368e3dcff7b855b5bbfb655d8d99e19826cd4e63dba9dfbc3b77062a088d59dd

        SHA512

        e0b3f475ac43885e12b7a29050849f02b51f0f1bbe9d41a1a33f7871f546ed98c1ed4b2b0bf334eaec9746c2b03ebd7a6ab058b66e7b572c7dbc6cd29fe764e6

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        899e1b9b59403963922ae093f2982501

        SHA1

        20bc8215f00435d5477ae7450d0732193c99cf3a

        SHA256

        de48a3bcc1820e16fa97acf5aa37d1b157d9282a944fd810ad6800ebef37b48f

        SHA512

        493cd3fa3d5793c67a782d23dfdb0bb4110c4086786061ba63a137e5532003640aa046f61201b4774779de265fc8003a3be136a64c89bf44c86285f510702b33

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        49ac65d86aa5842bcc4bf494ca3ad82f

        SHA1

        70f28b61f36c5eaa80e3265e7b7ad4cdbb2c7ef2

        SHA256

        333100de9a59f46a6818182e744e7ce4e30bcc6b7d4a88535cb3d48ce79381c5

        SHA512

        55eada416ab40aec5b3c2bfeb5bfe57fa9d7838e7c4ac26a25577da45a19e3aded26abd8190ab588ed91f163ea856fcd9e409ad57a681cc8849d24e660387a9d

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        44bd46ebd5cc7dc2f335563f23f9ef75

        SHA1

        289e8739f10716b204e355247aa3c48d48dbcb70

        SHA256

        3f975cf9ed2c5ecc904a0de7173795b65685b07534fe7423f286b2bac5b55469

        SHA512

        aa85424e8d27cecf52475bc0d80ee50c6e621d5c4ac2792d1999301691a2c626e20f5c35a3bdcc3ef47f34a023e8250858cdd6d3538e3a6c841f92093ced59cc

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        49e2e980cac33bfc6ef196fd3368d8ac

        SHA1

        f428f667ef9622593c93e0da1ca89631f615503b

        SHA256

        d52826aa05e0f901495ea58a60eb7436b59afe83b110c2db4ee916962cf50db0

        SHA512

        fb45e2304e10b8d97369a9a5eb08e422b545c376b36a14e4acb3914430e5c3002b30a737e8afa65441633fac86e456adc09d60da3d4cab95687ec0f12e40bb75

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        9b03cd6f0fae4deabc99c7c978dbad45

        SHA1

        71eace1080098aea38afb23a01eb8ac8bc50c321

        SHA256

        fddb7dbd104b05300acb1f50f7046344bb531bbdba43854a0e8f1667a0542fe5

        SHA512

        b2dd01dec71970bf5c449fbce022026c5cb4baa3d0d568d88e1f3180519c1850d88244507af0573562ba895db598b2eca9123dbf888dbf93cf8fdd6cc510f848

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        7decf2c502411b1a4755463669533fa0

        SHA1

        5f09f8e326afa05007c20fe40a8d13727da65315

        SHA256

        c073c5556345cdea0b8ce0417f5860250e0fae4ea11819d37c5fbc0261f62995

        SHA512

        2abbaed20e31b529c35f8d5edb3b34ceef3f4a4cb123bb6558cda300e54e8138c2a723a008dad97d024dd25ed8ab80b4fece9277fd5ea99b03d2483ed67d2126

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        c0b393ef3188e7415d2de53e7bb4f564

        SHA1

        f666b5b5b84d94831ca155b2e739e7c0c1aa4995

        SHA256

        d5a1666d439ee81c1868f9151a44fff95a2bd7c917d6e1c143b626db060b2c6e

        SHA512

        a9c84547d186a372f23540347e6f3f4f269a480a9c5104a39e695188b9979c9ae1dc4491f211d1d993becf50f5c46afb883a8ab856d8100e3b138017e4f5fbea

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        05d080458caf399767a482e9afae1a74

        SHA1

        e54a36fad411ed3cb10a7c1b0957f955a585177f

        SHA256

        269ebcacfa83091ed512b7dc4fe5434e4f4ce9f61f8127e5f59d6ca6b4ab90ad

        SHA512

        8c0489cf5562d4879add905ff2965c4a2835fa0e9bfc0aa052a8b221d88a2e877804e3be374a70513fc5130dae802641803a61ceaddc6316aaef3cabbf9264b0

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\Sychost.exe
        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

      • memory/1708-6-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1708-3-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1708-12-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

      • memory/1708-73-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/1708-4-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1708-146-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1708-15-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/1708-7-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2364-8-0x00000000753C0000-0x0000000075971000-memory.dmp
        Filesize

        5.7MB

      • memory/2364-1-0x00000000753C0000-0x0000000075971000-memory.dmp
        Filesize

        5.7MB

      • memory/2364-2-0x00000000753C0000-0x0000000075971000-memory.dmp
        Filesize

        5.7MB

      • memory/2364-0-0x00000000753C2000-0x00000000753C3000-memory.dmp
        Filesize

        4KB

      • memory/2436-1459-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

      • memory/2436-148-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

      • memory/3816-17-0x0000000000C70000-0x0000000000C71000-memory.dmp
        Filesize

        4KB

      • memory/3816-16-0x00000000009B0000-0x00000000009B1000-memory.dmp
        Filesize

        4KB

      • memory/3816-30-0x0000000000210000-0x0000000000643000-memory.dmp
        Filesize

        4.2MB