Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-07-2024 17:04

General

  • Target

    7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe

  • Size

    369KB

  • MD5

    7079223f4284eccaa190e7defa1153cc

  • SHA1

    0cc9ac32371e837b5006f4a5a39bd80178ca339a

  • SHA256

    17977cf4549f13807702f1298b9111455e7df56f948f4d53ea1ebe6441e54a14

  • SHA512

    b840209bde31000983c691dc4eb74b2eef7395fdf062b7a9726b8b276264777e434b52ead2cdc9e837574fd9a20ba174df8b04afa9ed4ca731ab2b927991557d

  • SSDEEP

    6144:GStXQhoyq04rVmZ3k4cSbgzsdrVRRetrEpsKHAK3m+jDt+YTvLRUQSOObAIASglQ:yRyBUnZ4urEo2PmSKu44Fkm9U

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

1yop.no-ip.biz:100

Mutex

7R65OQ0XHTGJ73

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 6 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (10 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2288
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:1548
            • C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2632
              • C:\Windows\SysWOW64\WinDir\Svchost.exe
                "C:\Windows\system32\WinDir\Svchost.exe"
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2864
                • C:\Windows\SysWOW64\WinDir\Svchost.exe
                  C:\Windows\SysWOW64\WinDir\Svchost.exe
                  6⤵
                  • Executes dropped EXE
                  PID:784
          • C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
            C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
            3⤵
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
              C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2724
              • C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
                C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
                5⤵
                • Executes dropped EXE
                PID:2572

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 2
    Active Setup (T1547.014): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 2
    Active Setup (T1547.014): 1
  • Defense Evasion
    Modify Registry (T1112): 3
  • Discovery
    System Information Discovery (T1082): 1
    System Location Discovery (T1614): 1
    System Language Discovery (T1614.001): 1

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        ca46c5f9060503c809cb6e70f8be3a7d

        SHA1

        4565db2ccc1e874b3db4982d56604f00a105a9a1

        SHA256

        16d3c4f7c7407f1f662c694d24a87abfed3faff4d899cc5ecb125ea0c9967009

        SHA512

        a5fb6f2812174abdd936fafb52e469b845116069273f04d6e4be12602a6bfcd2f9363db0c5c619385bdb7832996d8b7b3f0bee7449e44406f3f49600f21f6514

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        64b1db6a7fee77b2b3a2a1a88d012e22

        SHA1

        5557d5598dde960b617e09fa5b9fd7592e963442

        SHA256

        bdb65c9986c08f754ed47e47d8510b3e0ff448c71347b93b5ecf94a1b829ef76

        SHA512

        b48a8a1a597191a6b078bb364c00a28e91c06ae8e9bc009032a20c1013a93edd5f126aaa67331641e61be6a7a7541292117b3251ca75203563aeecac7815b859

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e10b0fad19664950ed7825b7bc14774b

        SHA1

        c3f27ff9a735091953cb51caedf66d68d382106e

        SHA256

        1473d289a4dfa02654a355d32b15f3a6b31bceaa40eddc109c2fe347609aa4a5

        SHA512

        9ae73e7af4ef0ac35d3519de4039c08a39011304d65a6eee43d928b0868a8022dac0a6ba16f3a7f63839a6a970a12bcea7c1de0eb5b7ecee0d9c41bc06caf6dd

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        6829b37bb4b7580f13a7ef2d74a6b7f5

        SHA1

        5798032adcb64feec5ebc945aa6904df873d3974

        SHA256

        3b107b880378cca694b576bad8c959c54153f1f7b3b5532a0426d51c61a1fbd3

        SHA512

        9a6fa4e50a8b04939ceef6cd4bf3fd6896f1de85b6ad330901f27dfa2e1ff3661c62dcd4d1447e349f6af40721c4fbd33972d73272759ef146794d2dcd740f5d

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        50d2e034971354d81f6291bc1ea0cfe0

        SHA1

        d9153d29eebff478b15c8421348d275ed278b234

        SHA256

        66fbc608152b68cec90a496074226e34fbcb763b8755f6d552fc05f885a3e72a

        SHA512

        dcde586f6c3367aa8b6ebeb793483f220dc2d20053a53b632902be627034fddf7d264f2c147b833e226c3ee5121dc3db348977db68aa3a88cbf6cf7d766cb873

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5dada78ad50a4b4c503b79cdcc074f3c

        SHA1

        ef3f58e63c5a04864eaf014e6ea2b0ade7f44cbb

        SHA256

        93cbb9ac22775a860530e71b9343024e34ed8711ad91e1fdeb96d2b76171dcb6

        SHA512

        65818cec282c0c427a3313e58f4ae02e0029a0ef94a0a00ef1f65a39dc44e1ba93113e39bdded6edf661dcae9952fa0d8ede924d184bd14d01e29bd2f09e7c2b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a8ca0efd1a9e5f2429f7f9cc253178d2

        SHA1

        161fc7e0d2c6ae99b1d1997d2cfa82c0018bc141

        SHA256

        b42d338c40c9eaceda89263544687e10e975fe992dc860894d6c37461d5e8ba2

        SHA512

        3fd6f19f4eac17fbaa14172396a5d148999c01bc28d190f93ffdab6aca1dc56b53fa2cf1b960d1cefe5fedda5ff699bf55f8893d34035776c0583b36f10dac84

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0ce489ada6b851cbfb7ef59ede511861

        SHA1

        c0f243b529353225bfefec2d7fd03e6fafbe31cb

        SHA256

        8ea338910a2d42ebb00066d5fea915ab674c2065822a1ead5676e2da1fd95da8

        SHA512

        7a6d1a787567675d57bf671bb8281e1b5813ab426295fa19704d6aee8f479ec631372836d1481295dcc6a367f7ed6405dc6f7f30cc8b584f00ddb94b1788f49b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0a09f8aa2587b1f466bca2a46e0a68da

        SHA1

        177e62c81e708ecf6e3164043c441bec1d868024

        SHA256

        b1d8378d451fce49397694c93657a7be384b8798efcbc05b7d97593c3103f96f

        SHA512

        6cd65caa3574a5ac93e534a8ed1d7859427709919a8f0d389c16fa20e256ab585f4e4def269ea0ffc2be935f7b5d313d45afb337422fac658070eb106c9469b4

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8cb8f619cfc22fd1b29e27123c637a8b

        SHA1

        957d6b8559b8b5e0ed53bb4297c0e15e23254559

        SHA256

        990d4e75f202c94f0977b854dd60713d58b1549a046a02d9a4cf3eeb1b57e585

        SHA512

        d27e4cfd84cee0e55421e5311830e12e89217d14a6330adb11815ae95947e89329de304c449eee729b53dac400bd42d7a336ce4bad882f36f13dea42136fee0e

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        9b91a20dfb5f69d4468ee5ca2cd59b6f

        SHA1

        dd3f53c5b15cdec665bd7961dee4142f4faf29ea

        SHA256

        774964dd68ec19f8e688e4cb5eb6cd75566ea81cea6d5cf522efef69f58506ed

        SHA512

        d5b5252afa376ba4d17b6fbace5ff0585cc6c926793a352fc77b6f5793b318146bd21cea6914bea6d20c83e956bdda9c148841fff7987d2719b2752dc3619140

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        11e0d5d61359f3d6f8afc49e832ea55a

        SHA1

        5e53fc33ef2a73c2b8479b12e46ed32e26e2b89b

        SHA256

        09d21085ce69f425cc89c04b37036dd78e3c4949f0c30d098a13409b9fcf94c3

        SHA512

        f4e26a3c1fa4d2b47d3f90b7e13936b06498aadcdb33ddb0dce96d12b1500e856109855e3f43f9435ac8fd03aee0ca48fa129c86d19c364569ba360ea15f9393

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        98c97d3e37e2ef2917a136b625c61dbd

        SHA1

        e802fc7e6dfffb469e43c6be1a6ab28e395e9729

        SHA256

        1f5e742550d0fb77391d281fa8e2ecdbd66c24c4d70a08764f560037b4027b6b

        SHA512

        edf349d1cf361f60545a6bd539fbade1b3fd8022fbb386b5e1e40996008798c2a6293d49ff727f2903339d42687663c48dd334c87dee9da2ffaea7da8f68acae

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e7caf83f9b54eabea651f2528b207fc8

        SHA1

        9cad3ca5939e6e4074da809a05193ee6a3f0520a

        SHA256

        72330c61c04b34f8a91d5303cefb6bd6b2f143194eb475c1c561c3fc829e8e87

        SHA512

        c97c3e59526c2d96d3c665e98eb1095c7fc8781054394af84dbeed191afe058e37ff8904a0aa9184194f7fc3a337055b153079cb3818affd9794d2bc3b4694fa

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5cfe0454657d064d7ca796d99fee21f6

        SHA1

        d423f713b0a8e2ea0d8e08fc0a694d1f809d35a9

        SHA256

        c745feac7b33643008992bf5a77c3a2b1ce3bed35f4e5604127e52fe89fb60d5

        SHA512

        c1d4491115571a54851f54ba98f4365846020cd8810a4e5dea0ab8b55ecf3ade25c9966de1af2074dc5cef7ab2bfcbb08414a713adbc4178ca6d5c9f2d2df1ee

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e31f56294cce6ef59cc29c5b56882d40

        SHA1

        817637d02594616d3193e2435e9edc2369917bbc

        SHA256

        1c01a136ac5ca620a9fac95b32373a7dd8948bbb4878a91264a44a5b7f81f388

        SHA512

        45b4f142856b84401efa44dcf6094bb9c19521b699436a2f19f991f07ae37d231fe71eef7758a483f55b98422784d2cf54644e5fe47ec46ef388616c64ae0ed1

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d2a39291951a0aa6c85967822dfbc66a

        SHA1

        163782dfbcff565d1eef2a171766b0a7c367df71

        SHA256

        6dd2d9e53c559bfe5bef373f82ca5684af26409bba7e9fdf082704b1b5d93b32

        SHA512

        4aa856894ce4ba9a712326e59234765298071a835415789d76bc0c32742703dc1a1964206fc4e32fcc37b6bbc98c003e0d66779e7cde2597ebab51366207e5cb

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        03be095ced0331678ffa8b8954d9e1f1

        SHA1

        576c200e840edb99e28dcceb26925637c32c3af3

        SHA256

        237a1a227e604535efd2de4ba09875b5578e6cac8ca44412fd8fad8c0ceab126

        SHA512

        e0b01e872cf343c37a459f76afdec9dac3d3d33e3f387e128c05e426682f3fb3742995b1d25820bbd707639f1b4ff85465f9e5b1aa87cedfe0ca10ac0e9fc856

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        857e2059dcceeb27104604353ada8a3a

        SHA1

        175adac9962285a6d1d439c1c2cce414ed88f291

        SHA256

        690b83ee2db1e50872a5ae21bac72455029a6042797ab55a8a8a9eccc240f774

        SHA512

        d8fcea2e6025ae4c77071733827dea4cc8d87ea45e8696a28fe69a87a6d4c1a330ddd02f2c96545901984f40dae539432eb5b0944ff1bd477608659af982fd6e

      • C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
        Filesize

        369KB

        MD5

        7079223f4284eccaa190e7defa1153cc

        SHA1

        0cc9ac32371e837b5006f4a5a39bd80178ca339a

        SHA256

        17977cf4549f13807702f1298b9111455e7df56f948f4d53ea1ebe6441e54a14

        SHA512

        b840209bde31000983c691dc4eb74b2eef7395fdf062b7a9726b8b276264777e434b52ead2cdc9e837574fd9a20ba174df8b04afa9ed4ca731ab2b927991557d

      • C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
        Filesize

        8KB

        MD5

        514efe550078fbedb88e23774742e295

        SHA1

        971bcc5648e1a70ef6a9a7c909663d2e01a31473

        SHA256

        673528eae87d1f48f9a8238de868e8f44aa92575744259a7a3e8b5ac34ca9ca2

        SHA512

        b952bd54f348b7d39b1a2f2a322068d31a4837988aceb09821bd6f54216f79f356868497b44f17e060e3fc6c5b130caaf247a64dc0bb49569ba4b8472cf34451

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • memory/1220-48-0x0000000002940000-0x0000000002941000-memory.dmp
        Filesize

        4KB

      • memory/2572-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2572-42-0x0000000000010000-0x0000000000030000-memory.dmp
        Filesize

        128KB

      • memory/2572-41-0x0000000000010000-0x0000000000030000-memory.dmp
        Filesize

        128KB

      • memory/2572-40-0x0000000000010000-0x0000000000030000-memory.dmp
        Filesize

        128KB

      • memory/2684-1330-0x00000000742B0000-0x000000007485B000-memory.dmp
        Filesize

        5.7MB

      • memory/2684-0-0x00000000742B1000-0x00000000742B2000-memory.dmp
        Filesize

        4KB

      • memory/2684-3-0x00000000742B0000-0x000000007485B000-memory.dmp
        Filesize

        5.7MB

      • memory/2684-1-0x00000000742B0000-0x000000007485B000-memory.dmp
        Filesize

        5.7MB

      • memory/2712-24-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2712-17-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2712-7-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2712-38-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2712-23-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2712-967-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2712-30-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2712-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2712-9-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2712-19-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2712-11-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2712-13-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2712-15-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2868-1335-0x00000000742B0000-0x000000007485B000-memory.dmp
        Filesize

        5.7MB

      • memory/2868-1449-0x00000000742B0000-0x000000007485B000-memory.dmp
        Filesize

        5.7MB

      • memory/2868-31-0x00000000742B0000-0x000000007485B000-memory.dmp
        Filesize

        5.7MB

      • memory/2868-32-0x00000000742B0000-0x000000007485B000-memory.dmp
        Filesize

        5.7MB

      • memory/2868-37-0x00000000742B0000-0x000000007485B000-memory.dmp
        Filesize

        5.7MB