Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-07-2024 22:09

General

  • Target

    75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe

  • Size

    296KB

  • MD5

    75ed6063a91684770f1a50cef3465653

  • SHA1

    5b947cadf09a3e9f759ecead808cf57596f51a67

  • SHA256

    2388636eb9ba2e19e4c037a63bf795346b08e72f2925b39cba7d150a9e3bf28a

  • SHA512

    ee23c4d374497ee53282ea2f5d7a2f42a4e3b46219d2604277869fab5d14fd0dcbbbf5e98f69234a39ef4c2187e532e9ad7a4c13b6a2fa0bf0fe10c82e217b70

  • SSDEEP

    6144:POpslFlqIhdBCkWYxuukP1pjSKSNVkq/MVJb2:PwslFTBd47GLRMTb2

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

loveyou.no-ip.biz:100

Mutex

C2678RUJ1UUUP0

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote access trojan (RAT) with a wide array of functionalities; this sample's config has the keylogger enabled and the client configured to inject into explorer.exe.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key under Active Setup (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components); the StubPath command stored there runs at each user's next logon.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
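
The config extracted above and the autostart signatures (policy Run key, Run key, Active Setup) describe where this sample persists. The following is an added example, not part of the sandbox report: it turns the config's install_dir/install_file into the paths the dropped copy can occupy and scans a Windows registry export (.reg text) for autostart values that launch it, or that launch any svchost.exe not living directly in a system directory. The CONFIG values are copied from the report; the .reg text is constructed to resemble what the signatures describe, the value names "HKLM"/"HKCU" are an assumption modelled on the regkey_hklm/regkey_hkcu fields, and the Active Setup GUIDs are placeholders.

```python
import re
from pathlib import PureWindowsPath

# Values copied from the report's "Malware Config" section.
CONFIG = {
    "install_dir": "WinDir",
    "install_file": "Svchost.exe",
    "mutex": "C2678RUJ1UUUP0",
    "c2": "loveyou.no-ip.biz:100",
}

# The process tree shows install_dir used literally as a folder name under
# system32, with the 32-bit dropper landing in SysWOW64 through WOW64 file
# system redirection, so both spellings of that location are indicators.
SYSTEM_DIRS = ("system32", "syswow64")


def expected_install_paths(cfg):
    """Lower-cased paths of the installed copy under both system directories."""
    tail = f"{cfg['install_dir']}\\{cfg['install_file']}"
    return {f"c:\\windows\\{d}\\{tail}".lower() for d in SYSTEM_DIRS}


# Autostart locations matching the report's signatures: Run/RunOnce keys,
# the policy Run key, and Active Setup components (StubPath runs at logon).
AUTOSTART_KEYS = [
    re.compile(r"\\microsoft\\windows\\currentversion\\run(?:once)?$"),
    re.compile(r"\\microsoft\\windows\\currentversion\\policies\\explorer\\run$"),
    re.compile(r"\\microsoft\\active setup\\installed components\\\{[0-9a-f-]+\}$"),
]


def is_autostart_key(key):
    k = key.lower()
    return any(p.search(k) for p in AUTOSTART_KEYS)


VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for REG_SZ values of a .reg export.
    Only the quoted-string syntax used in the constructed export is handled."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            # .reg escapes backslash and double quote with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            yield key, name, data


def first_exe_path(command):
    """Return the executable part of a command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def find_persistence(reg_text, cfg):
    """Flag autostart values that launch the configured install path, or any
    svchost.exe that does not sit directly in a system directory."""
    expected = expected_install_paths(cfg)
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if not is_autostart_key(key):
            continue
        exe = first_exe_path(data)
        p = PureWindowsPath(exe)
        reasons = []
        if exe.lower() in expected:
            reasons.append("matches configured install path")
        if p.name.lower() == "svchost.exe" and p.parent.name.lower() not in SYSTEM_DIRS:
            reasons.append("svchost.exe outside a system directory")
        if reasons:
            hits.append({"key": key, "value": name, "path": exe, "reasons": reasons})
    return hits


# Constructed .reg text (not dumped from the sandbox VM); placeholder GUIDs.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"HKLM"="C:\\Windows\\system32\\WinDir\\Svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"HKCU"="C:\\Windows\\system32\\WinDir\\Svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU"="C:\\Windows\\system32\\WinDir\\Svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\Windows\\system32\\WinDir\\Svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-1111-1111-1111-111111111111}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s C:\\Windows\\system32\\example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
'''

if __name__ == "__main__":
    for h in find_persistence(REG_EXPORT, CONFIG):
        print(f"{h['key']}\\{h['value']} -> {h['path']}: {', '.join(h['reasons'])}")
    print("mutex:", CONFIG["mutex"], "| c2:", CONFIG["c2"])
```

On a live host the same logic applies to the output of `reg export` for the keys above; the second check is deliberately independent of the config, because a svchost.exe anywhere other than system32 or SysWOW64 is worth a look regardless of which family dropped it.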

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1228
      • C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1936
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:1896
          • C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe"
            3⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:988
            • C:\Windows\SysWOW64\WinDir\Svchost.exe
              "C:\Windows\system32\WinDir\Svchost.exe"
              4⤵
              • Executes dropped EXE
              PID:3312

      Network

      MITRE ATT&CK Matrix (ATT&CK v13)

      • Persistence
        • Boot or Logon Autostart Execution (T1547): 3
          • Registry Run Keys / Startup Folder (T1547.001): 2
          • Active Setup (T1547.014): 1
      • Privilege Escalation
        • Boot or Logon Autostart Execution (T1547): 3
          • Registry Run Keys / Startup Folder (T1547.001): 2
          • Active Setup (T1547.014): 1
      • Defense Evasion
        • Modify Registry (T1112): 3
      • Discovery
        • System Information Discovery (T1082): 1
        • System Location Discovery (T1614): 1
          • System Language Discovery (T1614.001): 1

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        54ee57e12f966e1eb9370934ac6cc8fe

        SHA1

        3d9b4f0e1ce5478e2b4eadddee50e584e70405fc

        SHA256

        d40e7266c4aaf45a5ae9f86289d4bd6044f733e4db7c04870d56542d94ea8a92

        SHA512

        5e4dbdb6548bddbe3b0c2b75cee7c27a3df2248fbcd5f2b275a6afd73f4590e9b1a924ccdefd7f453f76172c4ae3dc1571e3f467595ddb7c112cb1284ebde818

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        f9cd47731431824c426a6841c1ba2d6f

        SHA1

        8cf43b658c8098e4593a6e16f7e8d33c01fde3cd

        SHA256

        f3e8daf35e436633c95a1f6d1ea441ad7070b118edc8ba9fb7b4887566282bc4

        SHA512

        77ca78b927b823e0f64352296cbe50642143d3b940f19343f37c01f6836b76a28c95f85298c93bd2b306ba5c60ceff97d6abe331c9f0ccef44058cd360066984

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        6988ebe431a517c003715e8fd3d11734

        SHA1

        f6274244350e399fcddf5373968e6c5bdca3230d

        SHA256

        563b0f4c2314cfc7567f67c895d9a12dcca7f265e29531e83a631b8973b0545e

        SHA512

        f5f6be0c11e129a522c8f0451e6a9f4e47fd145c7083595f4ac049ab54139df5fcf562964e74e26e84bb09776401168d9fd294cf9ac9cf393eea1b4d8b60278e

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5c4178acd5dfffe7ee6479a139f623d2

        SHA1

        1cad5fae1b275f71e4683169d6246488ce20b228

        SHA256

        f0f00dfb99819995aed29cfe1c1131bfb7e10b578eb3af78dac209c6f019fbe5

        SHA512

        79c47071f569f55036a7dbdbcedacf28775168a89c246bcc0492575fa9dd545fa945abac99a9c7bb7ed6717f3f00d2279b195553eb828f0c199d49156cea4222

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        460865447919faeb828f8e649334daf6

        SHA1

        20a9bb127f3b4306a2e10592c2bb30cdcecbade8

        SHA256

        d0ad568c7adf65e1de776aae4ada0b08eac840b3ffa30e40b4a5e7c82c807087

        SHA512

        e4fc177195198c7bc32a5fdf1da96a4dfa96865cf7c0241476154f63342005c1ba8d8f883e3d2454e8fae0ef66f35e9f7117e56bc55661e2cc60fc326236bc35

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        f1bc10926fb146aafeeb9d28cf116827

        SHA1

        ba7cf1618b9f4ba65fdab8538c6ca1cb3eb27ea3

        SHA256

        642eb90c4192dd510832a126235694f96798fe31c676e9c71acfc0877752fb6c

        SHA512

        efd58b30b0a22b7209ebb90e7737468c506516d762fb722887e3e93b81f81f906ffffeb561e2017ca328836548e11ebd85107913cd2d6cee23218b85dca4007c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        875c67680c08dccc8f00245f6359a7fd

        SHA1

        08298292ae5749b7e3ad946305551555771699be

        SHA256

        434ed05566f86563725b78952223c702d49143152a46dda9ed5054963ab50a4c

        SHA512

        e6219db3d2107b3672e451f29b6380e58e3ab61bffee7954f450161da7c7bccd492a907d1adf04e8b28855af0c8ac8a2251b9206af7cee8b4b383a4a2974a018

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        b5e98923139203ea58a5ec453b2e330b

        SHA1

        cae167b69273b63a98a0adfbeb55be69fbcb5d8d

        SHA256

        97bdc8c0e275ccff4c9972f45bddd19a5776a9b3951df467b841256a0ada3256

        SHA512

        c6e15877850098f793865e3c98ea5ede99f25214074a2d1e51e94e92ab7d5fff140dd1c9e1bba7721edaf0447259f87e6e6903c61ab1e45147cf87347c32aa5a

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        f375651c8a90a581086be4f156c121ff

        SHA1

        c89eba2e7d9dd6dd00c8267c1b362f103875b264

        SHA256

        879bbe1e07ac5405008155408d3639fbf01365f7f1d9a485b7b55926e5423345

        SHA512

        3e83af9e6d27c0efebb3a32d44ca28414e1d062f6d75c8cf9b8d09a8f614af3659435d92f0da005dab4f107fb0157a1fa5c12324afccae3749b1c18709ecac0f

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        963388c86fc3a29386c212666d3dda19

        SHA1

        d2df7a46e7d5f41ab6af45972c8b6c084106b853

        SHA256

        c2171f4ee7aa6ead8fe1d9a092ea9ef34146c2797c7f9b5ade4a964bd85298d8

        SHA512

        3212ed6e31a4b6057de29e145331039d086c20e48a9f1fea833f343286f757a22c31b641665065055a60ca2205abe6d6e4153dfcfb8cce5436e2c6bdda119d55

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d7548c540df05d88f7f64780255f1451

        SHA1

        e33c98bd310348f595cb0b7effb9cba6faaa7a97

        SHA256

        1c71691a72fa5c0da412f673bb3bc24a9a93befcdc3194a92f944a2929174b79

        SHA512

        97614125e19238178295c3451726cc4b1ecaa646a3613c46d6ccd6141e5db3df286aac916a7e249df2a0e7c96e8fe8479b91ef7783cadd0b69b65b83186850f0

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        885d19a8f47fe76b4be457cd005b3dc5

        SHA1

        e5da8b3bb50d883f644425fd6a832025e9d97753

        SHA256

        af3ab88ff0443a6fa759990b9cb2ff111bdcf6e705f3c67780e172b4d73de50a

        SHA512

        87134a7a58a86e3ebcddf0e9ff541c09f21458eae646cf6167267ef70b671806b630c5826baa9d5cebfccea57d29a0ce061db2293a68915cd759d7077b7dfe64

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d71f96c9e87b698103b2b77ad3631e43

        SHA1

        c5e0074ab327d579634c15d4c589a07beb829bc7

        SHA256

        3ea3c9c92216287eeba5cc9c412584c7d8d534fda95d618ba925b3803e5398dc

        SHA512

        9109eb1ffac436e53b6ddcae6813a7176f24b99bcfa84ab4ca6d613183deb27091a79268f15d66122dafc7ea41ff2fce416cc711f10a8cc009c2cdbbd98d3419

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        ca9a91a2b5e4161b618b7f7ef1d3e457

        SHA1

        2b1544536c46dfeb89dbca09c1faa7316b53d1c9

        SHA256

        440baabfb4eeed24ba2ce6caae8d52ed8c27a9497532227d02dffab9fe57778a

        SHA512

        69227730ef527a04a7f438bed2d1ecf8245eeed081f528c208eda206c695ca9543a3dd8329dee5a3665969715247ac06e5ee069560eb263f1d3f6336eac9f9cc

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        1b40b3a9bee6d2db427a09e2b3b744c2

        SHA1

        3e5bef6c9355183eb2b6dff06ea43ca9cb341609

        SHA256

        36a1736a6285b1ce2599131ed2826504b0fa1fab59784c8c2c68184649667b9a

        SHA512

        cfbc903acd53f572928709fcb793624238d6ad2aadbe7cb7f4f24ba2593c13007b9e5274853c3c6fef348338e0c33be2f49fe29e2bf2e0d96055b16b838f2759

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        88ecf3632ed055307e4dc9cc65cda63a

        SHA1

        0f9a5f02454b2df0b4d9dcea7d94d126bd22cc8e

        SHA256

        07a32000a4d59d1a517d4325441d046e02cb048df96e281e7ebf2ebd8af53a81

        SHA512

        df2edf71002326be87a51c46c4c48abfd7976aae0322bf5d4342bbeb6aca593b87df5da95a5a18954f5e60c19b3fea85e1c43114c0728802cefeed86d8e80894

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        777f1fc82057c906982e9b7a00e487ff

        SHA1

        42db3cc698fd89c24fdc4b17f2b31805672def9b

        SHA256

        32ba7778e1466e99a1f5096081cdc4f3f1bd806dd1d4ee7090d793fc57e6c75f

        SHA512

        a1d25923ef700bf8b6d9c08946ab55662d4f942f4edc12804d7dbe8ce1a19985f44a3facaa5b7232cf38c99260e6cea6d8d55b99e7c3599165c3631a5150fd23

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        7f3729674013c740b600c2c2c20cdc50

        SHA1

        db23708b59d847854afa0655b7f316d705d46270

        SHA256

        d1b88548acde19d0d9232821a9a981cd196d9b289edf6307c3ea539c8f04d868

        SHA512

        92f29f25748ed47f3cc6d58c8ea43214deae24693f0fedfa341e95080b3eec2db30ee987dbaeea05c794e93aaa9b3169139eaa460d0c89f02224a210431e76f3

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8476f447e360fae5ec79b2b74630e416

        SHA1

        aeaa409efce5c0381c916af8f5cccceda713895d

        SHA256

        11bab6123bb7ea7d9df56c391b06b4cd5af81a7e623916ca26ba523d5c10635a

        SHA512

        5c29b9d851300b7b962e88face46069f9f463d494473b35b00083d5ea3f2c2e83ea6f6643d559fda74b70564f59d61474a21e29a9b5bcc48b51739baa5387b4d

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\Svchost.exe
        Filesize

        296KB

        MD5

        75ed6063a91684770f1a50cef3465653

        SHA1

        5b947cadf09a3e9f759ecead808cf57596f51a67

        SHA256

        2388636eb9ba2e19e4c037a63bf795346b08e72f2925b39cba7d150a9e3bf28a

        SHA512

        ee23c4d374497ee53282ea2f5d7a2f42a4e3b46219d2604277869fab5d14fd0dcbbbf5e98f69234a39ef4c2187e532e9ad7a4c13b6a2fa0bf0fe10c82e217b70

      • memory/1228-3-0x00000000024F0000-0x00000000024F1000-memory.dmp
        Filesize

        4KB

      • memory/1936-255-0x00000000000E0000-0x00000000000E1000-memory.dmp
        Filesize

        4KB

      • memory/1936-1578-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/1936-246-0x00000000000A0000-0x00000000000A1000-memory.dmp
        Filesize

        4KB

      • memory/1936-531-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/2292-2-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB
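
The memory dumps above are named pid-index-start-end. A 404KB region (0x65000 bytes) appears both in the dropper (PID 2292, at 0x10410000) and in the SysWOW64\explorer.exe it spawned (PID 1936, at 0x10480000), which is the footprint the injected_process setting and the WriteProcessMemory signature would predict. The following is an added example, not part of the sandbox report: it parses those dump names, drops single-page scratch regions, and lists region sizes that occur in more than one process. The dump names and the PID-to-image mapping are copied from the report; the size-matching heuristic and its 64KB threshold are this example's own.

```python
import re
from collections import defaultdict

# Dump names copied from the report's Downloads list: pid-index-start-end.
DUMP_NAMES = [
    "memory/1228-3-0x00000000024F0000-0x00000000024F1000-memory.dmp",
    "memory/1936-255-0x00000000000E0000-0x00000000000E1000-memory.dmp",
    "memory/1936-1578-0x0000000010480000-0x00000000104E5000-memory.dmp",
    "memory/1936-246-0x00000000000A0000-0x00000000000A1000-memory.dmp",
    "memory/1936-531-0x0000000010480000-0x00000000104E5000-memory.dmp",
    "memory/2292-2-0x0000000010410000-0x0000000010475000-memory.dmp",
]

# PID -> image, taken from the report's process tree.
PROCESS_IMAGES = {
    1228: "C:\\Windows\\Explorer.EXE (desktop shell)",
    2292: "75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe",
    1936: "C:\\Windows\\SysWOW64\\explorer.exe (spawned by the sample)",
}

NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump name into pid, index, start, end and size (bytes)."""
    m = NAME_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def shared_size_regions(names, min_size=0x10000):
    """Sizes of regions (at least min_size bytes) dumped from two or more
    distinct PIDs, mapped to {pid: {start addresses}}.  Small regions are
    ignored so that 4KB scratch pages do not create coincidental matches;
    the same region dumped twice from one PID counts once."""
    by_size = defaultdict(lambda: defaultdict(set))
    for name in names:
        r = parse_dump_name(name)
        if r["size"] >= min_size:
            by_size[r["size"]][r["pid"]].add(r["start"])
    return {size: dict(pids) for size, pids in by_size.items() if len(pids) >= 2}


def report(names, images):
    """Human-readable lines, one group per shared size."""
    lines = []
    for size, pids in sorted(shared_size_regions(names).items()):
        lines.append(f"{size // 1024}KB region ({size:#x} bytes) present in {len(pids)} processes:")
        for pid, starts in sorted(pids.items()):
            where = ", ".join(f"{s:#010x}" for s in sorted(starts))
            lines.append(f"  PID {pid} [{images.get(pid, '?')}] at {where}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DUMP_NAMES, PROCESS_IMAGES)))
```

Equal size is only a lead, not proof: the next step is to diff the two dumps (or run the CyberGate config extractor against the explorer.exe region) to confirm that the 404KB region in PID 1936 is the same unpacked payload seen in PID 2292.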