Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-07-2024 22:09

General

  • Target

    75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe

  • Size

    296KB

  • MD5

    75ed6063a91684770f1a50cef3465653

  • SHA1

    5b947cadf09a3e9f759ecead808cf57596f51a67

  • SHA256

    2388636eb9ba2e19e4c037a63bf795346b08e72f2925b39cba7d150a9e3bf28a

  • SHA512

    ee23c4d374497ee53282ea2f5d7a2f42a4e3b46219d2604277869fab5d14fd0dcbbbf5e98f69234a39ef4c2187e532e9ad7a4c13b6a2fa0bf0fe10c82e217b70

  • SSDEEP

    6144:POpslFlqIhdBCkWYxuukP1pjSKSNVkq/MVJb2:PwslFTBd47GLRMTb2

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

loveyou.no-ip.biz:100

Mutex

C2678RUJ1UUUP0

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely used as a geofence.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (7 IoCs)

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3496
      • C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1844
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:4148
          • C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe"
            3⤵
            • Checks computer location settings
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2220
            • C:\Windows\SysWOW64\WinDir\Svchost.exe
              "C:\Windows\system32\WinDir\Svchost.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2096
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 596
                5⤵
                • Program crash
                PID:5056
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2096 -ip 2096
        1⤵
          PID:1388

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • T1547 Boot or Logon Autostart Execution (3)
    • T1547.001 Registry Run Keys / Startup Folder (2)
    • T1547.014 Active Setup (1)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (3)
    • T1547.001 Registry Run Keys / Startup Folder (2)
    • T1547.014 Active Setup (1)

Defense Evasion
  • T1112 Modify Registry (3)

Discovery
  • T1012 Query Registry (1)
  • T1082 System Information Discovery (2)
  • T1614 System Location Discovery (1)
    • T1614.001 System Language Discovery (1)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin2.txt (224KB)
  • C:\Users\Admin\AppData\Local\Temp\Admin7 (8B; 19 entries, each with different content)
  • C:\Users\Admin\AppData\Roaming\Adminlog.dat (15B)
  • C:\Windows\SysWOW64\WinDir\Svchost.exe (296KB; MD5, SHA1, SHA256 and SHA512 identical to the submitted sample, i.e. a copy of the original executable placed in the configured install_dir/install_file)
  • Memory dumps from PIDs 1844, 2072 and 2220 (4KB and 404KB regions)