Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-07-2024 02:27

General

  • Target

    7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe

  • Size

    877KB

  • MD5

    7240322cbe365e6b61cfcc3537a5f32c

  • SHA1

    d30cfd5bf794f085dd8f57d1b938013eba252096

  • SHA256

    9f3b85382a30458dd7a7bbefe8efa186d8814b49f574d32d1aa70b50245960f6

  • SHA512

    dfeb7843c222ef88f359918332ec6acbc803b3457683cf1d3ad58e64af5f2ab97e311748ed6db9a7b0e5738d7371cc467d70841de4e08a6ca743e9b097352ed3

  • SSDEEP

    12288:HXhANA7abIJDKGjvgQ4jtvj8KxNmM5f1ozmBupqYN3BUuQEoB1q:RRWTGMZSsB1/g0IR3QEK1q

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

192.168.0.52:443

Mutex

T3X6745GUMWB80

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate (also detected as Rebhip) is a remote access trojan with a wide array of functionality, including keylogging, FTP upload of logs and injection into a host process, all configurable from the builder (see the extracted config above).

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1240
      • C:\Users\Admin\AppData\Local\Temp\7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2404
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1296
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2964
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1048
              • C:\Windows\SysWOW64\WinDir\server.exe
                "C:\Windows\system32\WinDir\server.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1372

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Tactic                Technique                            Sigs  ID
      Execution             Scripting                            1     T1064
      Persistence           Boot or Logon Autostart Execution    3     T1547
                            Registry Run Keys / Startup Folder   2     T1547.001
                            Active Setup                         1     T1547.014
      Privilege Escalation  Boot or Logon Autostart Execution    3     T1547
                            Registry Run Keys / Startup Folder   2     T1547.001
                            Active Setup                         1     T1547.014
      Defense Evasion       Modify Registry                      3     T1112
                            Scripting                            1     T1064
      Discovery             System Location Discovery            1     T1614
                            System Language Discovery            1     T1614.001

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        307041b0e0904eff4fe15081310bbb5c

        SHA1

        d545c782e7f5d6293dad78ebc14518400a27b13e

        SHA256

        8da63fd6fd9b9b0a90e7c5fba7818d893437c38eea1805b0c432ae672e3604de

        SHA512

        755ab2fceeb6b55e238f94f14715e08839244c800465cb0beb98b8f35499aa3ffcd5d586205c6827b6ab2ac510ed9bbcdc351e7f9bd16bf640f019cb5e63c619

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        7585b58187957d4bddcbce641af2d10d

        SHA1

        e4e9a4a879f1b8dc156a3423ef3a83fc23f320c0

        SHA256

        017aab382cab500f0d3b885b68c8dd7ae7ad14b1c471fb7293ec21e204ca5188

        SHA512

        81af53ff77c1733b9f8a2326baff62cf2bd74287f3a470315f78d8996e37ad311e9affdd6fb5465056f842b963ec8b036ed9f73f03b300c5ee604a6edaf3b232

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        15d511a21c97ff211926c1e5ee271092

        SHA1

        302e23b4f845368561f372ef9ae60fd971b7a26a

        SHA256

        5894eb4219d56d55f6157b3732864029528c9a5a85d6a17432172827e92d4bbb

        SHA512

        3fe8def8a6e657c332d85302ff12ed8888c49c2bc8ce98f10881da0f110a19ee67a971bf86946bcdbd850c26a622de1bad49f806375eea8ef76c765795b87ee2

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a96f5be81213af40630442d6b049d4d3

        SHA1

        552e07b2b07fd784aec214767ece2253f78d9947

        SHA256

        99d3eec315ef0c2af7f3b590efc1786ac99d7d548f78d726bd05a1911704c4c7

        SHA512

        8695f5506718c00abcc70e81b6554ddc2193b7461cce734b98ac20993ba4c62466c5fefa684a7ba0f2386f1bb1029342f507ce82f8907cf673ed227ea9f9dce8

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        7d8c00299b5dfad7bb262801ffca0f7e

        SHA1

        11a35a6ed5aa2d010fb0654eda036fdef96920c3

        SHA256

        69c5da62ffcc9610d80c6cc7089a8d9c7afad793b8e1ce207000c3130e244c00

        SHA512

        11cbe24c85b11fbd2db1499b388a89de25ffa404767db5845848d6a9bb96238c1e6b74c0c47771befa249932727410e1ded3050b44c60a2942598939b148fba9

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8fac07fc50a00bbf97b7a2066faf39bf

        SHA1

        31c4e0486c47d3a0c92e7221b2255470a398be61

        SHA256

        c1dc73222cce18f985dea0cf0ddbcc68c9aa0f1281e2cf0e07b3b839ac7b4567

        SHA512

        8ecbce6dc8a4743498d2068b158074c78ae9370131871f122ae06f9f39456a9a04b5702847c1d572b1aade0a6880d762c0f1ad901812f1400fcaac4391763007

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e3488586a00c114593b8086c79f47145

        SHA1

        eebb96565e79d05ce4bed0c84c412eaad0f5cf59

        SHA256

        19858514580e473656c615d6aaf35e8655798aa6aaa9578c7eeb8c4abcbaf1ad

        SHA512

        ee398462db0616fc8dc0017db3b5316f1be16c488dc5a6e67455d7ca73bcc0106a1a1c601f43f16e913962a4bcac484deb0aeea922f641d33851526e7fe59972

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        b9d2507fac09fdfde97dd1e5a6f7044f

        SHA1

        1331282869ff12b9f81c8b764a8fd4ec10e8e119

        SHA256

        6d809f82c26f899874b56bee8f5eb343deb9cdb2f9a78af0088142990859324b

        SHA512

        8352f7e88152e4a907762fbe109a76b1bd2bdd005d1f90d212bd2fda973b65bc88935b121cc88ed785955c654847d7a204c72ee9a94cc929752d3f3379ac11f9

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        19a86076cb09fa2950739c3e9e16484f

        SHA1

        6b8f93ee280f2fec15bac4dd387708ad5fad1a34

        SHA256

        1148c7221cd6ca508ff01e2a9c270d4761ce41dea0d99039302d386ea6c124f5

        SHA512

        bbc7d2dc8691ae94c14a23cf1049426a377d4552ccaf5b3b694117ab2bcccdf29d5eb896fa228880e2a543c39b64c4a538c96367c6622ceaa78e915af4220950

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        31cbfc984090197b0a178e788ba8d47f

        SHA1

        4ca16d7b49137596e183ac971bb387006a51eb3a

        SHA256

        7e57fafffb47be865e06d6fe944dd901d5bced7b37da63a77758bbe2322480dd

        SHA512

        61ebe62779216e3e575def2789c51bb8a554d8d7af253a230a43207afda314a5f04f6209f67bc4d20e949a796bd53612a3094d8638d159f6e0b4f590d4a93a3f

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        76719d10e0bd6671ed44ed075f6056d6

        SHA1

        08e8803adbbb1135dca867274be6199811acd280

        SHA256

        eae7abf86047e8e4f42bd6bdb6d12153c90504490bb89163b3f6154b2a13d8fb

        SHA512

        d2f875b5fb7a7043d6a286119cce653ab0c24a912d5658a59564681a516a027db33fc972f2d4c813ef53329ae075369178e97ec17b4f9be7c5bc641b091bbad7

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        996be824a30180bab01f6b2274b5db4b

        SHA1

        f6ed1d1c971331c3f7c17d16df261ade02e6053d

        SHA256

        bbf66321646dc21a4193f4162b52099dd8a310a4b6506e5f842d2e8f84caeb61

        SHA512

        affdcd6b2f30b02bdcd4959af62c122075dc62e6e4db59e61ddeb6084c7a80ee181b78a90590ec613a36a557e678743da09ffab1f6ad738e06e4548c5301563c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        7a884f880a80bfc7f7538550925e7147

        SHA1

        ded4dbae27a9ea1716652892978e4a9507c649e5

        SHA256

        01d2d65b34ac7e311e52bfb5384805fb9297fabd1756b56069e6c25957319897

        SHA512

        ede06668001a23c627ee978e6d71ecb378a0d17c51a74f6470fa2cc34e62e1a45763210d2ce1f22ee57c80efae7b85973a39d75a6a245315f1383e0976716618

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        fdee61dfb3f814bce39103aca779b2ae

        SHA1

        8d4f1761de5099a1299435f04adc1dc4091f21f0

        SHA256

        71f1eddc4de3da044ec78c9bca1149006c9a54370ad4797cbf9db50dc0b46970

        SHA512

        ac7c024b0f39700743785d4fabf8700e37f7a216e5294e5577ececf323e831f6b5f19e55cb4600562629070ddafc0164c7b5b705d1d2b23d082fbd28f622e25d

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3368067650c383e33be52d81210c7faf

        SHA1

        d0cdf01fb4bbc893be1ef9b1c7bcf526a2724ff7

        SHA256

        8fd7b1fc9ab794ba9d458010a36c2d00e3df537c8184fb885aea74768dee9e79

        SHA512

        8ce2163dd27fdec2e1fe255b1d4a97543dcc33af1f52ad961e5a932206bc6efbc7c67cc1987b518cb1612a3690cafcf9ecc3d60f0148ef704d7181efba4ff211

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e2a9d1159b231b4ee0ccdee3059e288b

        SHA1

        e5df463655dcabb8ddbe2bbccb6155c3316fd7b7

        SHA256

        49af7257d1c2dfcf215678f482b155478797a6380d99f831fbdd6b1d55a6cf39

        SHA512

        5fab949c80b176a0599a4523fd7f78cf080cc894fa809a9aca54f10668e7bd0d26c49ca049f476fd1e210291f7210f9a8085f6a7033f2b4cb6e5975151151169

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8548ca65b2bac695ac6b90f56fa93f07

        SHA1

        af193aca07211e29d14b16f127057801d6aab59e

        SHA256

        745fa96d9e8a765fde03bc3f379bcda11adae681c1b9ff9f5f220c76ee9d0889

        SHA512

        54c1ade64fbfd8cc81aaff271156402053180d107fa1e1164b36414968a02e478fe70af96ebbc9e2568ae35cfc1763fc7822f6abb777a41fbbc39b820cb58598

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        24960189a7af4ba70d26c64a1223cf56

        SHA1

        897747301899c5ad19d51f56a520e7c585d489dc

        SHA256

        27bc457287b177073c8b3f694a6e902f9baac4d88ba99ea7034fd6ba40252906

        SHA512

        50015baa68b503305be1822ec48fbc602916721272ee682becfe6d60342d0bd3fb59762aae87ceaf16969062fa97138c175a539ccf36c49fc57f9375b681e3ed

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        396d3182e89aa70df0a8bf142b94e786

        SHA1

        06c09b353b62476987de97d5a8a15b5511c49c88

        SHA256

        3a0fffc1fcbc984dc792fdf74f5d7418327cc5a7bd1004fbee99f4b1f5f25c10

        SHA512

        f1856f0af935fc670f558f0a85794c0ea49858510e5ff85064e93372fab95f10428a0234d791dfc6f0d50ea372dfed6eb29662897d8060941d1cdedfe0e67e07

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        4c30e655375f6aa22181d1ff26597f16

        SHA1

        fd5b15607091cece439970104af8c6496e8ce5c8

        SHA256

        ca74eaf3bcbd3117109d966fdbf8fb056f7fdbbde36dfd4205052f4b397a73a3

        SHA512

        81f6d9e7bd845408fed6f79f6f676fb28ba80c91f445b00a2a7e870d819de79d24ff010c500ab497eb856c9072779a47fe76326b08c7d69692688355289871e7

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        88da58a83b2e84de3794b380bce91dfc

        SHA1

        b458355570aecca624eacef34b4e4c35a7af2243

        SHA256

        ea3a272f8f126fa1abf2fcddb79dfbc86819b1066fdd22e9340f7978c64121de

        SHA512

        13d2605853ce1761bc5864c3880fadf59e45f3d0da9334358ef9923b91f4fff8607f9dca8c2591769bdc083703fe60cf6ec1c54ba112d6fb68140b455370b048

      • C:\Windows\SysWOW64\WinDir\server.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

      • memory/1240-29-0x0000000002580000-0x0000000002581000-memory.dmp
        Filesize

        4KB

      • memory/1296-334-0x0000000000310000-0x0000000000591000-memory.dmp
        Filesize

        2.5MB

      • memory/1868-0-0x0000000074181000-0x0000000074182000-memory.dmp
        Filesize

        4KB

      • memory/1868-23-0x0000000074180000-0x000000007472B000-memory.dmp
        Filesize

        5.7MB

      • memory/1868-2-0x0000000074180000-0x000000007472B000-memory.dmp
        Filesize

        5.7MB

      • memory/1868-1-0x0000000074180000-0x000000007472B000-memory.dmp
        Filesize

        5.7MB

      • memory/2404-22-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2404-898-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2404-25-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2404-13-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2404-17-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2404-24-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2404-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2404-21-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2404-15-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2404-9-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2404-11-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2404-7-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2404-5-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB