Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-07-2024 03:09

General

  • Target

    726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe

  • Size

    816KB

  • MD5

    726044aff9998f412c0545a66edeed7e

  • SHA1

    bec7344cbecc0b48fb638abfee3812263c6b9b34

  • SHA256

    84b792f95d0b24ec3b0b9274f9d5eac0f14b3af95ee67ab5a00339acc324940e

  • SHA512

    6ca0843f29ff8b7732b58fccc8b06513377ec6a2afe17557ee69727aa6546da1421c8e64673dae4c87646adb170e825802e02f75c7bc23765b67dd201ed45dcc

  • SSDEEP

    12288:yOghu29FDBQZeTLrc1E6JZuW/JkCVgxj1Vstf0KO/ctdRvpcHsUtEo+gPIxVfRt5:ezyltTvirSxVR5

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

vawireless.No-ip.biz:100

Mutex

360G35X0T54I8R

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    60

  • ftp_password

    pascal

  • ftp_port

    21

  • ftp_server

    parnjaca.110mb.com

  • ftp_username

    parnjaca

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • UPX packed file (2 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Uses the VBS compiler for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:316
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:1144
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2080
              • C:\Windows\SysWOW64\WinDir\Svchost.exe
                "C:\Windows\system32\WinDir\Svchost.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:880

      Network

      MITRE ATT&CK Matrix (ATT&CK v13)

      • Execution
        Scripting (1) T1064
      • Persistence
        Boot or Logon Autostart Execution (3) T1547
          Registry Run Keys / Startup Folder (2) T1547.001
          Active Setup (1) T1547.014
      • Privilege Escalation
        Boot or Logon Autostart Execution (3) T1547
          Registry Run Keys / Startup Folder (2) T1547.001
          Active Setup (1) T1547.014
      • Defense Evasion
        Modify Registry (3) T1112
        Scripting (1) T1064
      • Discovery
        System Location Discovery (1) T1614
          System Language Discovery (1) T1614.001

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        6202f7a0bc51b0b2ad72cf7a071cc419

        SHA1

        aa961408a5ab2ef25d48fbfddf9524f4c524a788

        SHA256

        6348c65ace9a2243ebc4caece3159e3b631402ebe3a8604057a95e78354076b8

        SHA512

        5a4285c87b6f4527c301eba8807f4926250ad19d716410c0798a354557aab77cce0af09c2f8c5f9a6da42ce20408a31bb45f197337de8ac9976e3eb5be84e89d

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0c8a23b3f5e68c56972f62f99e7c8943

        SHA1

        bc5df80aa7308af305300b06ff149f830c21a84a

        SHA256

        573bbb98641c1e6bec0e5429653abd54df069c7da1b93b7785ab98a69fdb9c36

        SHA512

        fa9dea06799432974357d390191ab18f6e2013ecc3308133f49328ffd7aa546419d19cf524658cf7a469bebfc75c55269b83dfb69e0545d36c24eb5209ac3aff

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8a6e7630fbad3ebeddcb28a1c6b2aea1

        SHA1

        ac3dce064b03ae9f2f2bfba9c1cc9132744ed24f

        SHA256

        32d026983dc0bdfc37e0c69e4dd9ec10b6d71eb750bc1596b338b597e8da42f0

        SHA512

        17671ba9c9ffe229b99fe6f318b48ae882a256b60d4f04216f68f55d37ff77b56fdafd91de5a88ff2c2d26030c3f007c76d5021bc6aefe9d184e9f2073cc14ec

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        1d978bde050209f70af99a4d14751fbf

        SHA1

        f1c22b888a4e93c58f260915d9d82486a9bd45e8

        SHA256

        e407c946f667f62993d38285d8422732c3dedc3283906fef6679d65d70537756

        SHA512

        9e438f2ca2bb17bde89e29a5f3ffbe8c4e6adcf33b7c7c935f71bfddc6ea2cf4cd1326b55da8b85fefb88928641981fce33cd55fba07ca4f77628ae4c0309347

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        691f8f016bfe6a716210a0c967fcbb97

        SHA1

        4473e2c8a0e849cc7da70aada7f053f2d1ab1fdc

        SHA256

        76d7af1dbb6c1680ea6b9ecaea660bfad148880dfc889d156bd20d106bd40d70

        SHA512

        99928418f8faf3881c8dc3aaef1e47edabe27ed4b29dd2d6ce51e57e46607fd5faa44cbbeb82cce646aef7005fb1c06038eabe970bc88e0bdeb0cc9e4e413049

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        00721c3380f117d974ee36ec57ea5559

        SHA1

        807c1046dd05afd02b8f7b7acc758bda5dabe663

        SHA256

        698f75b28626f26fdfb5d0824a6dddda6aeb7169164fd2144637c574f8542f3e

        SHA512

        d86cdd561636d28f1888c5bf8ac5edff97274d432b3376d846c3487a4fb86b1d4e8960f7d0510164b742311f26241c42bef7062adc31189f4b9fbba4cef4fb68

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        71d40bb5cfd3f5e8df3c1affeefd50ae

        SHA1

        ee1bc86f913048237617c3d5a6603a951c307449

        SHA256

        0d091bffe6182a34f811b43b457e3ccfb6dc7fd7dc5f4a113681421a7e5462e2

        SHA512

        8e1406420eb7a1a2f80030948ef60b5617a95cdc3314986dcbc9114fdba5024babefb4064b43a66d5ec7944890fed8f9f47b7966538d61961a85bdf34080a6d7

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e176d6b6f69f082f48c66a981731b133

        SHA1

        74b294109ebebff9743a66ae08f53660a77d6c0e

        SHA256

        e319d35ac972d6955707d35b4f36c0fc5e7e79f60cbc3b0c53ceb195b5a263fa

        SHA512

        829f43e0f14d9746d6085388d93400c36abaf06db4e2f83418149af00d85b6cf9f9a3854ef4240fd4a43fdf815e97b7761c4f90c9042cc02bc28969a5d4d2996

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        4c32245fed0d4237ae4e4be69d8a64a8

        SHA1

        e95f639c9cc7cf29ca579ad89a4da8f969239765

        SHA256

        d6746a0e0f1d9351a4b46439af9823c7ee30276ed6dd236e4e4653b1e88f6a8d

        SHA512

        4cf00c740363a484855013c687948727b0647b2598caf8ee61ec71b6fa63a0ff286a7d5a8e00cfcaa52c15572ba8591df745a57e08acb7156688a663c4ae8474

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8bba2151e476f2e95cd46fe1d83a7165

        SHA1

        180e581eb50dec2fb351a4ff11ad5496dd5cb332

        SHA256

        2c02d11b1583eaabbf75e12f7cb0b5bd61388c9a1682f5aab0cbc9ac5f9c9da2

        SHA512

        b75fa223d0a443a1bbe35fbc9ad3c62ed48860d25de31632aee8f947821c4caf6d4baa81e28c9b197c000fe58795b8b6ec06900c1778522285fbbd719fcf85f2

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e8d6acbd9dd999b7b0a980f7255d16aa

        SHA1

        22dd7aeb0bc07917792f90f7126826fde63add8c

        SHA256

        ea9d965786c874182c9470b16e4f71b67b4ab0af9ab0cf93002922ba300a442e

        SHA512

        e2d93cf9f206f0a3d3d337e4418efb515ac6a334249ac499d337d8d6f532b3443c84367609c3d9e43a5e8fef43f07ae2c6a58908d530cfba6115e14c69330570

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0f481cae508f52e1ae60bffa44279e0a

        SHA1

        8f71aa1d45ce8a11e71701e7d6d757c94229ccbb

        SHA256

        e2087db784de7e3716883cf00d6eb21ce2e534e0be2c3ef980839a529adc1a77

        SHA512

        eea7cde98afba7b4d494a94c994323843e15d861c0c5599f1a5eba8190d9592cb5f98a522c67d257b404b84c1196593e1a32e215fb9c2579ac83af6f9d3a8bc3

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0ef69ab9f8b40a6f58506ccb7dcd74bd

        SHA1

        c79809431f5c75be8affa1db35d79ff4cb86295b

        SHA256

        ccc02ea3371fbd234a45ef67c654255db6e281d54d2519a51acf16158c5691b2

        SHA512

        618f3f32ccac458cbcef0fca55e8152764ae7a0316505aa5e11c1bb7b29edf7e1c76cb92c27d0c95f15ac8013fc0580cf26ae1dd24e42f9581029e994828b9b5

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5b98889724482e7064c2b7ef5d46e2d5

        SHA1

        7c44655e68cd2b8fd94f295a06b97937f85cd3f2

        SHA256

        a6480f67ed918c5eec9ef169f456226d02c306ea7b5609b8b15161a5b6ab9dc5

        SHA512

        bd0592a1d7815fe7e5619a6bb7d51e9f2fadb2bfb216c44befda6ddcedf29056f36f4bdc830209f43a2ef978f1aab7144506b7553a160d05aebf96777a3fdd65

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        7e4af1444462535fc4add488055a82f8

        SHA1

        eba789c8b76dd832d98e892b5d2e04d7b5e9641c

        SHA256

        63a83a0524df88add6549bb860bdb521357e143d4c0ce4422261983cd3ff2a55

        SHA512

        de53c5c2b841f7f324d6dd5c8c543b94f180a937352dd3bd00dc135091494cd9c0021f62dbf42be1d23d4e2ca2c44c6aad5b74e7ac62772efa675093e6500593

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a2daafc32390b375366888348b763508

        SHA1

        40191b6e2c3752d9be89646d76a98af3e9cc8543

        SHA256

        d3d3a70b0262be4857db351c87a14fbee58f1e5807b8ed554b1a0ab457dede7f

        SHA512

        229e1691a76ac51a162de8238d45a36503dfcf7f24c0eb7e8d748c1feb5179f88c9c88a2ade80bfade6101b99e1d15121dcb46b4f4cba4c1faa113c1eb324117

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d5234611b3f3e2f3ade8165f4a5bbaad

        SHA1

        eaa12fdef3014cc0d711c76046756dfb5d9349cf

        SHA256

        ba1702ebb3fb921db4f3618a232b84930144938bbdc35670501ca4266ee5efc2

        SHA512

        c5cfd20481ab5e5f0516504b4c648ad499cd1ccf5a06c833f4a5113a4e943fde676d1562c782b4445da324d23d9f724b7fc64ab907a60f149988eb5f86b809f4

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        2cb59ab65850760b5ff0119acdd3753e

        SHA1

        8d1af075794a7975bf9d7a5d8f395599db8fecdc

        SHA256

        e4f6cd5bce131efb29b620db6d5b19a2e0e49e1f04b23ddfd9a25d28632ad1eb

        SHA512

        b1502179a9f7e2a801da453c8aae2524ff706e7efee75e5e5cb46abc99d789a1010fb9e3ec9861e566acdb6df409921b5cdca8b93bb5443667fde32dfcf865c3

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        2ef343bb1df24b541d82d9029695e8a0

        SHA1

        295d93ee60dd04dfc477b8d48916732451b267f9

        SHA256

        d7824045a8c7dcaebefeec3f59446ecea456e2ce629a5b3b1b9ccaf8d4dcae64

        SHA512

        c74944bb8c119a9e90b33e9ca8600f335c9bfab746bc53afa9b6eca785984907945fcf98de396d20e418a848c579230cc2e18dcecd749c2d1b7597b2eb93f214

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        759bbc682b4c56b174ee5bf8b29c28e2

        SHA1

        cccba5dbbb4ea8682e9d53d170e3c6c7fe4b4805

        SHA256

        cce1db6e4c78a31ffb39006e685b08f2720d00bae5bf329041d7c9a6fa5c94f7

        SHA512

        9bb4bdbb0fabef20e0d97085e83f14d3bb4afc349687fbe6c93d644fb9527d014d857fb2a7d0d5f36be2f9e542ac336d06e50f44328236f5e8cf56f890d2ebf0

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        833d9e0cdf329bed344d0961bc07a5a7

        SHA1

        2994e142ed6dbec65c483b08e93aa126360b1c17

        SHA256

        fbe4d53e400ede46e1c2c2af12f034747fe6ae2d8a1d4f33179c4dec9f497544

        SHA512

        8c5e30eb08bf5e0263944c03f4e0c0925bcb75f6b5c900aba4f0642be3369f4073b992b807c1c837f3db769c4688c00e982f655cecd0536ffee57db5b055c138

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        954d3648d6c818ed361ea30304276460

        SHA1

        a202a81f02cf38494d14d699ea44b9b759c9fea4

        SHA256

        fca50d050dbbfe6913d21d903dd09dc7a69dc6f3113d089c5d7f675887ef9eee

        SHA512

        0358e7d4a677a9de30100bdbfdf737c401c8801e08c6b0431f9569c466202d3d3e0b02b2a7c1853544693ec4869bd5adebfef62ac364861e6bb14abf279c921f

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\Svchost.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

      • memory/316-271-0x00000000000E0000-0x00000000000E1000-memory.dmp
        Filesize

        4KB

      • memory/316-554-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/316-324-0x00000000003F0000-0x00000000003F1000-memory.dmp
        Filesize

        4KB

      • memory/316-1525-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/1204-27-0x0000000002D70000-0x0000000002D71000-memory.dmp
        Filesize

        4KB

      • memory/1452-1-0x00000000743B0000-0x000000007495B000-memory.dmp
        Filesize

        5.7MB

      • memory/1452-2-0x00000000743B0000-0x000000007495B000-memory.dmp
        Filesize

        5.7MB

      • memory/1452-0-0x00000000743B1000-0x00000000743B2000-memory.dmp
        Filesize

        4KB

      • memory/1452-23-0x00000000743B0000-0x000000007495B000-memory.dmp
        Filesize

        5.7MB

      • memory/1948-9-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1948-885-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1948-13-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1948-15-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1948-7-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1948-12-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1948-22-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1948-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/1948-19-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1948-21-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1948-20-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1948-5-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/1948-3-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB