Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 12:03

General

  • Target

    73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe

  • Size

    273KB

  • MD5

    73f8b1f6e0e64a648445c575bc64aaad

  • SHA1

    5eb0b30e36a234e2e5bcd11f1456cea6ebb914b9

  • SHA256

    277e3f881ff5937e48da7594ba43f306dfb9d0ed2e7cfa90360ab60ea05f8e4e

  • SHA512

    0ae93d2bf8a949108544dab21d3d8af1d1c82405c48ec06ab89762ad02c3b73b8e0c533b9143d918feea04cce4355a193613a443e1173a373ae94d4cba0a05cf

  • SSDEEP

    6144:73O1ZxoxDNT/xQphU+MYerYctWC201Dxeb/b4N5MCLW/4DOY1ChWdh:LO14h/xQp6+MYer3201tebT4n1LXP1CQ

Malware Config

Extracted

Family

cybergate

Version

v1.01.18

Botnet

Cyber

C2

mywildrat1.no-ip.biz:81

Mutex

CyberGate1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    Rs-Pin-Generator

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Please Install the latest version of Java and Try Again.

  • message_box_title

    Rs-Pin-Generator

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
        PID:5060
      • C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\73f8b1f6e0e64a648445c575bc64aaad_JaffaCakes118.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2096
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1484

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence

    Boot or Logon Autostart Execution

    3
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Active Setup

    1
    T1547.014

    Privilege Escalation

    Boot or Logon Autostart Execution

    3
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Active Setup

    1
    T1547.014

    Defense Evasion

    Modify Registry

    3
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      219KB

      MD5

      7430c0e8b7bafa451b23ddad72197f78

      SHA1

      083f4d2fdb8449034f7bb6e770e5ac7e98c919b4

      SHA256

      2e287b6bf77e7a7432a6952696279f00e786ece6ae71e5efa1511a49cd0e4df5

      SHA512

      3bef58d50ccf90b5f4652e4eebf97d544b48b4a00f31166b1e4e9b2cfa28d16b1bcf5d0715f8cf2adb5f4e8e5ab51c92945d727856e508f9c607e16ba646fd86

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      fd237307f7da050eca948e12d87328bd

      SHA1

      a93f1d9ef510f8be3612f0fa97a83a4b97bd328e

      SHA256

      824c05ba2b9d3f6fa45e2f11483e953305d8a242ee02f1c0430293b0a2f4f76a

      SHA512

      44ade93ec0089ebd25a35ad55e23eb9c67c5fe8d8b17fe29fdddc55e3468ed98e891b4c3d1b47ccb58ef4f25a25359463d17638adc48abaa54ebde70c8e7ffbe

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      58200536baf711b80edcd7be7498faf0

      SHA1

      66489cb01f493c9a5f0f5f687d442ccbc33717d4

      SHA256

      1397734e862b55354b4f8dd557e5c64c4ce4ee42caaa62d0ec90e4251a69566f

      SHA512

      b56aa9de345e1b74a71bdd822efd27b56b69458caa6f1e65878d9b0a270f3525b4d7181ab982ecf9c7d7d9657b7094018d21276c1249f0dc9af65ddbf4bdc8e2

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      2e30cda9db138931d4cc5f7920123546

      SHA1

      c1f464445a1d462c2f895c3815ef48f21c219f6b

      SHA256

      1831649db14fd52d32caa58ef5569881d0d75c0743240d5cb7abbe482a827ab1

      SHA512

      7e7834b1a61cc3daf1592cba4db0b417f02e99e6c6b3d3c8c0e77ce39c4686417ad7638fb0e0c21bdeec1066cb8531b99d398fdee6802f3cfc298730706a0845

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      02c6a54bf4104e2f1c55a1d376bb44e3

      SHA1

      24ee98b173733a5a49a99ac44e4ce2c1f4230a6e

      SHA256

      c54e59f8513eeb13dd0930c0c22057df579d2d998cc38208e7e016e50b4a2637

      SHA512

      865d3f99bc0fcc86ac091bf829ca5929a3ca61a1719981d53d519776db06d93b4439b2e3696da07cd3c8b20c540ab368969323d3b571dc24261a72899e3d0ab2

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      4beec87853d94b52e25df74ba2167725

      SHA1

      b11ecf17e4f21413f4813cf3fdb16d5c4c6c3181

      SHA256

      a4be01ea31cc4f69777178299179973ea8f53d6638b57d113cee8240f2e47285

      SHA512

      aedb37807ffae91935265709c0209544cbfcb56b901f2a7b8fd9757eeb3a32953327352de46d0ffdf5c4a63e5eb410095e6dcba493b0fd0934abe48835baf474

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      6dce0353e2e0cb82827ef76480049176

      SHA1

      775058443c4aecc9b5e20203756fe76176f439db

      SHA256

      16b226521dd723380e2cd1a350150d0ce98b6ed5419d43285ef88bdbe38b3203

      SHA512

      dc2a431c9060ef4c81cae9adc7d1ceb1e89de0982b107e80fdc3fa1aab4ca67569cf90108cccc07f3520a4927eee05c12967d82d3f57b02f3dcf000d7d522e77

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      65d2ce1eaa9aa1ee0e885037160b2f03

      SHA1

      97a47cd3de2e4ef8c62cc97974bb4ebb8fcdaf78

      SHA256

      c92dd48ae73897ce183e869cd8d12fec0e5113a4b9837229cf4cfe83193421a9

      SHA512

      c9c239f6d9ade74da081fe30cf21a0e58425c77e17f9576da718ba04b4bba096141399bc103cebde62b126ec473da559452d37f7a0903e9e4332688c0bb4521a

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      24a0590922e1150a097fa4103dec4321

      SHA1

      68e9509551575ee5d4aa256a9a8ac011bf3fbe45

      SHA256

      1241ebdeb34a8fb99b8d37df783ee76c7757eac972b509fb2c0359c78a6e8aee

      SHA512

      e990dcc817363f6839f681c60667d2ec1ab1e5fee77a178179d81690eea93cb12239bd70de90b6df31029e96e96832fc53904000dad0f4b2de8311ea31c4df17

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      6840553ec98d4ceb1f35c20b1620c0b2

      SHA1

      5f8d0dc08cf544309174fe64b846127e04c3204e

      SHA256

      f2219a8211e8cc0d6b8bc24316cac268bf314d1697e0ae514cca2cc88c582e2a

      SHA512

      d2b9e007cf4d69c2c77d08f27e7cf3f374120611e742729e6ef952842a67bde9861a7eeb5b95fe42073a339b7847e4b6b5d30465e61c86595d6a859e0537fe6e

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      bdef009b44ce422b58dfec6d3b0e712a

      SHA1

      a9c5bcb4b93e851ddbd36acf6eb20155d6a3795d

      SHA256

      d66e7a6a66f24dd97b3893e096e2902b6687b99af9aa7b7b735f4317bec33920

      SHA512

      7a0e77ae1928b2a47fa2e3dc50cef29e71d16aa8a66f180282cede21335b6db894267cb6e351bfc5e61483cece711fd46df62ff87467257ee6d4dbdff2095c08

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      8d9fa6f8bde2b5a979af91cccfe6666c

      SHA1

      88f90679cd0eab46e446ef1bd59a71a76e642e71

      SHA256

      ddbd09eb0a98eac216865c1a5a99a090af51f3810a924ee767e01460a65c6809

      SHA512

      5187432390e0f8adab88d7acbda6084cea4ef7a5e16807f867e27e90ab1824dceade6458ff1196c8e2027afe9d611ef9ba5b00c71a6d1b9cd6af583164f9d9e6

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      12d4a2ba28b61f61682f01abb1660996

      SHA1

      fad2069a354c7de9f2751848c851f72bed2f39b7

      SHA256

      68b08f35bbad2e32e07fe315b25422f3805269fd82a4330d317e3eb8fe9e353b

      SHA512

      85947c5efd98e4499056d14883d62d348502cab8c62d2ba6b47c47d5245ce70f8ff7d71a8fd7708e7e7a29bef0588bbb08dc5741376aab5a18cfdd71f1d4d8c6

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      084a18a565b4430360b9b1be95b5f51a

      SHA1

      bb0dee5ce2d4401b4c2e6078f29bb8722890d78e

      SHA256

      49b891e9a54edb1499ecde71429cacae1667afab15d17a5cf98bdded3e52a13c

      SHA512

      1ffc7a7101386c85c31ef65ae2867250ecd64e3fe6060c61cb6a84e671d61bd1fa6f5ac8a515a1b77ebbe46b819d5517a2acfa10e15aa447c7cd6ce7a147e422

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      d6d6e8467c7d99108420610698177776

      SHA1

      f3d0ad79a879154d6f52dd177482a44f3c81d748

      SHA256

      0c85863f23bfb3ee2fadec3603eb9a9afe691d1ce54604b1e9222270f49e52a6

      SHA512

      b94ff67463e64a135ac0262ebbe6010061cd2912a4c12ed36d543e9359b620ae9f09bc0e6bd2bed9782b7130329fbc850c48062bf8693714ba51c2b3ed0a7a5a

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      b844664d0c2f8ca61c3cfab5b1304a14

      SHA1

      1cffabb3b10a21291511514b0d8408f6272f588d

      SHA256

      84e384a52e24ece84c218ef80e7bfc0b43d82208e3dc9ef0cdb0e6ac928820d6

      SHA512

      29f78f5a5536702bf7603ecee526845a01065946df7daaac4349c833dce93b259afda29f2bd671ff03dd16be12a1d3aaa793c3f1fdf3b63b3513d39209a00e98

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      ca8ae974482131876ff0fdfed4d0ee0e

      SHA1

      21c0c381978ddea0fbd4ff775d2413f9f1f461b7

      SHA256

      35075fea6df3c14a21eed4a61ab9d26da2f3774880300993a6e7f7d1a2731cda

      SHA512

      b46e32911022a6ac437ac88cc0b3fee256cea5bbbdca4a2e84e8493c3eb3a5cfb9bc26ad35b4dd27e5735da43773c13c69a25aaadab6001c7d343cc13bb74f18

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      b24588f90d5b6228f0da6b84a4cae762

      SHA1

      2fa950e5f6ae1b19ba85a8ce0f370b8657ffa565

      SHA256

      576167b84065771a235ccdfa921520636357bcf3848863348738c5dc318a29a0

      SHA512

      379505ec00491afeccdc1ddd2d2bea3f5f8f04888c3183076c888779b6316eb6e95700501fe3735c31c984761028c11bb4530377d63bb63219eecc983394644c

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      c2d0399e927ce4801ebb79444935f297

      SHA1

      a05b9afea29b7993ebf862c16211d88b1d07b09a

      SHA256

      3f39a39d760a4ef970230dafb84040bad22da85870a702dc0da4860bc5650567

      SHA512

      ea412cf39de7f79023b3131725a6bc8ad48023c1efd6d2f73a0c7ca4b9263f6ee9268ae490acd956a0b7b05a23b199701a7cc387da5b76190b92e5bb47b70e15

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      491ee91caf866e6ad9679902042da5d8

      SHA1

      c3e8f0c1696ed8f33ff793c21ade0c1d8d2886e1

      SHA256

      88705c7db551e4391b916cedde00f0c12052bdd91ac7059c7454009de3ef1302

      SHA512

      370428cb7bfd6d9f226aac9f4123b816950c5ce95498508a24c976931251a530da119de4f97d902f6a0464b10c3048bacc4a0d8f322b0e1163766ccbc16c0f8f

    • C:\Users\Admin\AppData\Roaming\logs.dat
      Filesize

      15B

      MD5

      bf3dba41023802cf6d3f8c5fd683a0c7

      SHA1

      466530987a347b68ef28faad238d7b50db8656a5

      SHA256

      4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

      SHA512

      fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

    • C:\Windows\SysWOW64\install\Rs-Pin-Generator
      Filesize

      273KB

      MD5

      73f8b1f6e0e64a648445c575bc64aaad

      SHA1

      5eb0b30e36a234e2e5bcd11f1456cea6ebb914b9

      SHA256

      277e3f881ff5937e48da7594ba43f306dfb9d0ed2e7cfa90360ab60ea05f8e4e

      SHA512

      0ae93d2bf8a949108544dab21d3d8af1d1c82405c48ec06ab89762ad02c3b73b8e0c533b9143d918feea04cce4355a193613a443e1173a373ae94d4cba0a05cf

    • memory/2096-8-0x00000000005B0000-0x00000000005B1000-memory.dmp
      Filesize

      4KB

    • memory/2096-7-0x00000000001E0000-0x00000000001E1000-memory.dmp
      Filesize

      4KB

    • memory/2096-68-0x0000000024070000-0x00000000240CF000-memory.dmp
      Filesize

      380KB

    • memory/2096-1371-0x0000000024070000-0x00000000240CF000-memory.dmp
      Filesize

      380KB

    • memory/4956-6-0x0000000024070000-0x00000000240CF000-memory.dmp
      Filesize

      380KB

    • memory/4956-63-0x0000000024070000-0x00000000240CF000-memory.dmp
      Filesize

      380KB

    • memory/4956-3-0x0000000024010000-0x000000002406F000-memory.dmp
      Filesize

      380KB

    • memory/4956-2-0x0000000024010000-0x000000002406F000-memory.dmp
      Filesize

      380KB