Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-07-2024 17:10

General

  • Target

    78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe

  • Size

    776KB

  • MD5

    78e7f1563c25848c3762b61c2a49087c

  • SHA1

    f41a87a66f64ae821109155af68e0d2c0b580c90

  • SHA256

    52b15158cd920cb369a6e000be8e17206913fc5f06fdbb5e87403ab30f17e820

  • SHA512

    369ab1ffa92c68056b5631fe776c032e0e8d117bfb31342939c0a6ae6fdc2dbed73dbbdc8aa2c5082e1ae52e00f4bda18d649daeedfb254280f5b763a1afe03a

  • SSDEEP

    12288:Hm88dAkLtY3RehWUA7bxq1f+aRyVs1QXmFtG2LPm7Va2wWrXuGcSIOUHBhzCli5n:HQt5AUTL+96LzBef

Malware Config

Extracted

  • Family
    cybergate
  • Version
    v1.07.5
  • Botnet
    cyber
  • C2
    rotca.zapto.org:100
  • Mutex
    NAB4KV5S88U048

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    p4xati9600xt

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1172
      • C:\Users\Admin\AppData\Local\Temp\78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2376
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1624
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:1860
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:1276
              • C:\Windows\SysWOW64\install\server.exe
                "C:\Windows\system32\install\server.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2508

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      • Execution
        Scripting (1) T1064
      • Persistence
        Boot or Logon Autostart Execution (3) T1547
        Registry Run Keys / Startup Folder (2) T1547.001
        Active Setup (1) T1547.014
      • Privilege Escalation
        Boot or Logon Autostart Execution (3) T1547
        Registry Run Keys / Startup Folder (2) T1547.001
        Active Setup (1) T1547.014
      • Defense Evasion
        Modify Registry (3) T1112
        Scripting (1) T1064
      • Discovery
        System Location Discovery (1) T1614
        System Language Discovery (1) T1614.001


      Downloads
