Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-07-2024 18:55

General

  • Target

    79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe

  • Size

    341KB

  • MD5

    79a62d9b25dd93ce3345c92e49e6a658

  • SHA1

    89aeb299eaf63fc3e87d0bb41ccc4f995e92d6fd

  • SHA256

    836250cc1bb5ff9bda81c4554a83008fb9b61803d7d613977b41763606b58f3b

  • SHA512

    f38f7a601b9c3901ed4678271da5cd4a20b0fb00cff4a4978d9388e25df90348599f0ea2ec01cdd1bc2f2eb1b4e618ddb9d300c0e63c0478fa49905df629fbbd

  • SSDEEP

    6144:pOpslFlq9GHGFhdBCkWYxuukP1pjSKSNVkq/MVJbI:pwslOOiTBd47GLRMTbI

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    Cyber

  • C2

    frisdrank.no-ip.org:82

  • Mutex

    46G44QW5AO0752

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Winlog

  • install_file

    CyberGatev1.07.5.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (7 IoCs)

    Detects executables packed with UPX or a modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1820
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:3420
          • C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe"
            3⤵
            • Checks computer location settings
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:440
            • C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe
              "C:\Windows\system32\Winlog\CyberGatev1.07.5.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3756
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 580
                5⤵
                • Program crash
                PID:2304
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3756 -ip 3756
        1⤵
          PID:3376

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 3
      • Registry Run Keys / Startup Folder (T1547.001): 2
      • Active Setup (T1547.014): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 3
      • Registry Run Keys / Startup Folder (T1547.001): 2
      • Active Setup (T1547.014): 1
  • Defense Evasion
    • Modify Registry (T1112): 3
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2
    • System Location Discovery (T1614): 1
      • System Language Discovery (T1614.001): 1


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
          Filesize

          224KB


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B


        • C:\Users\Admin\AppData\Roaming\Adminlog.dat
          Filesize

          15B


        • C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe
          Filesize

          341KB

          MD5

          79a62d9b25dd93ce3345c92e49e6a658

          SHA1

          89aeb299eaf63fc3e87d0bb41ccc4f995e92d6fd

          SHA256

          836250cc1bb5ff9bda81c4554a83008fb9b61803d7d613977b41763606b58f3b

          SHA512

          f38f7a601b9c3901ed4678271da5cd4a20b0fb00cff4a4978d9388e25df90348599f0ea2ec01cdd1bc2f2eb1b4e618ddb9d300c0e63c0478fa49905df629fbbd

        • memory/440-138-0x0000000010560000-0x00000000105C5000-memory.dmp
          Filesize

          404KB

        • memory/440-1436-0x0000000010560000-0x00000000105C5000-memory.dmp
          Filesize

          404KB

        • memory/1820-66-0x0000000003B40000-0x0000000003B41000-memory.dmp
          Filesize

          4KB

        • memory/1820-8-0x0000000001050000-0x0000000001051000-memory.dmp
          Filesize

          4KB

        • memory/1820-68-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB

        • memory/1820-981-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB

        • memory/1820-7-0x0000000000D90000-0x0000000000D91000-memory.dmp
          Filesize

          4KB

        • memory/4572-4-0x0000000010410000-0x0000000010475000-memory.dmp
          Filesize

          404KB

        • memory/4572-63-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB

        • memory/4572-6-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB