Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-07-2024 20:31

General

  • Target

    79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe

  • Size

    296KB

  • MD5

    79ee1b8ab439125a681223920358d32d

  • SHA1

    e0227af1698b1ef9daf299c22986d2849483bb67

  • SHA256

    075672291ff4cb62a1ea33346eed991e7bd61f7da5ffd9994d170c2b636b1c16

  • SHA512

    9411ea51dcb7f01a1a621f7ab24634f23720a8bbf2a693e864dd2b4d89bcae1cfdb997825a72ca5592dcce14afb2a3fdd1973fb907876044af52c68df0493174

  • SSDEEP

    6144:POpslFlqkhdBCkWYxuukP1pjSKSNVkq/MVJbf:PwslpTBd47GLRMTbf

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

ano911.no-ip.biz:65535

Mutex

R6A3CAOG021X57

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    SSychost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a remote administration tool (RAT) with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1056
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2952
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:1920
          • C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe"
            3⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1820
            • C:\Windows\SysWOW64\WinDir\SSychost.exe
              "C:\Windows\system32\WinDir\SSychost.exe"
              4⤵
              • Executes dropped EXE
              PID:2948
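The process tree above and the Signatures list describe one chain: the sample in %TEMP% spawns explorer.exe and iexplore.exe as injection hosts (the extracted config names explorer.exe as injected_process), copies itself byte-for-byte into a WinDir subfolder of the system directory (SSychost.exe carries the same SHA256 as the submitted file), runs that copy, and registers it under a policy Run key and Active Setup. The Python below is an added example of detection logic for that chain, not sandbox output and not CyberGate's own code. It runs over constructed Sysmon-style events that approximate the tree: PIDs, image paths and the sample hash come from the report, while the registry key paths, the Active Setup subkey name, the value data and the hashes of explorer.exe/iexplore.exe are assumptions. It also shows the WOW64 file-system redirection that explains why the command line says C:\Windows\system32\WinDir\SSychost.exe while the file on disk lands under C:\Windows\SysWOW64\WinDir\.

```python
"""Detection logic modelled on this report's process tree and signatures.

Added example, not sandbox output. EVENTS is a constructed approximation of
Sysmon-style telemetry in time order: PIDs, image paths and the sample hash
come from the report; registry key paths, the Active Setup subkey name, value
data and the explorer.exe/iexplore.exe hashes are assumptions.
"""
import re

SAMPLE_SHA256 = "075672291ff4cb62a1ea33346eed991e7bd61f7da5ffd9994d170c2b636b1c16"
TEMP_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe")
DROPPED = r"C:\Windows\SysWOW64\WinDir\SSychost.exe"          # path on disk (report)
SYSTEM32_CMD = r"C:\Windows\system32\WinDir\SSychost.exe"     # path as the 32-bit process sees it

EVENTS = [  # constructed; "wow64" marks a 32-bit process on the x64 sandbox
    {"type": "process", "pid": 1056, "image": TEMP_EXE, "parent": r"C:\Windows\Explorer.EXE",
     "wow64": True, "sha256": SAMPLE_SHA256},
    {"type": "process", "pid": 2952, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent": TEMP_EXE, "wow64": True, "sha256": "assumed-explorer-hash"},
    {"type": "process", "pid": 1920, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent": TEMP_EXE, "wow64": False, "sha256": "assumed-iexplore-hash"},
    {"type": "process", "pid": 1820, "image": TEMP_EXE, "parent": TEMP_EXE,
     "wow64": True, "sha256": SAMPLE_SHA256},
    {"type": "file", "pid": 1820, "path": DROPPED, "sha256": SAMPLE_SHA256},
    {"type": "process", "pid": 2948, "image": DROPPED, "parent": TEMP_EXE,
     "wow64": True, "sha256": SAMPLE_SHA256},
    {"type": "registry", "pid": 1056, "data": SYSTEM32_CMD,  # assumed key/data
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"},
    {"type": "registry", "pid": 2952, "data": SYSTEM32_CMD,  # assumed key/data
     "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{CONSTRUCTED}\StubPath"},
    {"type": "registry", "pid": 1196, "data": r"C:\Program Files\Example\Example.exe",  # benign
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]

PERSISTENCE_KEYS = {
    "run_key": re.compile(r"\\CurrentVersion\\Run(\\|$)", re.I),
    "policy_run_key": re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run(\\|$)", re.I),
    "active_setup": re.compile(r"\\Active Setup\\Installed Components\\", re.I),
}
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
INJECTION_HOSTS = {"explorer.exe", "iexplore.exe"}  # config injected_process plus the tree


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def normalize_wow64(path, wow64):
    """Map System32 to SysWOW64 for a 32-bit process on x64 Windows.

    WOW64 file-system redirection is why the tree shows the command line
    "C:\\Windows\\system32\\WinDir\\SSychost.exe" while the file on disk is under
    C:\\Windows\\SysWOW64\\WinDir\\. Hunts on x64 hosts must check both locations.
    """
    if wow64:
        return re.sub(r"^C:\\Windows\\System32\\", r"C:\\Windows\\SysWOW64\\", path, flags=re.I)
    return path


def expected_install_path(install_dir, install_file, wow64=True, windir=r"C:\Windows"):
    """Drop path implied by the extracted config (install_dir is a subfolder of the
    system directory, as the observed path shows)."""
    return normalize_wow64("\\".join([windir, "System32", install_dir, install_file]), wow64)


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours the sandbox flagged."""
    alerts = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = set()  # lower-cased paths of self-copies written into the system directory
    for e in events:
        if e["type"] == "file":
            # Self-copy: the written file has the hash of the process that wrote it.
            if SYSTEM_DIR.match(e["path"]) and e["sha256"] == procs.get(e["pid"], {}).get("sha256"):
                dropped.add(e["path"].lower())
                alerts.append(("self_copy_into_system_dir", e["pid"], e["path"]))
        elif e["type"] == "process":
            if TEMP_DIR.search(e["parent"]) and basename(e["image"]) in INJECTION_HOSTS:
                alerts.append(("temp_exe_spawns_injection_host", e["pid"], basename(e["image"])))
            if e["image"].lower() in dropped:
                alerts.append(("executes_dropped_exe", e["pid"], e["image"]))
        elif e["type"] == "registry":
            wow64 = procs.get(e["pid"], {}).get("wow64", False)
            target = normalize_wow64(e["data"].strip('"'), wow64).lower()
            for name, key_rx in PERSISTENCE_KEYS.items():
                if key_rx.search(e["key"]) and target in dropped:
                    alerts.append(("persistence_" + name, e["pid"], e["key"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The self-copy rule keys on the dropping process's own hash rather than on this sample's SHA256, so it catches any build that installs itself this way, not only the one analysed here; the registry rule only fires when the value data points at such a copy, which is what keeps the benign Run entry in the constructed events quiet.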

      MITRE ATT&CK Matrix (ATT&CK v13)

      Persistence
        • Boot or Logon Autostart Execution (T1547): 3
          • Registry Run Keys / Startup Folder (T1547.001): 2
          • Active Setup (T1547.014): 1

      Privilege Escalation
        • Boot or Logon Autostart Execution (T1547): 3
          • Registry Run Keys / Startup Folder (T1547.001): 2
          • Active Setup (T1547.014): 1

      Defense Evasion
        • Modify Registry (T1112): 3

      Discovery
        • System Information Discovery (T1082): 1
        • System Location Discovery (T1614): 1
          • System Language Discovery (T1614.001): 1


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        6fc1d113e4b78557ab2787c2f7ffa180

        SHA1

        8da78a37da41d25c42b389541bdb7fb5ca98dba0

        SHA256

        54eeabf2a1482afd04175bdc6f5dbff5faf798fb49740e7bf816f99b805967ea

        SHA512

        67db8326a6f72ff78da18b1510c1137688971ead3f0394f12f82affbf7b432f83b37f8b0d58afdea726d9184d41df06cd10bb0b3b62157bc79ba4a6a4643ca1a

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        84314c2ba99da34d8eb32c8680938152

        SHA1

        e3bc738b022305cbc507c715e35ebb89e187fc9b

        SHA256

        0359ca198244b5fbe22db1302f3c80cc1d026ab78b7d3c4d230b36c11caeea98

        SHA512

        3dbe43c21bf34d0b425488a907771e7e0954159b54ffddf0a5a631b2d3a835dcce147fab84dedca4496746910b99add6663c89fb774f98c93f4aab1c24ad958c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d6f8d68c2fba6112842640ddeac38ba2

        SHA1

        2afa9c2106701ccfc828a992562535517c63e096

        SHA256

        039f54c439708bbf645b7e83f452688cf00cff6f3f01d3475e4d74625d4ac924

        SHA512

        51360a930c577dc9dd6252095773f8feb4bbdd5f11f1f56c4ce6673ec9c5f3d0059f60e606c41f8fe572cd7bde3f473e6004e03b2e4dff25f9df90515e471b89

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        4792d4b0ee22a25f85623b0211eebda1

        SHA1

        ee9c4fa21e79cd987a1979a98bdd7bd28abb4cba

        SHA256

        a5dd8fab031d98e71abf001faf3ef13cdd700477c0c08f78908167961aa94ca1

        SHA512

        1ab35cb6a3b943cb72011a44da9b1c633c3fb4f59366c66ac1638fa3c88c7abbee8a462dd9975a517210c41aacd0f048a52922134701d50bb9b1539f3b9b0de6

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e2c278325f4e5770422bafde1e3b878b

        SHA1

        a67c255bd1cb7d6777e44918c9603381a6fb4335

        SHA256

        8bfae5f95dac70bb23182bb02ca6e8d85c198a8dbdd7f0ecf333368ae193d8b5

        SHA512

        7c5af6463369f9ddf454da07c6670a151f6a6c290a9763bdd8bbe1b88fc9db3ff209d14b78c3b13b31b09fe88f196ecf32cba9c254e55e7209f618130939013d

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        fecb6c4edf85d1277e13f5526f0b12e7

        SHA1

        85a52670d3d726c03df9242b522dd0018c1b264a

        SHA256

        9940d8aa86422adbb0c91279df4fd4d3113fa2cebf551247ec49b52e081ea440

        SHA512

        3ff3891b618eb96a197fc45bf4c7c8f4818026312a342373bf9dad8a8c527b108efc0fff0a069c8b642b7cef2bac893389cf8689395ea9578933217f0b53097d

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        2c79c1d5c891df869701bde98f405ae8

        SHA1

        90a5bbf7e1b4ab5c134f27052dada8fce4534bcf

        SHA256

        2bf627646b54fe8f97d704653917d559f0f87b3c702886338589b4321fd67a7e

        SHA512

        0090e0b3bcffa814a2034637e28bdded116cced25fe94a2c89ac4fa2520df7eda3b4a1a48a0f2f4bbb4ad4568b1adc7afd4639d59ffd12a5379582f82ad87485

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        cdeb3a654660912e437963918eec509e

        SHA1

        aa68c299aa6fc099a75665218c0413f6917817e5

        SHA256

        2ee49973fffab28dc59ef0c9b2bfdd9e8d452476f12b121d33020654830b5944

        SHA512

        0136659ad4f9b946c66305238ec7b8160f3a8c23d794f7f402a9e7aec2c619769ae387fc71b9734738896b7761479075acd96b971e8d75085bce20d7e3dbfe4e

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        1c87a0772d8fcc1288104517251479b2

        SHA1

        638b94b70a00aa3741c7d9f429ede94db8124773

        SHA256

        179b08ff5b8f81c29d0f1a4477ae89e66adc4a791b37850fe4321321deb93b5d

        SHA512

        e49e6af16ca1444d2de1f39d9f2c4f73d923ecb5bb5f9e6b23111a90d5de7e785416243862a40c2a8b05108e796e71d0e7063ba5efd30168e74dadc41d6c1a16

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        62709348c38a7e551c293ad0a8064699

        SHA1

        d33b5b719b4716573f9bfe84c3b4f19f02a37f59

        SHA256

        5c0d65be1fe4a06b8a40d9d10834f5628bf6664f2171910742a0290b6801a9a3

        SHA512

        3212a04b53039eb21e31070a296bd68650955b49f6937a6fa66fa67977966264e920a1b4c679bf901e0204410828ad0d397861ff7d53ba207b9bd4847efc7d4e

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e4940f174d8ee75abb1561b78187b10b

        SHA1

        a7256ee78fa9d1c80472a2f115d74133acfc79ce

        SHA256

        f53ac34ad48d891de7f5d0921093c11774a26fd356cbf18d3ae1ae214687d2a9

        SHA512

        1c22da7a76f26d878ccbef33b4aadeb8b9b5ecf8ecca7511e294fa02a6564772a83a80978a857c59a09b9771490b3868ad9a45bdf7afd8da41f008d273f4710a

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        9c16217371c5b2baefbaaae9f4691e58

        SHA1

        9eb61dbc7e168dd5ab91981226bac4a1abc78f80

        SHA256

        7ed806ce75563808f0f80488a536061a55b8e134005b11baaec5cbed76ed36ee

        SHA512

        e23c6d6e31e322461e678f386c55bd99e7ff6b274d1f5d70af035b70d6f154f863662028acb2ad958e0f6fb4745eb701edc1dff70f3d46c71cc7e3c4e5937188

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        20d26c26b72266b533fed18f9b55d25e

        SHA1

        a1217b6e520a807ec44a77754849a065d4629ebd

        SHA256

        1d8fb3c860ab3e7599cbd2cd3840ca447425ccbfddd46c0a39d889dbce3880c5

        SHA512

        56bb399f609f88e0a34164deb470988c0ee4780798240c4876ebd9e69b66de5fee8a0ee0981a9d1108eb4abfd0e05f8cad41d540e2af2fb5992abf1d59058a5e

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d76822bcda54c679dc0ce901ca79cf10

        SHA1

        0eee04e1154be61dab341bc48f78d95f680491a0

        SHA256

        47a7456961c63186a26b593cd0ae57b92fde6a676458d6a536b1f0128bf13e35

        SHA512

        b0a335cb7d325d843d2f5051922131d1ae3d3992fd733873dbe9d3045943d0fbe9b24bebeea1a8123470c60159be03b2d66da6eecbb2e1514d58ee408fc00d3a

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        6fc0c857e0d56056a82ed3847600f79d

        SHA1

        4efc2ab3cbfd5ea145617cd8ad66e923245c98f9

        SHA256

        d5300b102cdb54f5247f002e9c3d977daf00b9c2367b82338c9400449b8fec7c

        SHA512

        cace4de2dde6406318998de33a2e96e6099fc40a377f77b24fb5046e54b58257b3f639066e5cb819fa49a06550e6cca5e5c5a0500cbe757ac74f96241267fc58

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        adbd732b56097c95e2c7216a5e8634ec

        SHA1

        573acc1404a64eecbeb2f9bfdecedf97599a260d

        SHA256

        ea459db767719a63f17eb116fdc8132318bf0717bde18f8f3620eba812ed737c

        SHA512

        e12e06d48153c0a8d000933b9a697706f0529287b7e19105651b5b3801155902cc860284963405c45d71d2898a85f7e1183b26a52768a2e6e36b4384395302ce

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        43b3a2b9f23f0e14940e3080da57ff15

        SHA1

        c1f3a30fc84b6019d17c5f3ce938fc444481e273

        SHA256

        6de4c2db4966cff7fd37eac0db508634ae6e38d447550805842a48caf7680c1b

        SHA512

        4ab91fe07ff14cf1d6ef3d7e512619b097e50ea8d63ee73e48a33fa069d33633d1da05d22070008c4a77420a2322e16473d3b1874f17363d0694c7e6159a0386

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        cdcde7a591a91192cabaf1c9e0150219

        SHA1

        7c26f33c2483db7c6f12bdae2b2f017627b773c2

        SHA256

        e029353fc6c15b0f0191bb43ac245f542cee2c69de17cfbfbdf2d2145e29699b

        SHA512

        cc912f20a5f68b00670e42ee12a46d3b2a80d1d90f82af5ea1159061dd931f15a70cc10a55cfe33d86b3b2cba4b7f6d142b00c0d0b3c6739c399d7bd8cee67b6

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        7ee19f9ec59fda92f62c613be7edd15b

        SHA1

        a48551c407373454ff6981a6e43e98aa77c7a1b6

        SHA256

        c7caff26d72526612339681de13424d5672b06b9669aac906504581d04f5d462

        SHA512

        e2a0b774258499959b04711791ed1a0928cccbb9c56e727018891e708b3a3bdcfc7fd4ef89bd5297c6d0978efb56b249ac9faa16338e57921b9d7fe33029e7b1

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        b2103cd2712570a0d25a97309040cb60

        SHA1

        21938bf636bfc388059b81eb41202d04b6535153

        SHA256

        f8b3320ae9886e16993bc9b5ca1293f661b0e91b81f1cf713be467b58fb5345c

        SHA512

        28af59224f60adad99bae71c42bfcad53f06d2f5b3a6faf70abab96ca803950f37467c6c41089d41d574893b669667de7b36c8f96d9db3e937ca41fd79e6e6c8

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        6e41c0c07d292d4fd84c7ff029c9fe75

        SHA1

        e2b71647061bd1c38389be1fb89e16604d5aa6d5

        SHA256

        e72b4b065538fa0b70f1cfc116e9bc07842d87892abb25235c2d1a408fd696ab

        SHA512

        399830baaa2ba220340e2c6c3ca374a2484141e4eb563446a42d10d066c020684bb5f2efaf691da3b6fecc6731b24edf0cbc959462ff13870612020327777bef

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\SSychost.exe
        Filesize

        296KB

        MD5

        79ee1b8ab439125a681223920358d32d

        SHA1

        e0227af1698b1ef9daf299c22986d2849483bb67

        SHA256

        075672291ff4cb62a1ea33346eed991e7bd61f7da5ffd9994d170c2b636b1c16

        SHA512

        9411ea51dcb7f01a1a621f7ab24634f23720a8bbf2a693e864dd2b4d89bcae1cfdb997825a72ca5592dcce14afb2a3fdd1973fb907876044af52c68df0493174

      • memory/1056-2-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

      • memory/1196-3-0x0000000002470000-0x0000000002471000-memory.dmp
        Filesize

        4KB

      • memory/2952-1754-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/2952-536-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/2952-309-0x00000000000E0000-0x00000000000E1000-memory.dmp
        Filesize

        4KB

      • memory/2952-246-0x00000000000A0000-0x00000000000A1000-memory.dmp
        Filesize

        4KB