Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-07-2024 20:31

General

  • Target

    79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe

  • Size

    296KB

  • MD5

    79ee1b8ab439125a681223920358d32d

  • SHA1

    e0227af1698b1ef9daf299c22986d2849483bb67

  • SHA256

    075672291ff4cb62a1ea33346eed991e7bd61f7da5ffd9994d170c2b636b1c16

  • SHA512

    9411ea51dcb7f01a1a621f7ab24634f23720a8bbf2a693e864dd2b4d89bcae1cfdb997825a72ca5592dcce14afb2a3fdd1973fb907876044af52c68df0493174

  • SSDEEP

    6144:POpslFlqkhdBCkWYxuukP1pjSKSNVkq/MVJbf:PwslpTBd47GLRMTbf

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

ano911.no-ip.biz:65535

Mutex

R6A3CAOG021X57

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    SSychost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3500
      • C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:796
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:976
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:4588
          • C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe"
            3⤵
            • Checks computer location settings
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3224
            • C:\Windows\SysWOW64\WinDir\SSychost.exe
              "C:\Windows\system32\WinDir\SSychost.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3948
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 592
                5⤵
                • Program crash
                PID:1900
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3948 -ip 3948
    1⤵
      PID:1336

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • T1547 Boot or Logon Autostart Execution (3)
      • T1547.001 Registry Run Keys / Startup Folder (2)
      • T1547.014 Active Setup (1)
  • Privilege Escalation
    • T1547 Boot or Logon Autostart Execution (3)
      • T1547.001 Registry Run Keys / Startup Folder (2)
      • T1547.014 Active Setup (1)
  • Defense Evasion
    • T1112 Modify Registry (3)
  • Discovery
    • T1012 Query Registry (1)
    • T1082 System Information Discovery (2)
    • T1614 System Location Discovery (1)
      • T1614.001 System Language Discovery (1)
