Analysis

  • max time kernel
    134s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-08-2024 13:13

General

  • Target

    809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe

  • Size

    973KB

  • MD5

    809c47b646c7f09b3560feff503ff533

  • SHA1

    5071dd6e257fc7ea619fe7c1170ccd36fdadd6fe

  • SHA256

    3ea1672072c73c71b4d43e7d2d7d269c678107ff7995e9cdcfc2ce6935bd6b91

  • SHA512

    32581c486d94d5c69449eea047a7c002f9c2391e37096cd12df86a8a7c856d3c9648c47f0ad210d2f60c3e92c681ef16b7e8ce547d83c61f1031ed44af96cc9a

  • SSDEEP

    12288:9FmcmPZ2FRHupoVy5mwUenTaQSQBfdV+FlLFb3cFb6qb3sc6kdHUTBfeoF9NZLek:LRH5ROG7bDe4opzyfffDfffF

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

127.0.0.1:82

glider.no-ip.biz:82

Mutex

21C55QTSN11T42

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinLogon

  • install_file

    WinLogon.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    alomhack

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate (also detected as Rebhip) is a remote access trojan with a wide array of functionalities; the extracted config above shows keylogging, FTP upload of logs, process injection and install-time persistence all available to the operator.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
        PID:2488
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2352
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:275457 /prefetch:2
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1496
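
Detection logic derived from the extracted config and the process tree above, as an added example: it is not part of this report and not Triage's own tooling. The indicators (C2 host, port, mutex, install path, the WriteProcessMemory + SetThreadContext pair) are copied from the page; everything else is assumed for illustration: the event schema and field names imitate a sandbox API/behaviour log, and the sample events, the parent PID 1000, the benign PID 3001, the install path under AppData\Roaming and the 203.0.113.x addresses are constructed. Two caveats the report itself supports are built in: the 127.0.0.1:82 entry is loopback and is not used as a network indicator, and the hollowing check keys on behaviour rather than on the configured target image, because the config names explorer.exe while the run above injected into iexplore.exe.

```python
"""Detection logic built from the indicators on this report page.

Added example, not the sandbox's own code.  The event schema, the field names
and every event in EVENTS are constructed for illustration: they imitate a
sandbox API/behaviour log, not Triage's or Sysmon's real output format.
"""
from collections import defaultdict

# Indicators copied from the extracted CyberGate config and the process tree.
C2_HOSTS = {"glider.no-ip.biz"}   # 127.0.0.1:82 is loopback, not a usable network indicator
C2_PORT = 82
MUTEX = "21C55QTSN11T42"
INSTALL_PATH_SUFFIX = r"\winlogon\winlogon.exe"   # install_dir\install_file from the config
HOLLOWING_APIS = frozenset({"WriteProcessMemory", "SetThreadContext"})

# Constructed events (NOT from the report).  "api" events carry the calling pid
# and the pid whose handle was used, as a sandbox API logger would record.
EVENTS = [
    {"kind": "proc", "pid": 1724, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
    {"kind": "proc", "pid": 2352, "ppid": 1724, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"kind": "api", "pid": 1724, "api": "WriteProcessMemory", "target_pid": 2352},
    {"kind": "api", "pid": 1724, "api": "SetThreadContext", "target_pid": 2352},
    {"kind": "mutex", "pid": 2352, "name": "21C55QTSN11T42"},
    {"kind": "file", "pid": 2352, "path": r"C:\Users\Admin\AppData\Roaming\WinLogon\WinLogon.exe"},
    {"kind": "dns", "pid": 2352, "query": "glider.no-ip.biz"},
    {"kind": "connect", "pid": 2352, "dst": "203.0.113.10", "port": 82},
    # Benign noise: a browser that is written into once but never has a thread
    # context replaced, and that talks HTTPS, must not be flagged.
    {"kind": "proc", "pid": 3001, "ppid": 1000, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"kind": "api", "pid": 1000, "api": "WriteProcessMemory", "target_pid": 3001},
    {"kind": "connect", "pid": 3001, "dst": "203.0.113.20", "port": 443},
]


def detect_hollowing(events):
    """Flag parent->child pairs where the parent both wrote into the child and
    replaced a thread context: the WriteProcessMemory + SetThreadContext pattern
    the report shows for PID 1724 -> iexplore.exe (ATT&CK T1055.012).  Keyed on
    behaviour, not on the image name, because the config says explorer.exe but
    the sandbox run injected into iexplore.exe."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["kind"] == "proc"}
    image_of = {e["pid"]: e["image"] for e in events if e["kind"] == "proc"}
    apis_seen = defaultdict(set)          # (caller pid, target pid) -> APIs observed
    for e in events:
        if e["kind"] == "api" and e["api"] in HOLLOWING_APIS:
            apis_seen[(e["pid"], e["target_pid"])].add(e["api"])
    findings = []
    for (caller, target), apis in sorted(apis_seen.items()):
        if apis == HOLLOWING_APIS and parent_of.get(target) == caller:
            findings.append({"technique": "T1055.012", "caller": caller,
                             "target": target, "target_image": image_of.get(target, "?")})
    return findings


def match_config_iocs(events):
    """Match config-derived indicators.  A DNS query for the C2 host, the mutex
    and the install file are specific; a bare connection to port 82 is weak
    evidence on its own, so it is reported with low confidence unless the same
    pid also resolved a C2 host."""
    c2_resolvers = {e["pid"] for e in events
                    if e["kind"] == "dns" and e["query"].lower() in C2_HOSTS}
    hits = []
    for e in events:
        k = e["kind"]
        if k == "dns" and e["query"].lower() in C2_HOSTS:
            hits.append(("c2_dns", e["pid"], e["query"], "high"))
        elif k == "connect" and e["port"] == C2_PORT:
            conf = "high" if e["pid"] in c2_resolvers else "low"
            hits.append(("c2_port", e["pid"], f"{e['dst']}:{e['port']}", conf))
        elif k == "mutex" and e["name"] == MUTEX:
            hits.append(("mutex", e["pid"], e["name"], "high"))
        elif k == "file" and e["path"].lower().endswith(INSTALL_PATH_SUFFIX):
            hits.append(("install_file", e["pid"], e["path"], "high"))
    return hits


def suspect_pids(events):
    """Union of hollowing callers/targets and pids with high-confidence IoC hits."""
    pids = set()
    for f in detect_hollowing(events):
        pids.update((f["caller"], f["target"]))
    for _, pid, _, conf in match_config_iocs(events):
        if conf == "high":
            pids.add(pid)
    return pids


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print("hollowing:", f)
    for h in match_config_iocs(EVENTS):
        print("ioc:", h)
    print("suspect pids:", sorted(suspect_pids(EVENTS)))
```

On the constructed stream this flags 1724 -> 2352 as a hollowing candidate, reports the mutex, install file, C2 DNS query and the port-82 connection for PID 2352 (all high confidence, since that pid resolved the C2 host), and leaves the benign browser at PID 3001 alone despite its single WriteProcessMemory. Note that the Network section of this report is empty, so the DNS and connect events here are what you would expect to see on a host that can actually resolve the no-ip domain, not what the sandbox observed.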

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Downloads

    The CryptnetUrlCache MetaData entries and the Cab*.tmp / Tar*.tmp files below are CryptoAPI certificate-cache artefacts produced when Internet Explorer is launched; they are not payloads dropped by the sample, so do not treat their hashes as indicators. The memory dumps at the end of the list (PID 2352, 0x400000-0x451000) are the hollowed iexplore.exe image and are the useful artefact to pull.

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1213ed411eb613535bed1f8dc72b895a

      SHA1

      75dcb4821ede423e7b82c8dac8afe5a59a736b23

      SHA256

      6382fb1fa1e54397354386ed5c6f9efe5a24f4d510d97ffc1aeb6e6fb78f2aba

      SHA512

      c0ad6c8d5130835a41522cc9fc7cb5176dcd2592a8964bbf209c3fe70a1b703613f7b24f771e23667a3137574270f818f60d83df5c022791c0a26685177e2815

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      078b1bff9471e6db266bda2912a7ee07

      SHA1

      897a806ad9b577dd3a073473036d0b3a59248c18

      SHA256

      69f3610b8c3876cbe94c746632d0f9c812542c4d96196e9c08ae055d5ad5b0b8

      SHA512

      b1bb5fde1c60f872e59472b21048eb3475b88487eb21a97e327cd82e2a12d9bdc0709b1b08a902288ec1494b0e5f4373abd7dd0978a5d4ac03758b8d23bb1d6f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1422b80e64ff1b0cfd4e0af2e3515833

      SHA1

      634af2f585604a6c2abd2adae70fc0db326e9f1f

      SHA256

      635e90209b0c4472613536af2fde4cbcd42bbd9986be16f9608316919758a500

      SHA512

      064c68b76241d821f9b3bb31ae5dbc84166cc02fff7731e78fa93b79a04a688048f1fb1c91b2b3481281f8b5d50a67e17f047923bfc69d49fcdb546bf811573a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      09393c9db65198474db0cca79aa1cca2

      SHA1

      20c8aafc4501bae302e5d6e16ee9f997fd85c63a

      SHA256

      74037fff695d845db784edc4b0d70d423bcdafb7c8b632f4419837c063657005

      SHA512

      a403bccc0f983c40dab9aff2eb9a33b14233ad5ca51f2f00c8ce8bdc77b88f5d67ce1808d3020174ea41a49d871b309e0349582a366814120e94f176f28b9ffe

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      eaa5f3a2cd17a8a79c74b21d0644e058

      SHA1

      198f35b8861f7ea0bc02e061bca8323df9e36154

      SHA256

      54a8acbdfc65e5050ad3a786051ecb964518321dc3b965d5e523dc39148d51ff

      SHA512

      f68eaa5468978f5923483dc215557107f4f3c6feeb110b2f8f74e3987300fbd2864dee3ba4f30dc1f83f05b2c5447287db2f5946fbb08d7a847efe810f1000d9

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      27a18cc227c9548ba749ffd67603e76d

      SHA1

      bd2662cad0f603fb68b560245f00f28c075e0649

      SHA256

      020d38f20956b5bf82b713ca191d17587d98e393f10a5f87f1b7e2797a2db2a5

      SHA512

      1918a976f29d7c5c4a411ce29fa7076503e77cf10687a13ffaf996d798c8d90fa8e469e5bf4cfff01dda4ab72991086e1294f703acd9d47ad574874a675a1e74

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3fdd56a89d098f9f7b48d34cae7e03bc

      SHA1

      fca1339d864486a428db3eb8af1b158140053e44

      SHA256

      e5bc4d6471d48be2609104c030c075e878e1d675f41db33462c02ccee8b8b9bd

      SHA512

      9ef718fa4cf79c11b8807f73f7c355010849c9a04dec966f6ddafb256256da6c0a95a6171f72503c5d845abae58b544042bbde9e64fa37c34a9cd927b6166b39

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1b78c29500c07913e9d1b6d8eb49e8b6

      SHA1

      003ad6e55de5f565028d041bbd8f4d526816fa73

      SHA256

      72773c807a0588452752ea94031f6711b678baaf46cf0557856b0379052751dc

      SHA512

      7cd9ad575e60948a8fcceb87fce0bb9ec071de17d4ceb28b55b2ff9534ce4177b4fa8611931ee9ab0af20a8487710596b96ca906e60c16e65a85ae56a5f94db2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5f762fca1f8c9a22bb28cdb8423e8108

      SHA1

      ac62cfef809ecd8ea86bc01e214834e21c3da020

      SHA256

      91a13ffb56e8f2d21ba1c75d3e48d21f159afe7f301ae4cad3709fb96bd3c3c7

      SHA512

      125a5523dbebb4aae40d85794475d92296838765f06ee80db597e4019049fcc148fe538e1ab4c54105dd8a93628a3acd30bf954afd0cf1e4aebcb72957ffe411

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      6662600bc857326ea1f7ecd0e7e1c594

      SHA1

      34a2b51a32aa2b19404c3996118ed08d5ebf3ec6

      SHA256

      ad66c03ff2bf9c58f4a98182e7894923fdb337c7de36bcd0d2c38d61145a29c1

      SHA512

      d25d9be359c2c82ab63d8239e6f4cdd2e13713d3c3f9e2e54f303d5e43232e44555c9d79fed5a831ca32ae87097784337000d39467a3cc6fac1dfae911da4373

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e8a10359c29821c8f0ce128178a3677e

      SHA1

      b7b7eec25472cd4ec3fd0eeac33402a5090bd287

      SHA256

      5a2204e99394abca455f8b5c2fa4ab5d6ce9385e1c01c65078cb4b1b845b7151

      SHA512

      8087582425f1b4688e272ea87b4e537d71a8d267d40cf3307834625c2a9c773cf73009dc5a3da6d48148429f4f8175e849315e5fb570891b72e0b10dd5cac0a3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      2b14d0d19fcff071f60afebeb0563cd6

      SHA1

      74380e39ae08618a03e24c4a21624b43ebb4c2de

      SHA256

      937b93ba6db1ed7d23c5bce909a28ab9bcd94a2ede2f9b84fabb2302e8368f18

      SHA512

      54ea5527194fbbef6a0c53d0f067d46542f1868e2a1032cb4eef34f4858d31ec5afc396a3d79953c25a9bb697a054e34f8d17aab060d3bf5fe2d0d0820d29503

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      db49dc6ccaaa6e866120f9067d653a39

      SHA1

      7a6cff3343179fc8f602c2a5d1c0d5b11a1a223c

      SHA256

      18872cc55f3d0268ca500eb2e746170c840d99ae1da47e13217bd5f9358fdd22

      SHA512

      222dfc61b92ab81fc5d273a66e8d2d499a7a0384604d552fe143292314abb0d8688d259ad6528c3c790734054e318d5256e43aeb9995e4ce167a42e9b6cfade8

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      45d3206a388fb8694b338a0a299fa9e4

      SHA1

      1e03de8dabb08d66d155bb0532ac03b37c15075e

      SHA256

      022027da2b53f98ab56ac8f0e0f60bcb565e6746fdcad73a2c86cd2f3a5844ca

      SHA512

      989f3b934231eee7fe9f1851e060c5c98ce1484251972dff9542a8ff5f9dfe33f7ba2bec4bdeae382a340da266f29f06ec4f4c9fb6965c5b4481fc418f3d59d8

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1ad3001c5c7849c9563f14caa00d5de3

      SHA1

      933b7d05e5461d705af64e05ae2a8a268adb7a62

      SHA256

      7b2c8ebd64b5a17a1961835819bc4b93488f5944a17f97976e74da4f069505a8

      SHA512

      8aff00435ad29c59d5a8922abc6ec53e266d6109392ca33c442e35c5710dae5abf8f1beaa14c79442ea1b45420ce11aad70588fa8692e339fe9a45d6cddc0884

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      fad357a0cefe595338b6c8082dc6f7a1

      SHA1

      0833a1b36f3cfc107599d1721d80dc2ef2355ec9

      SHA256

      a83acee4fcadac99f3f5901c93dc3d238f5245820c27735d13a6586fec5305ee

      SHA512

      c02bcab203fec000c903be3436de435d338e82bdc3d4fd2ca70ee072f040150195c9c550642adf7aa8c82a9a6ff535858555dd65b35364fc1f17e88bb8d917b9

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      397b51b2c05d0b1b869ba680f06e0fcb

      SHA1

      3af6ed6a16a9ceaae009f27aae5a044e93e73103

      SHA256

      56ca7bce662bfa759ab112cb5a33d198463d38f3fc4ccec0158cf9ab3a1cbd10

      SHA512

      e3d22f86c32d83bd42df0cff6489c11c6dcbb54e3a3f9ff346167d5190ad1d85217edd3047d563c8397c0b5620e85f9809dd381290a72feb51581fca58d4d412

    • C:\Users\Admin\AppData\Local\Temp\CabF3E2.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarF454.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • memory/1724-4-0x0000000074BB0000-0x000000007515B000-memory.dmp
      Filesize

      5.7MB

    • memory/1724-0-0x0000000074BB1000-0x0000000074BB2000-memory.dmp
      Filesize

      4KB

    • memory/1724-1-0x0000000074BB0000-0x000000007515B000-memory.dmp
      Filesize

      5.7MB

    • memory/1724-2-0x0000000074BB0000-0x000000007515B000-memory.dmp
      Filesize

      5.7MB

    • memory/2352-3-0x0000000000400000-0x0000000000451000-memory.dmp
      Filesize

      324KB