Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-08-2024 16:30

General

  • Target

    8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe

  • Size

    296KB

  • MD5

    8136ac6572c5e8e6f6f85bcf92274bf7

  • SHA1

    a34fd043c3f3370f1619c89614c44fc256024c79

  • SHA256

    0303198253d95e625492a5c949095557e55f3666643308e0dbbdbb8eb65d5c5b

  • SHA512

    c309fc0f95e49a790e924f234d310cd68aa89bf5fd390cf7c108e8629104ac5ab83294496703b316b5bb49d1f6eb81c3cdcc2810eae3f68e0f45c42431f668fa

  • SSDEEP

    6144:/OpslFlqxhdBCkWYxuukP1pjSKSNVkq/MVJbD:/wslkTBd47GLRMTbD

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

runninglosers.no-ip.biz:100

Mutex

D8DTC141NQ8Y22

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1000
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3004
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:2668
          • C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"
            3⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1624
            • C:\Windows\SysWOW64\WinDir\Svchost.exe
              "C:\Windows\system32\WinDir\Svchost.exe"
              4⤵
              • Executes dropped EXE
              PID:2760

      MITRE ATT&CK Matrix (ATT&CK v13); the number after each technique is the count of signatures above that map to it

      • Persistence
        • Boot or Logon Autostart Execution, T1547 (3)
          • Registry Run Keys / Startup Folder, T1547.001 (2)
          • Active Setup, T1547.014 (1)
      • Privilege Escalation
        • Boot or Logon Autostart Execution, T1547 (3)
          • Registry Run Keys / Startup Folder, T1547.001 (2)
          • Active Setup, T1547.014 (1)
      • Defense Evasion
        • Modify Registry, T1112 (3)
      • Discovery
        • System Information Discovery, T1082 (1)
        • System Location Discovery, T1614 (1)
          • System Language Discovery, T1614.001 (1)

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        30ef56f1e8fabb47b170358d9c79ae46

        SHA1

        4d036a2bc18f68c4b841e7bad0f4dc6ea99f9712

        SHA256

        a620d8cfdf8e42c18c11f245470048d7bb297fa8358032675256edc1ab08c75e

        SHA512

        269c564171da5a0768cadcf8d16b04cb8586768754d5e32d6e7c5eef37d481d22490f514dfd70496051c6fc7735cd02d62091a7420ae53f4915f3d045433d696

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        4437a23e1ae32ab467d3b8d24d6845c6

        SHA1

        5ebc0c1e0d5dc76b86cb7aca42fd714b342cacd1

        SHA256

        ac9c0f0abd61ed28c8f0e8247ffa77bbcedef156ca41fc0a4cb364e8c60643c9

        SHA512

        0c2e629d07379f38270a6287749e8f1fe6b4c211b18fbf2098c49a5bfd2f67589bad0ddc9dafdd0bda3d73e4ba4fe3bda0479cae1ff855bdf789b3393037b0b1

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        b7b51eca6dced9a02dfeb26e0172823e

        SHA1

        9f0feb4cda74add4056ad2d2f02591998e370caa

        SHA256

        be20ef279bb935da81ba018483f33a57b70d460827ce281686c409de89f47f79

        SHA512

        927157829fbd0fd535c2f2e5c71ad5ed0da2396f5d106231239510ad1f990ebd6e88dd54ef254b541974c45cf06637782ced5080920fe2985c21132245abd464

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a342fe2d75cc0f0ebdbc44a3803ba87f

        SHA1

        5130f89abf2fa6de40f8b96364de15215261489a

        SHA256

        f38cdb256f2ccc8840b1d5dc8a24e44ef11549030a8fb95ddbad48dc9be26296

        SHA512

        ef5568e623b7f02c27b0c3447a2fa3d8840cb13f3ffc55173ccfa86cb08380ca9d45379738ff7d86698a7a81232dbc65d97c2ec6c662f6ac8800314e4808d76d

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        adefe05a088283e7e6ec31d0d9253c6e

        SHA1

        403165a438ff1662279f57b9cba0bdb49689b48f

        SHA256

        37f27a032fcd1fe44f158065963279eeb40a3be191741ce0e9cdab4541f0a691

        SHA512

        b90f387c84a46e210f6faa1d5bb584200653147fd44c8c8c463031447f5656e4c7505f0475b5624bd0dfd9ec43288720bb2941b3911ec27042c20c674f81d3a9

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        b05dddbeaf6da4f15194038212ad84f2

        SHA1

        22eec39cf1a37458953cc8a6785d8cabfae3a8e7

        SHA256

        8af4120849f6ff52fadd489ec23c297dcde9bfd4f138e34711af60e553f2c127

        SHA512

        5fe9b9fa420603a899042d6e2c01f1b48ed552001d54a98f78a6ae36e02625573b39daacc629eaf4479f6dbff4d978d191e2c7cc1b469901427d94bc0480f5c0

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8ce48817c6854d02abc6cad8ac089703

        SHA1

        e2fad68a5934bc016b068d9092c205a87e4f7660

        SHA256

        4d3348133188468f1ab7c706421854802aa9185aa9e7e76a976eaeff4b90449a

        SHA512

        2f82260ac33efdc5a1086674e008905ead41dfe2d92307ed42da39768581d0e47ce6f08b99d8205a88315409681d0c5a3575e8c87ff5900ccf91887c64cfa52c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        79b0a686413be35243fd0ed931c6bf31

        SHA1

        6bd81d514f35c085b4271f062c64e6d4f72983c2

        SHA256

        0ca08b74bbf98bcd93d9a827666d26e8662f5ffdfd5423e2459664a2205c9282

        SHA512

        4a679520293c8f479eb547757f0c50177f4659836b5510363adda518f43e7ea4bd3822842705f6f20a0498470ed2ad0d85763ec9591c48bb4564e4e59952b668

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        1546315285d0b0c8841aab60f567787f

        SHA1

        b084284bbff07a7b2799c24b9b4f0fff48f5c6c1

        SHA256

        b52c2f258e78c1c31066ce1728c9b0cc3e739930e65df479671871d1055d887d

        SHA512

        844419bc12ba59ad33a986d2299e46d7df1f0346d623a3576c78542496ddecad5c530257bbd72ae24db384368ae441609c44e569a532df632aa3ce33d727eafb

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        86f70b5f6429d23e8247af645bb13f09

        SHA1

        7b8add361850870feda854a6db71d4cd5ba7e337

        SHA256

        ed3a2e19370499877da0b400dac35d9ca5f8dfb909a72ea192d80732d92ad59e

        SHA512

        bfcefd46b998a5f7f10424bf35e3dbb63f02d9956e0e9f5eddd05ce270ad0e019d4d6da6f594cb962676018cb45b024cc8c4148277abef4c72e4d3e4d44d50d9

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        132c5c7e4f19cfa216adbd37fa1123d1

        SHA1

        34981955a3e8f584b5ef0f57d880702eb9cb48de

        SHA256

        460834d36bc5c976e2fb3048adaeb2cb5aeb12acf1ef0db4f38b84cd32364abd

        SHA512

        0696a8be0918b8213132d91d25da84f77b4a054c45c7439486e81ded4f4630da1163565aa29c89290da1c691ad6305200801ce510a7597136e69f75ef2289684

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        573390e8bbc8f969a41b6a4dfacd35b8

        SHA1

        a2738062800234a66c1c8c500a2a9fec89126c52

        SHA256

        daf020011d03f4ce6bf6de5161965ff5bffa7703a1114f13401967b946634230

        SHA512

        24c3967652dc8e0eb4aca3fbdd3c945798ab3c35acfe405af816f23ed14ea0b6493382b8c861af13253b5e9351c6114169877e3bd1ad69daa87de70a59b6726c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        475a5f692959acb40325f491386813b8

        SHA1

        35a7acc8e41ea683cba554b89c7d338f69fa456e

        SHA256

        2d7aa6bb8ba30f1e94394db9d650505ecee207c05c35ecf2666526b09d4271ab

        SHA512

        997354a146f6f498f282323d6d9f171e597acb6bb5a2064795e8da004713ba5cd165ae02f348c3349b1480dd1a946f76acdb907cacad9350b0f94c9090d1cc05

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        09fe816e228d82bef96ec60d304adb57

        SHA1

        3e209c33045ed21dc1c6bbcab0130a45e47fca1e

        SHA256

        f2752d67cc91b8087c7c89144fa74c19590c0cc4c5be7aeb42e24c720a7dc245

        SHA512

        59fc744b271a77ad31592609ee7e09a8a6b4a457bac7f3f743fd63bbd0ef40a2ca92bbf3f16dbdc625dd5088648263cda168296758a2e2a4d80b0f5cfe315d0c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        97b50583b7f07b7e4c4e9bb36357729b

        SHA1

        a1958d209988ccf7c61d90d086451ace66a27cda

        SHA256

        9ae17e5affc7acd9b46b8fcd4ef29f92eb4cd9443017f2e08a55a10ccb9a587c

        SHA512

        79ec096cbe64debba10cecf93be1e0362c1f323134927650e5b5f9c9f7ae609a17befcc35062947219570ea9355c83855aa5b478bf006ac1757e51a7fb036961

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        bfd4c7b8d9980f5ed6f9be8eca4551aa

        SHA1

        80ce3ed7c9b3b094eee5e538fed04bcf1c56f216

        SHA256

        7279e7b6790c64968600c85e6bfefeeee4908c2777d88fa2b9909b42abaa4717

        SHA512

        e76749eb7ca6db3b0ab2bb712c4f0aa87c079573db3e678b8c7c2a4d7c01b78acb94ee71cf46900b707eacbb19e258493892c43932293ae8d94a3a455db3546b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        88b80dc7973c80607bbb0085adc62405

        SHA1

        38805b7f789c99d3a8496f5fc73e59ecd1e58413

        SHA256

        4c28648e66213e45adf42a073743fc97cc89a04730014d639a7f94335ffc1e70

        SHA512

        8554f44c410592ef22afa7d90ee9699a683056acf75cc48375e2c4c39b5be8b88a10f71ec2d68957eea356dcbdf7b139383ac025991d6e718837fecf02d13a26

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d99c1bcea6018746338142bb88c87cd8

        SHA1

        5471c3b03c53018de050a0556aed79b6026e0d1f

        SHA256

        9a0f52f5fbbd3ff1b0e586a8e61d0b99be04cbe0916f084c7dff371fb6d31b9f

        SHA512

        56efc8b3c322e00a54b47ef8c3090e115b23d35a37e4eb380f170766ee039ed46eaadce05fcb15affaa468e44fd03d7fee723d4be14199728be51616e7604042

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        4ae05efbc9922e6f53e2ba6ae7378ce2

        SHA1

        c9fa3eb5e826d1bbcec75ac7a39a886f5cfc098c

        SHA256

        69172561a8f9043aaf0a44b755304508ca7d70091ef0c0fe85db22997dd92c6a

        SHA512

        c8f62667181f8f6b12e1fd966ab0f3f7541e49a5553dfdcae86aa2407e191cbdf0bc480ce3ad37a9d18f63719a2e4d95600aff00ff77cabc1514a3246139f02b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        08ae8ff51e6314940c4625aebe68fe0b

        SHA1

        d3a242430c2a87d28bdaddd33a4e9752a5c4e7e3

        SHA256

        5ade2f846116775ca12eb89b22f3690ef19f425f7645f6774905b2fdc82591a5

        SHA512

        125531e3a33b3325820c0c313e7ea362d4eb10fbb0e68c6659e314b8940dba7fd983f7693519ee2f78d552e00ae87f0ea1e9a0df220db7c788620a4fcabc0dbc

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8c5ec02bfde96846dcb09f69cf1d992e

        SHA1

        5b6c5e84be3188099e47d956e1d91d9dfec31e92

        SHA256

        1e937708353cc0a9d3c55ee2d37d701f8d911953434db1bb125a55a3e422433d

        SHA512

        096128a47e81cbd447f53d9ea5aa7daf1e04a6361406baead14b4e4a89a0a2efc424eeb04a80ec8327d7932b2317006980e36b3da74394cb10e751a44552b229

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3083d31c60d668de994727573d50c28a

        SHA1

        b3b1be29b727b6b32162e64f03af3b02409693ce

        SHA256

        b761fd51c66625d970bf86c10260cbcf4f664903e6127b9d64eb09c25b9c1f2a

        SHA512

        743e6c28cba17f51a267b718523262f0bace47bd45a15ea5d1ddeb9b0f449d3e72a9c036216afd21b1a4005fbb6e213087fb87e094041d87a268166bef0f8540

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\WinDir\Svchost.exe
        Filesize

        296KB

        MD5

        8136ac6572c5e8e6f6f85bcf92274bf7

        SHA1

        a34fd043c3f3370f1619c89614c44fc256024c79

        SHA256

        0303198253d95e625492a5c949095557e55f3666643308e0dbbdbb8eb65d5c5b

        SHA512

        c309fc0f95e49a790e924f234d310cd68aa89bf5fd390cf7c108e8629104ac5ab83294496703b316b5bb49d1f6eb81c3cdcc2810eae3f68e0f45c42431f668fa

      • memory/1188-3-0x0000000002A80000-0x0000000002A81000-memory.dmp
        Filesize

        4KB

      • memory/1624-857-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

      • memory/1624-1811-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

      • memory/3004-299-0x0000000000720000-0x0000000000721000-memory.dmp
        Filesize

        4KB

      • memory/3004-527-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/3004-1652-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/3004-278-0x0000000000160000-0x0000000000161000-memory.dmp
        Filesize

        4KB