Analysis

  • max time kernel: 148s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240730-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01-08-2024 16:30

General

  • Target

    8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe

  • Size

    296KB

  • MD5

    8136ac6572c5e8e6f6f85bcf92274bf7

  • SHA1

    a34fd043c3f3370f1619c89614c44fc256024c79

  • SHA256

    0303198253d95e625492a5c949095557e55f3666643308e0dbbdbb8eb65d5c5b

  • SHA512

    c309fc0f95e49a790e924f234d310cd68aa89bf5fd390cf7c108e8629104ac5ab83294496703b316b5bb49d1f6eb81c3cdcc2810eae3f68e0f45c42431f668fa

  • SSDEEP

    6144:/OpslFlqxhdBCkWYxuukP1pjSKSNVkq/MVJbD:/wslkTBd47GLRMTbD

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

runninglosers.no-ip.biz:100

Mutex

D8DTC141NQ8Y22

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (7 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:5096
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3544
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:5076
          • C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"
            3⤵
            • Checks computer location settings
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2340
            • C:\Windows\SysWOW64\WinDir\Svchost.exe
              "C:\Windows\system32\WinDir\Svchost.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4408
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 580
                5⤵
                • Program crash
                PID:2228
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4408 -ip 4408
        1⤵
          PID:4304

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    T1547 Boot or Logon Autostart Execution (3)
    T1547.001 Registry Run Keys / Startup Folder (2)
    T1547.014 Active Setup (1)
  • Privilege Escalation
    T1547 Boot or Logon Autostart Execution (3)
    T1547.001 Registry Run Keys / Startup Folder (2)
    T1547.014 Active Setup (1)
  • Defense Evasion
    T1112 Modify Registry (3)
  • Discovery
    T1012 Query Registry (1)
    T1082 System Information Discovery (2)
    T1614 System Location Discovery (1)
    T1614.001 System Language Discovery (1)


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
          Filesize

          224KB

          MD5

          30ef56f1e8fabb47b170358d9c79ae46

          SHA1

          4d036a2bc18f68c4b841e7bad0f4dc6ea99f9712

          SHA256

          a620d8cfdf8e42c18c11f245470048d7bb297fa8358032675256edc1ab08c75e

          SHA512

          269c564171da5a0768cadcf8d16b04cb8586768754d5e32d6e7c5eef37d481d22490f514dfd70496051c6fc7735cd02d62091a7420ae53f4915f3d045433d696

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          b7b51eca6dced9a02dfeb26e0172823e

          SHA1

          9f0feb4cda74add4056ad2d2f02591998e370caa

          SHA256

          be20ef279bb935da81ba018483f33a57b70d460827ce281686c409de89f47f79

          SHA512

          927157829fbd0fd535c2f2e5c71ad5ed0da2396f5d106231239510ad1f990ebd6e88dd54ef254b541974c45cf06637782ced5080920fe2985c21132245abd464

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          a342fe2d75cc0f0ebdbc44a3803ba87f

          SHA1

          5130f89abf2fa6de40f8b96364de15215261489a

          SHA256

          f38cdb256f2ccc8840b1d5dc8a24e44ef11549030a8fb95ddbad48dc9be26296

          SHA512

          ef5568e623b7f02c27b0c3447a2fa3d8840cb13f3ffc55173ccfa86cb08380ca9d45379738ff7d86698a7a81232dbc65d97c2ec6c662f6ac8800314e4808d76d

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          adefe05a088283e7e6ec31d0d9253c6e

          SHA1

          403165a438ff1662279f57b9cba0bdb49689b48f

          SHA256

          37f27a032fcd1fe44f158065963279eeb40a3be191741ce0e9cdab4541f0a691

          SHA512

          b90f387c84a46e210f6faa1d5bb584200653147fd44c8c8c463031447f5656e4c7505f0475b5624bd0dfd9ec43288720bb2941b3911ec27042c20c674f81d3a9

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          b05dddbeaf6da4f15194038212ad84f2

          SHA1

          22eec39cf1a37458953cc8a6785d8cabfae3a8e7

          SHA256

          8af4120849f6ff52fadd489ec23c297dcde9bfd4f138e34711af60e553f2c127

          SHA512

          5fe9b9fa420603a899042d6e2c01f1b48ed552001d54a98f78a6ae36e02625573b39daacc629eaf4479f6dbff4d978d191e2c7cc1b469901427d94bc0480f5c0

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          8ce48817c6854d02abc6cad8ac089703

          SHA1

          e2fad68a5934bc016b068d9092c205a87e4f7660

          SHA256

          4d3348133188468f1ab7c706421854802aa9185aa9e7e76a976eaeff4b90449a

          SHA512

          2f82260ac33efdc5a1086674e008905ead41dfe2d92307ed42da39768581d0e47ce6f08b99d8205a88315409681d0c5a3575e8c87ff5900ccf91887c64cfa52c

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          79b0a686413be35243fd0ed931c6bf31

          SHA1

          6bd81d514f35c085b4271f062c64e6d4f72983c2

          SHA256

          0ca08b74bbf98bcd93d9a827666d26e8662f5ffdfd5423e2459664a2205c9282

          SHA512

          4a679520293c8f479eb547757f0c50177f4659836b5510363adda518f43e7ea4bd3822842705f6f20a0498470ed2ad0d85763ec9591c48bb4564e4e59952b668

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          1546315285d0b0c8841aab60f567787f

          SHA1

          b084284bbff07a7b2799c24b9b4f0fff48f5c6c1

          SHA256

          b52c2f258e78c1c31066ce1728c9b0cc3e739930e65df479671871d1055d887d

          SHA512

          844419bc12ba59ad33a986d2299e46d7df1f0346d623a3576c78542496ddecad5c530257bbd72ae24db384368ae441609c44e569a532df632aa3ce33d727eafb

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          86f70b5f6429d23e8247af645bb13f09

          SHA1

          7b8add361850870feda854a6db71d4cd5ba7e337

          SHA256

          ed3a2e19370499877da0b400dac35d9ca5f8dfb909a72ea192d80732d92ad59e

          SHA512

          bfcefd46b998a5f7f10424bf35e3dbb63f02d9956e0e9f5eddd05ce270ad0e019d4d6da6f594cb962676018cb45b024cc8c4148277abef4c72e4d3e4d44d50d9

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          132c5c7e4f19cfa216adbd37fa1123d1

          SHA1

          34981955a3e8f584b5ef0f57d880702eb9cb48de

          SHA256

          460834d36bc5c976e2fb3048adaeb2cb5aeb12acf1ef0db4f38b84cd32364abd

          SHA512

          0696a8be0918b8213132d91d25da84f77b4a054c45c7439486e81ded4f4630da1163565aa29c89290da1c691ad6305200801ce510a7597136e69f75ef2289684

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          573390e8bbc8f969a41b6a4dfacd35b8

          SHA1

          a2738062800234a66c1c8c500a2a9fec89126c52

          SHA256

          daf020011d03f4ce6bf6de5161965ff5bffa7703a1114f13401967b946634230

          SHA512

          24c3967652dc8e0eb4aca3fbdd3c945798ab3c35acfe405af816f23ed14ea0b6493382b8c861af13253b5e9351c6114169877e3bd1ad69daa87de70a59b6726c

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          475a5f692959acb40325f491386813b8

          SHA1

          35a7acc8e41ea683cba554b89c7d338f69fa456e

          SHA256

          2d7aa6bb8ba30f1e94394db9d650505ecee207c05c35ecf2666526b09d4271ab

          SHA512

          997354a146f6f498f282323d6d9f171e597acb6bb5a2064795e8da004713ba5cd165ae02f348c3349b1480dd1a946f76acdb907cacad9350b0f94c9090d1cc05

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          09fe816e228d82bef96ec60d304adb57

          SHA1

          3e209c33045ed21dc1c6bbcab0130a45e47fca1e

          SHA256

          f2752d67cc91b8087c7c89144fa74c19590c0cc4c5be7aeb42e24c720a7dc245

          SHA512

          59fc744b271a77ad31592609ee7e09a8a6b4a457bac7f3f743fd63bbd0ef40a2ca92bbf3f16dbdc625dd5088648263cda168296758a2e2a4d80b0f5cfe315d0c

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          97b50583b7f07b7e4c4e9bb36357729b

          SHA1

          a1958d209988ccf7c61d90d086451ace66a27cda

          SHA256

          9ae17e5affc7acd9b46b8fcd4ef29f92eb4cd9443017f2e08a55a10ccb9a587c

          SHA512

          79ec096cbe64debba10cecf93be1e0362c1f323134927650e5b5f9c9f7ae609a17befcc35062947219570ea9355c83855aa5b478bf006ac1757e51a7fb036961

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          bfd4c7b8d9980f5ed6f9be8eca4551aa

          SHA1

          80ce3ed7c9b3b094eee5e538fed04bcf1c56f216

          SHA256

          7279e7b6790c64968600c85e6bfefeeee4908c2777d88fa2b9909b42abaa4717

          SHA512

          e76749eb7ca6db3b0ab2bb712c4f0aa87c079573db3e678b8c7c2a4d7c01b78acb94ee71cf46900b707eacbb19e258493892c43932293ae8d94a3a455db3546b

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          88b80dc7973c80607bbb0085adc62405

          SHA1

          38805b7f789c99d3a8496f5fc73e59ecd1e58413

          SHA256

          4c28648e66213e45adf42a073743fc97cc89a04730014d639a7f94335ffc1e70

          SHA512

          8554f44c410592ef22afa7d90ee9699a683056acf75cc48375e2c4c39b5be8b88a10f71ec2d68957eea356dcbdf7b139383ac025991d6e718837fecf02d13a26

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          d99c1bcea6018746338142bb88c87cd8

          SHA1

          5471c3b03c53018de050a0556aed79b6026e0d1f

          SHA256

          9a0f52f5fbbd3ff1b0e586a8e61d0b99be04cbe0916f084c7dff371fb6d31b9f

          SHA512

          56efc8b3c322e00a54b47ef8c3090e115b23d35a37e4eb380f170766ee039ed46eaadce05fcb15affaa468e44fd03d7fee723d4be14199728be51616e7604042

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          4ae05efbc9922e6f53e2ba6ae7378ce2

          SHA1

          c9fa3eb5e826d1bbcec75ac7a39a886f5cfc098c

          SHA256

          69172561a8f9043aaf0a44b755304508ca7d70091ef0c0fe85db22997dd92c6a

          SHA512

          c8f62667181f8f6b12e1fd966ab0f3f7541e49a5553dfdcae86aa2407e191cbdf0bc480ce3ad37a9d18f63719a2e4d95600aff00ff77cabc1514a3246139f02b

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          08ae8ff51e6314940c4625aebe68fe0b

          SHA1

          d3a242430c2a87d28bdaddd33a4e9752a5c4e7e3

          SHA256

          5ade2f846116775ca12eb89b22f3690ef19f425f7645f6774905b2fdc82591a5

          SHA512

          125531e3a33b3325820c0c313e7ea362d4eb10fbb0e68c6659e314b8940dba7fd983f7693519ee2f78d552e00ae87f0ea1e9a0df220db7c788620a4fcabc0dbc

        • C:\Users\Admin\AppData\Local\Temp\Admin7
          Filesize

          8B

          MD5

          8c5ec02bfde96846dcb09f69cf1d992e

          SHA1

          5b6c5e84be3188099e47d956e1d91d9dfec31e92

          SHA256

          1e937708353cc0a9d3c55ee2d37d701f8d911953434db1bb125a55a3e422433d

          SHA512

          096128a47e81cbd447f53d9ea5aa7daf1e04a6361406baead14b4e4a89a0a2efc424eeb04a80ec8327d7932b2317006980e36b3da74394cb10e751a44552b229

        • C:\Users\Admin\AppData\Roaming\Adminlog.dat
          Filesize

          15B

          MD5

          bf3dba41023802cf6d3f8c5fd683a0c7

          SHA1

          466530987a347b68ef28faad238d7b50db8656a5

          SHA256

          4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

          SHA512

          fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

        • C:\Windows\SysWOW64\WinDir\Svchost.exe
          Filesize

          296KB

          MD5

          8136ac6572c5e8e6f6f85bcf92274bf7

          SHA1

          a34fd043c3f3370f1619c89614c44fc256024c79

          SHA256

          0303198253d95e625492a5c949095557e55f3666643308e0dbbdbb8eb65d5c5b

          SHA512

          c309fc0f95e49a790e924f234d310cd68aa89bf5fd390cf7c108e8629104ac5ab83294496703b316b5bb49d1f6eb81c3cdcc2810eae3f68e0f45c42431f668fa

        • memory/2340-1439-0x0000000010560000-0x00000000105C5000-memory.dmp
          Filesize

          404KB

        • memory/2340-138-0x0000000010560000-0x00000000105C5000-memory.dmp
          Filesize

          404KB

        • memory/3544-67-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB

        • memory/3544-68-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB

        • memory/3544-8-0x0000000000550000-0x0000000000551000-memory.dmp
          Filesize

          4KB

        • memory/3544-66-0x0000000003480000-0x0000000003481000-memory.dmp
          Filesize

          4KB

        • memory/3544-759-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB

        • memory/3544-7-0x0000000000490000-0x0000000000491000-memory.dmp
          Filesize

          4KB

        • memory/5096-63-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB

        • memory/5096-3-0x0000000010410000-0x0000000010475000-memory.dmp
          Filesize

          404KB