Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14-08-2024 21:35

Behavioral task: behavioral1
Sample: 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
Size: 534KB
MD5: 97c37cb207301385c3bfb1ff3cdf0b4c
SHA1: 03e13a3161f2d66de62bfbe1aa187700a6befc4f
SHA256: bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae
SHA512: 2506be5915ba19ba98ea54c53b835cca910f613212afea7b4656ed2bd92fc12a2701fb899c79275cf57dd41d12c4a87ae0235a03c5da1ec870ed33402fabc281
SSDEEP: 12288:QjkArEN249AyE/rbaMct4bO2/VhBqmvKhbAELLJilK09XQlGp/:LFE//Tct4bOsMRdjLlilKyQlGp/
Malware Config
Extracted
Family: cybergate
Version: 2.5
Botnet: vítima (Portuguese for "victim")
C2: 127.0.0.1:81
Mutex: ***MUTEX***
Attributes:
enable_keylogger: true
enable_message_box: true
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Online !
message_box_title: Eskay Coder
password: abcd1234

Points worth reading off this config before triaging the rest of the report: the C2 is the loopback address, so as built this sample produces no outbound C2 traffic; the keylogger is enabled but FTP upload of its logs is disabled; install_dir and install_file are the same names that appear in the dropped path C:\dir\install\install\server.exe below; and injected_process explorer.exe matches the WriteProcessMemory entries that target Explorer.EXE (PID 1236).
Signatures

Executes dropped EXE 3 IoCs
Processes:
pid    process
2736   server.exe
2812   server.exe
1256   server.exe

Loads dropped DLL 3 IoCs
Processes:
pid    process
2720   97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
2736   server.exe
2812   server.exe
UPX packed file 21 IoCs (heading inferred from the matched yara rule name upx; the page's own heading for this block did not survive extraction)
Processes:
resource                                                                      yara_rule
behavioral1/memory/2160-0-0x0000000000400000-0x00000000004C1000-memory.dmp    upx
behavioral1/memory/2720-3-0x0000000000400000-0x000000000044C000-memory.dmp    upx
behavioral1/memory/2160-12-0x0000000000400000-0x00000000004C1000-memory.dmp   upx
behavioral1/memory/2720-16-0x0000000000400000-0x000000000044C000-memory.dmp   upx
behavioral1/memory/2720-14-0x0000000000400000-0x000000000044C000-memory.dmp   upx
behavioral1/memory/2720-13-0x0000000000400000-0x000000000044C000-memory.dmp   upx
behavioral1/memory/2720-9-0x0000000000400000-0x000000000044C000-memory.dmp    upx
behavioral1/memory/2720-5-0x0000000000400000-0x000000000044C000-memory.dmp    upx
behavioral1/memory/2720-15-0x0000000000400000-0x000000000044C000-memory.dmp   upx
\dir\install\install\server.exe                                               upx
behavioral1/memory/2720-22-0x0000000002E40000-0x0000000002F01000-memory.dmp   upx
behavioral1/memory/2720-32-0x0000000000400000-0x000000000044C000-memory.dmp   upx
behavioral1/memory/2736-33-0x0000000000400000-0x00000000004C1000-memory.dmp   upx
behavioral1/memory/2812-49-0x0000000000400000-0x000000000044C000-memory.dmp   upx
behavioral1/memory/2812-50-0x0000000000400000-0x000000000044C000-memory.dmp   upx
behavioral1/memory/2812-48-0x0000000000400000-0x000000000044C000-memory.dmp   upx
behavioral1/memory/2736-47-0x0000000000400000-0x00000000004C1000-memory.dmp   upx
behavioral1/memory/2812-46-0x0000000000400000-0x000000000044C000-memory.dmp   upx
behavioral1/memory/2812-55-0x0000000000330000-0x00000000003F1000-memory.dmp   upx
behavioral1/memory/1256-146-0x0000000000400000-0x00000000004C1000-memory.dmp  upx
behavioral1/memory/2812-330-0x0000000000400000-0x000000000044C000-memory.dmp  upx

Note the image sizes: the parents (2160, 2736) and the final stage (1256) map 0xC1000 bytes at 0x400000, while the hollowed children (2720, 2812) map only 0x4C000 bytes at the same base, consistent with a different PE having been written into them. The child 2720 also carries a second 0xC1000-byte UPX region at 0x2E40000, the same size as the parent image.
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource                                                                      yara_rule
behavioral1/memory/2160-12-0x0000000000400000-0x00000000004C1000-memory.dmp   autoit_exe
behavioral1/memory/2736-33-0x0000000000400000-0x00000000004C1000-memory.dmp   autoit_exe
behavioral1/memory/2736-47-0x0000000000400000-0x00000000004C1000-memory.dmp   autoit_exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
description                              pid    process                                               target process
PID 2160 set thread context of 2720      2160   97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe   97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
PID 2736 set thread context of 2812      2736   server.exe                                            server.exe

Read together with the WriteProcessMemory entries for the same PID pairs below, this is the process-hollowing pattern: each stage starts a copy of its own image, writes the next payload into it and then sets the new process's thread context. The AutoIT loader (2160) does it once to unpack, and the dropped server.exe (2736) does it again.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ioc                                                                          process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       server.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       server.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       server.exe
Reading NLS\Language is also routine for benign runtimes, so on its own this is weak evidence; it is listed because every stage of the chain did it.

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid    process
2720   97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
2812   server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid    process
1256   server.exe
Repeated GetForegroundWindow polling by the final stage is consistent with the enable_keylogger: true setting in the extracted config.

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description               pid    process
Token: SeDebugPrivilege   1256   server.exe
Token: SeDebugPrivilege   1256   server.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid    process
2720   97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs shown
Processes (identical rows collapsed, count in the last column):
description                         pid    process                                               target process                                        count
PID 2160 wrote to memory of 2720    2160   97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe   97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe   7
PID 2720 wrote to memory of 2736    2720   97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe   server.exe                                            4
PID 2720 wrote to memory of 1236    2720   97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe   Explorer.EXE                                          2
PID 2736 wrote to memory of 2812    2736   server.exe                                            server.exe                                            7
PID 2812 wrote to memory of 1256    2812   server.exe                                            server.exe                                            44 (remainder of the 64 shown)
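To turn the SetThreadContext and WriteProcessMemory tables above into a check that can be run over other reports of this kind, here is an added example; it is my code, not part of the sandbox report or of the sandbox's own tooling. It parses the flattened "PID A wrote to memory of B ..." and "PID A set thread context of B ..." entries as this page prints them and classifies each (source, target) PID pair. The event text is constructed from this page's tables with the repeated rows collapsed, and the line layout the regex expects is an assumption for any report other than this one.

```python
"""Flag process-hollowing pairs in sandbox cross-process events.

Added example (not part of the sandbox report). It parses the flattened
"PID A wrote to memory of B ..." and "PID A set thread context of B ..."
entries a tria.ge-style report prints and returns, per (source, target)
PID pair, whether the pair looks like hollowing (write + SetThreadContext
into a child running the same image) or like injection into a configured
target image. SANDBOX_EVENTS is constructed from this page's tables with
repeated rows collapsed; the line layout the regex expects is how the page
prints them and is an assumption for any other report.
"""
import re

SANDBOX_EVENTS = """\
PID 2160 set thread context of 2720 2160 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
PID 2736 set thread context of 2812 2736 server.exe server.exe
PID 2160 wrote to memory of 2720 2160 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
PID 2720 wrote to memory of 2736 2720 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe server.exe
PID 2720 wrote to memory of 1236 2720 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe Explorer.EXE
PID 2736 wrote to memory of 2812 2736 server.exe server.exe
PID 2812 wrote to memory of 1256 2812 server.exe server.exe
"""

# Layout as printed on the page: "PID <src> <action> <dst> <src> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(text):
    """Return one dict per recognised line; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["src"], e["dst"] = int(e["src"]), int(e["dst"])
            events.append(e)
    return events


def classify_pairs(events, injection_targets=("explorer.exe",)):
    """Map (src_pid, dst_pid) -> "hollowing" | "injection" | "write-only".

    The report gives no ordering, so hollowing is judged on co-occurrence of
    WriteProcessMemory and SetThreadContext for the same pair plus identical
    image names, which is what the chain above shows twice (2160 -> 2720 and
    2736 -> 2812). injection_targets defaults to the config's injected_process.
    """
    writes, contexts, images = set(), set(), {}
    for e in events:
        pair = (e["src"], e["dst"])
        images[pair] = (e["src_img"].lower(), e["dst_img"].lower())
        (writes if e["action"].startswith("wrote") else contexts).add(pair)

    result = {}
    for pair, (src_img, dst_img) in images.items():
        if pair in writes and pair in contexts and src_img == dst_img:
            result[pair] = "hollowing"
        elif pair in writes and dst_img in injection_targets:
            result[pair] = "injection"
        elif pair in writes:
            result[pair] = "write-only"
    return result


if __name__ == "__main__":
    for pair, verdict in sorted(classify_pairs(parse_events(SANDBOX_EVENTS)).items()):
        print(f"{pair[0]} -> {pair[1]}: {verdict}")
```

On this page's events the two same-image pairs come out as hollowing, the write into Explorer.EXE as injection, and 2720 -> 2736 and 2812 -> 1256 as write-only: the last pair has 44 writes but no SetThreadContext entry, so the check does not call it hollowing even though both ends are server.exe.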
Processes (indentation shows parent/child nesting)

C:\Windows\Explorer.EXE (PID 1236)
  cmdline: "C:\Windows\Explorer.EXE"
  C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe (PID 2160)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe (PID 2720, hollowed copy of 2160)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      C:\dir\install\install\server.exe (PID 2736)
        cmdline: "C:\dir\install\install\server.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\dir\install\install\server.exe (PID 2812, hollowed copy of 2736)
          cmdline: "C:\dir\install\install\server.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          C:\dir\install\install\server.exe (PID 1256)
            cmdline: "C:\dir\install\install\server.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken

Explorer.EXE (1236) is the root because the sample was launched from the desktop shell; it is also the process that 2720 writes into, which matches the injected_process value in the extracted config. The installed copy lives under C:\dir\install\install\server.exe, the install_dir and install_file names from the config, and the final stage (1256) is the one that takes SeDebugPrivilege and polls the foreground window.
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 189KB
MD5: cbda8b80ab656059e1206fe80f9a25ca
SHA1: 4eaf1ac53d31b41434b6cca408ce53ac28486e7c
SHA256: 59f5685c9db7baa7c8def05d175680ca1eee18bac5887b3952d8db230caa8587
SHA512: 493794700de6054acda381937ddbb71f8f7cac42e48d90dd278673e22f7bf1e99ac573f60d739530d8d4a1c7788de04a4a7cfbca66df61514e19895524d48161

Filesize: 15B
MD5: 4362e21af8686f5ebba224768d292a5b
SHA1: 504510a4d10e230dcd1605ab3342525b38a10933
SHA256: b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3
SHA512: f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850

Filesize: 534KB (same digests as the submitted sample in the General section)
MD5: 97c37cb207301385c3bfb1ff3cdf0b4c
SHA1: 03e13a3161f2d66de62bfbe1aa187700a6befc4f
SHA256: bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae
SHA512: 2506be5915ba19ba98ea54c53b835cca910f613212afea7b4656ed2bd92fc12a2701fb899c79275cf57dd41d12c4a87ae0235a03c5da1ec870ed33402fabc281
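The digests above are the IoCs a responder would actually search a host for, so here is an added example that does that; it is my code, not part of the sandbox report. It computes the same four algorithms the report lists, compares them with an IoC table transcribed from the Downloads section (MD5, SHA1 and SHA256 are transcribed; the SHA512 values can be added to the same entries), and walks a directory so the check can be run on a suspect machine. The directory walk and the size cap are my assumptions about how the check would be deployed.

```python
"""Match files on disk against the digest IoCs in the report above.

Added example (not part of the sandbox report). digests() computes the
four algorithms the report lists, match_iocs() compares them with an IoC
table transcribed from the report's Downloads section, and sweep() walks a
directory so the check can run on a suspect host. The walk and the size
cap are assumptions about deployment, not anything the report states.
"""
import hashlib
import os

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Transcribed from the report's Downloads section (SHA512 omitted here;
# add it to the same dicts if you want the extra check).
REPORT_IOCS = [
    {"label": "submitted sample (534KB)",
     "md5": "97c37cb207301385c3bfb1ff3cdf0b4c",
     "sha1": "03e13a3161f2d66de62bfbe1aa187700a6befc4f",
     "sha256": "bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae"},
    {"label": "dropped file (189KB)",
     "md5": "cbda8b80ab656059e1206fe80f9a25ca",
     "sha1": "4eaf1ac53d31b41434b6cca408ce53ac28486e7c",
     "sha256": "59f5685c9db7baa7c8def05d175680ca1eee18bac5887b3952d8db230caa8587"},
    {"label": "dropped file (15B)",
     "md5": "4362e21af8686f5ebba224768d292a5b",
     "sha1": "504510a4d10e230dcd1605ab3342525b38a10933",
     "sha256": "b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3"},
]


def digests(data):
    """Hex digests of `data` under every algorithm the report uses."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def match_iocs(hashes, iocs=REPORT_IOCS):
    """Labels of IoC entries consistent with `hashes`.

    An entry matches when at least one algorithm is present on both sides
    and every shared algorithm agrees, so a lookup with only an MD5 still
    works, but a mismatching SHA256 vetoes an MD5 coincidence.
    """
    hits = []
    for entry in iocs:
        shared = [a for a in ALGORITHMS if a in entry and a in hashes]
        if shared and all(entry[a].lower() == hashes[a].lower() for a in shared):
            hits.append(entry["label"])
    return hits


def sweep(root, iocs=REPORT_IOCS, max_size=8 * 1024 * 1024):
    """Walk `root` and return {path: [labels]} for files that match an IoC.

    Files above max_size are skipped; every artifact in the report is under
    1MB, so the cap costs nothing and keeps the scan cheap. Unreadable
    files are skipped rather than aborting the sweep.
    """
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    hits = match_iocs(digests(fh.read()), iocs)
            except OSError:
                continue
            if hits:
                found[path] = hits
    return found


if __name__ == "__main__":
    import sys
    for path, labels in sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", ", ".join(labels))
```

Run it with the directory to scan as the only argument (for this sample the obvious candidates are the install directory named in the config and the user's Temp directory). Matching on every shared algorithm rather than the first hit is deliberate: MD5 alone is cheap to collide, so a SHA256 disagreement should always win over an MD5 match.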