Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14-08-2024 21:35

General

  • Target

    97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe

  • Size

    534KB

  • MD5

    97c37cb207301385c3bfb1ff3cdf0b4c

  • SHA1

    03e13a3161f2d66de62bfbe1aa187700a6befc4f

  • SHA256

    bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae

  • SHA512

    2506be5915ba19ba98ea54c53b835cca910f613212afea7b4656ed2bd92fc12a2701fb899c79275cf57dd41d12c4a87ae0235a03c5da1ec870ed33402fabc281

  • SSDEEP

    12288:QjkArEN249AyE/rbaMct4bO2/VhBqmvKhbAELLJilK09XQlGp/:LFE//Tct4bOsMRdjLlilKyQlGp/

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

vítima

C2

127.0.0.1:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Online !

  • message_box_title

    Eskay Coder

  • password

    abcd1234

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1236
      • C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2160
        • C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe"
          3⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\dir\install\install\server.exe
            "C:\dir\install\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2736
            • C:\dir\install\install\server.exe
              "C:\dir\install\install\server.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2812
              • C:\dir\install\install\server.exe
                "C:\dir\install\install\server.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:1256

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      189KB

      MD5

      cbda8b80ab656059e1206fe80f9a25ca

      SHA1

      4eaf1ac53d31b41434b6cca408ce53ac28486e7c

      SHA256

      59f5685c9db7baa7c8def05d175680ca1eee18bac5887b3952d8db230caa8587

      SHA512

      493794700de6054acda381937ddbb71f8f7cac42e48d90dd278673e22f7bf1e99ac573f60d739530d8d4a1c7788de04a4a7cfbca66df61514e19895524d48161

    • C:\Users\Admin\AppData\Roaming\logs.dat

      Filesize

      15B

      MD5

      4362e21af8686f5ebba224768d292a5b

      SHA1

      504510a4d10e230dcd1605ab3342525b38a10933

      SHA256

      b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3

      SHA512

      f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850

    • \dir\install\install\server.exe

      Filesize

      534KB

      MD5

      97c37cb207301385c3bfb1ff3cdf0b4c

      SHA1

      03e13a3161f2d66de62bfbe1aa187700a6befc4f

      SHA256

      bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae

      SHA512

      2506be5915ba19ba98ea54c53b835cca910f613212afea7b4656ed2bd92fc12a2701fb899c79275cf57dd41d12c4a87ae0235a03c5da1ec870ed33402fabc281

    • memory/1236-25-0x0000000002490000-0x0000000002491000-memory.dmp

      Filesize

      4KB

    • memory/1256-71-0x0000000000160000-0x0000000000161000-memory.dmp

      Filesize

      4KB

    • memory/1256-62-0x00000000000E0000-0x00000000000E1000-memory.dmp

      Filesize

      4KB

    • memory/1256-146-0x0000000000400000-0x00000000004C1000-memory.dmp

      Filesize

      772KB

    • memory/2160-12-0x0000000000400000-0x00000000004C1000-memory.dmp

      Filesize

      772KB

    • memory/2160-8-0x0000000002DA0000-0x0000000002E61000-memory.dmp

      Filesize

      772KB

    • memory/2160-0-0x0000000000400000-0x00000000004C1000-memory.dmp

      Filesize

      772KB

    • memory/2720-22-0x0000000002E40000-0x0000000002F01000-memory.dmp

      Filesize

      772KB

    • memory/2720-16-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2720-15-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2720-32-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2720-1-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2720-14-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2720-3-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2720-5-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2720-9-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2720-13-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2736-33-0x0000000000400000-0x00000000004C1000-memory.dmp

      Filesize

      772KB

    • memory/2736-47-0x0000000000400000-0x00000000004C1000-memory.dmp

      Filesize

      772KB

    • memory/2812-49-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2812-55-0x0000000000330000-0x00000000003F1000-memory.dmp

      Filesize

      772KB

    • memory/2812-46-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2812-48-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2812-330-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2812-50-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB