Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-08-2024 21:35

Behavioral task: behavioral1
Sample: 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
Size: 534KB
MD5: 97c37cb207301385c3bfb1ff3cdf0b4c
SHA1: 03e13a3161f2d66de62bfbe1aa187700a6befc4f
SHA256: bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae
SHA512: 2506be5915ba19ba98ea54c53b835cca910f613212afea7b4656ed2bd92fc12a2701fb899c79275cf57dd41d12c4a87ae0235a03c5da1ec870ed33402fabc281
SSDEEP: 12288:QjkArEN249AyE/rbaMct4bO2/VhBqmvKhbAELLJilK09XQlGp/:LFE//Tct4bOsMRdjLlilKyQlGp/
Malware Config
Extracted
Family: cybergate
Version: 2.5
Botnet: vítima
C2: 127.0.0.1:81
Mutex: ***MUTEX***
enable_keylogger: true
enable_message_box: true
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Online !
message_box_title: Eskay Coder
password: abcd1234
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
Processes: server.exe, server.exe, server.exe
pid | process
4976 | server.exe
1848 | server.exe
3280 | server.exe

Processes:
resource | yara_rule
behavioral2/memory/2760-0-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/1144-1-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/2760-5-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/1144-4-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/1144-7-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/1144-6-0x0000000000400000-0x000000000044C000-memory.dmp | upx
C:\dir\install\install\server.exe | upx
behavioral2/memory/4976-24-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/1144-23-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/1848-29-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/1848-28-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/1848-30-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/4976-32-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/3280-41-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/1848-85-0x0000000024010000-0x0000000024052000-memory.dmp | upx
behavioral2/memory/1848-91-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/1848-35-0x0000000024010000-0x0000000024052000-memory.dmp | upx
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/2760-5-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
behavioral2/memory/4976-24-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
behavioral2/memory/4976-32-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe, server.exe
description | pid | process | target process
PID 2760 set thread context of 1144 | 2760 | 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe | 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
PID 4976 set thread context of 1848 | 4976 | server.exe | server.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: server.exe, server.exe, server.exe, 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe, 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe, server.exe
pid | process
1144 | 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
1144 | 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
1848 | server.exe
1848 | server.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: server.exe
pid | process
3280 | server.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: server.exe
description | pid | process
Token: SeDebugPrivilege | 3280 | server.exe
Token: SeDebugPrivilege | 3280 | server.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
pid | process
1144 | 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe, 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe, server.exe, server.exe
Identical rows are collapsed below with their number of occurrences.
description | pid | process | target process | occurrences
PID 2760 wrote to memory of 1144 | 2760 | 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe | 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe | 6
PID 1144 wrote to memory of 4976 | 1144 | 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe | server.exe | 3
PID 1144 wrote to memory of 3492 | 1144 | 97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe | Explorer.EXE | 3
PID 4976 wrote to memory of 1848 | 4976 | server.exe | server.exe | 6
PID 1848 wrote to memory of 3280 | 1848 | server.exe | server.exe | 46
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3492

  [2] C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2760

    [3] C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe"
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 1144

      [4] C:\dir\install\install\server.exe
          Command line: "C:\dir\install\install\server.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4976

        [5] C:\dir\install\install\server.exe
            Command line: "C:\dir\install\install\server.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID: 1848

          [6] C:\dir\install\install\server.exe
              Command line: "C:\dir\install\install\server.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              PID: 3280

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8
    PID: 2320
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8B
  MD5: 8f250c95aedd0545331d5f10310eb013
  SHA1: 45429e5c7bb233a1df6461e2580199099f2af8bc
  SHA256: 0033913cbb7922f181599bb998c791aba3260238bfa6d659e7ce38dd119f4bea
  SHA512: 0ca57fd1b7ba683708b6ff51df601861c7e8eff104e575b8d162d6e0a1edff2ea9f30c62ef8ffaf45e02aba6fccfbd52320956e6d7a55517a50bdeeafdd74c89
- Filesize: 189KB
  MD5: cbda8b80ab656059e1206fe80f9a25ca
  SHA1: 4eaf1ac53d31b41434b6cca408ce53ac28486e7c
  SHA256: 59f5685c9db7baa7c8def05d175680ca1eee18bac5887b3952d8db230caa8587
  SHA512: 493794700de6054acda381937ddbb71f8f7cac42e48d90dd278673e22f7bf1e99ac573f60d739530d8d4a1c7788de04a4a7cfbca66df61514e19895524d48161
- Filesize: 15B
  MD5: 4362e21af8686f5ebba224768d292a5b
  SHA1: 504510a4d10e230dcd1605ab3342525b38a10933
  SHA256: b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3
  SHA512: f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850
- Filesize: 534KB
  MD5: 97c37cb207301385c3bfb1ff3cdf0b4c
  SHA1: 03e13a3161f2d66de62bfbe1aa187700a6befc4f
  SHA256: bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae
  SHA512: 2506be5915ba19ba98ea54c53b835cca910f613212afea7b4656ed2bd92fc12a2701fb899c79275cf57dd41d12c4a87ae0235a03c5da1ec870ed33402fabc281