Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-08-2024 21:35

General

  • Target

    97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe

  • Size

    534KB

  • MD5

    97c37cb207301385c3bfb1ff3cdf0b4c

  • SHA1

    03e13a3161f2d66de62bfbe1aa187700a6befc4f

  • SHA256

    bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae

  • SHA512

    2506be5915ba19ba98ea54c53b835cca910f613212afea7b4656ed2bd92fc12a2701fb899c79275cf57dd41d12c4a87ae0235a03c5da1ec870ed33402fabc281

  • SSDEEP

    12288:QjkArEN249AyE/rbaMct4bO2/VhBqmvKhbAELLJilK09XQlGp/:LFE//Tct4bOsMRdjLlilKyQlGp/

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

vítima

C2

127.0.0.1:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Online !

  • message_box_title

    Eskay Coder

  • password

    abcd1234

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3492
      • C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c_JaffaCakes118.exe"
          3⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1144
          • C:\dir\install\install\server.exe
            "C:\dir\install\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4976
            • C:\dir\install\install\server.exe
              "C:\dir\install\install\server.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1848
              • C:\dir\install\install\server.exe
                "C:\dir\install\install\server.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:3280
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8
      1⤵
        PID:2320

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\UuU.uUu

        Filesize

        8B

        MD5

        8f250c95aedd0545331d5f10310eb013

        SHA1

        45429e5c7bb233a1df6461e2580199099f2af8bc

        SHA256

        0033913cbb7922f181599bb998c791aba3260238bfa6d659e7ce38dd119f4bea

        SHA512

        0ca57fd1b7ba683708b6ff51df601861c7e8eff104e575b8d162d6e0a1edff2ea9f30c62ef8ffaf45e02aba6fccfbd52320956e6d7a55517a50bdeeafdd74c89

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

        Filesize

        189KB

        MD5

        cbda8b80ab656059e1206fe80f9a25ca

        SHA1

        4eaf1ac53d31b41434b6cca408ce53ac28486e7c

        SHA256

        59f5685c9db7baa7c8def05d175680ca1eee18bac5887b3952d8db230caa8587

        SHA512

        493794700de6054acda381937ddbb71f8f7cac42e48d90dd278673e22f7bf1e99ac573f60d739530d8d4a1c7788de04a4a7cfbca66df61514e19895524d48161

      • C:\Users\Admin\AppData\Roaming\logs.dat

        Filesize

        15B

        MD5

        4362e21af8686f5ebba224768d292a5b

        SHA1

        504510a4d10e230dcd1605ab3342525b38a10933

        SHA256

        b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3

        SHA512

        f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850

      • C:\dir\install\install\server.exe

        Filesize

        534KB

        MD5

        97c37cb207301385c3bfb1ff3cdf0b4c

        SHA1

        03e13a3161f2d66de62bfbe1aa187700a6befc4f

        SHA256

        bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae

        SHA512

        2506be5915ba19ba98ea54c53b835cca910f613212afea7b4656ed2bd92fc12a2701fb899c79275cf57dd41d12c4a87ae0235a03c5da1ec870ed33402fabc281

      • memory/1144-23-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/1144-1-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/1144-4-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/1144-7-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/1144-6-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/1848-29-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/1848-85-0x0000000024010000-0x0000000024052000-memory.dmp

        Filesize

        264KB

      • memory/1848-28-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/1848-30-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/1848-35-0x0000000024010000-0x0000000024052000-memory.dmp

        Filesize

        264KB

      • memory/1848-91-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/2760-5-0x0000000000400000-0x00000000004C1000-memory.dmp

        Filesize

        772KB

      • memory/2760-0-0x0000000000400000-0x00000000004C1000-memory.dmp

        Filesize

        772KB

      • memory/3280-41-0x0000000000400000-0x00000000004C1000-memory.dmp

        Filesize

        772KB

      • memory/3280-37-0x0000000000170000-0x0000000000171000-memory.dmp

        Filesize

        4KB

      • memory/3280-36-0x00000000000F0000-0x00000000000F1000-memory.dmp

        Filesize

        4KB

      • memory/3492-18-0x00000000012D0000-0x00000000012D1000-memory.dmp

        Filesize

        4KB

      • memory/4976-24-0x0000000000400000-0x00000000004C1000-memory.dmp

        Filesize

        772KB

      • memory/4976-32-0x0000000000400000-0x00000000004C1000-memory.dmp

        Filesize

        772KB