Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-08-2024 18:55

Static task: static1
Behavioral task: behavioral1
Sample: 9746945d0bc71b355e35f581c074ed11_JaffaCakes118.exe
Resource: win7-20240729-en
General
- Target: 9746945d0bc71b355e35f581c074ed11_JaffaCakes118.exe
- Size: 987KB
- MD5: 9746945d0bc71b355e35f581c074ed11
- SHA1: f50b66801c2c7f35c1772392cf85916250b3c0f4
- SHA256: 422575be8a2b57c9f0616679b69b47192cbb45ff9e2a4e74bc58ea1f25a9792c
- SHA512: a1092aeb79766ade4cbae464b07a931c19344d9b726b1d1f289c9924a89afa6b9f7981139b065f4c2ee9deaae9e6629dcb123f2199f0463519a910ea3929d92f
- SSDEEP: 24576:MqMW9V48fsJDeQNR+On3nvH283T+h5rE6hwcoeltQj/l:7MMmJ/DTKhEezSd
Malware Config
Extracted
cybergate
2.6
vítima
your_dns_here:81
simba13.no-ip.biz:81
***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: spynet
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: abcd1234
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rst.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | rst.exe
- Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rst.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | rst.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
description | ioc | process
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{L35L658K-G32B-B41M-NHSG-5V72G0C2HR12} | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{L35L658K-G32B-B41M-NHSG-5V72G0C2HR12}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe" | explorer.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{L35L658K-G32B-B41M-NHSG-5V72G0C2HR12} | rst.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{L35L658K-G32B-B41M-NHSG-5V72G0C2HR12}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe Restart" | rst.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | rst.exe
Executes dropped EXE (3 IoCs)
Processes:
pid | process
- 4784 | rst.exe
- 3372 | rst.exe
- 3976 | server.exe
Processes:
resource | yara_rule
- behavioral2/memory/4784-10-0x0000000024010000-0x0000000024072000-memory.dmp | upx
- behavioral2/memory/4784-69-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
- behavioral2/memory/2100-73-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
- behavioral2/memory/2100-74-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
- behavioral2/memory/3372-144-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
- behavioral2/memory/2100-161-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
- behavioral2/memory/3372-165-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe" | rst.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe" | rst.exe
Drops file in System32 directory (3 IoCs)
Processes:
description | ioc | process
- File opened for modification | C:\Windows\SysWOW64\rst.exe | 9746945d0bc71b355e35f581c074ed11_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\spynet\server.exe | rst.exe
- File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | rst.exe
Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
- 3292 | 3976 | WerFault.exe | server.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rst.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9746945d0bc71b355e35f581c074ed11_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rst.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Modifies registry class (1 IoC)
Processes:
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | rst.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
- 4784 | rst.exe
- 4784 | rst.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
pid | process
- 4784 | rst.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
- 5048 | 9746945d0bc71b355e35f581c074ed11_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
- PID 5048 wrote to memory of 4784 | 5048 | 9746945d0bc71b355e35f581c074ed11_JaffaCakes118.exe | rst.exe
- PID 5048 wrote to memory of 4784 | 5048 | 9746945d0bc71b355e35f581c074ed11_JaffaCakes118.exe | rst.exe
- PID 5048 wrote to memory of 4784 | 5048 | 9746945d0bc71b355e35f581c074ed11_JaffaCakes118.exe | rst.exe
- PID 4784 wrote to memory of 3412 | 4784 | rst.exe | Explorer.EXE
  (this row is repeated for every remaining IoC of the signature; 64 IoCs in total)
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3412
  - C:\Users\Admin\AppData\Local\Temp\9746945d0bc71b355e35f581c074ed11_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9746945d0bc71b355e35f581c074ed11_JaffaCakes118.exe"
    PID: 5048
    signatures:
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rst.exe
      command line: C:\Windows\system32\rst.exe
      PID: 4784
      signatures:
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe
        command line: explorer.exe
        PID: 2100
        signatures:
        - Boot or Logon Autostart Execution: Active Setup
        - System Location Discovery: System Language Discovery
      - C:\Program Files\Internet Explorer\iexplore.exe
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 3732
      - C:\Windows\SysWOW64\rst.exe
        command line: "C:\Windows\SysWOW64\rst.exe"
        PID: 3372
        signatures:
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - C:\Windows\SysWOW64\spynet\server.exe
          command line: "C:\Windows\system32\spynet\server.exe"
          PID: 3976
          signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 576
            PID: 3292
            signatures:
            - Program crash
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
  PID: 2188
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3976 -ip 3976
  PID: 3796
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Downloads
- Filesize: 229KB
  MD5: a350b1fdec828e190f2d059864495f31
  SHA1: 4ad9da612a7baa9ae48f5f507519c3cb3f214790
  SHA256: 0ea6e2f4a858dded07e4d94795aa0ef7a5f84cc03ceb0449093ea429d002b664
  SHA512: a8982bfd529310276fb026694a191d58b8fcadfe0579791c98ffe352f193f2e6c91b52ca39953e56d08948b70eb9e82d04220379aa9ca154c74bb910d64984e0
- Filesize: 963KB
  MD5: 0a8406991aa9e2f18f481f3949a7bd88
  SHA1: e4aacfa85079cfb968272f4d0ce6ac23b77d7b7d
  SHA256: 5a3d5471cdc289230bebb735246040a371e59d1d1d5ac2f3a165c3e0573ddad8
  SHA512: 86c97c7598ea925ae52707990d687e01826b0dccbc1fd7dc56501bf5f5fe0feb918e7bf12214a2e16cbeb13eec408d8b96e390f3bcf3109835da52a8b48f84f8