Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-08-2024 16:13

General

  • Target

    9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe

  • Size

    276KB

  • MD5

    9ab644449c7139b4ae722c8044383e4b

  • SHA1

    04356f283d8278241598c5d97261344bcb2fd8d1

  • SHA256

    5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1

  • SHA512

    f45cc5cf5bf52ae93a7ab8c921e31999f083c71508997e50cf7bb99cbd8ecc7bd3d77301ac5117ecf3eb414fbed465f82b2d5cac05a3f6dca5e180baae0c8fc9

  • SSDEEP

    6144:Dk4qm8zcCzjrTvmXAtEZghSNdKaRafNDPKGviNI8h1hfwO:49/LvmwiTNdiPK/Nw

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    vítima (Portuguese: "victim")

  • C2

    189.5.87.27:81

  • Mutex

    PSICODELIKA

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem (Portuguese: "message text")

  • message_box_title

    título da mensagem (Portuguese: "message title")

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
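
The Malware Config and the persistence signatures above together predict what this sample leaves on a host: a copy at C:\<install_dir>\<install_file>, a Run/policy Run value and an Active Setup component pointing at it, the PSICODELIKA mutex, and traffic to 189.5.87.27:81 from the configured injection target explorer.exe. The Python below is an added example written for this report (it is not tria.ge code and not CyberGate's own); it derives those artefacts from the extracted config and tags matching host observations. The registry key paths are the standard Windows locations for the three techniques named in Signatures; the Run value name, the Active Setup GUID and the sample observations are constructed placeholders, since the page does not show them.

```python
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# Extracted config values, copied from the Malware Config section of this report.
CONFIG = {
    "c2": "189.5.87.27:81",
    "mutex": "PSICODELIKA",
    "install_dir": "install",
    "install_file": "server.exe",
    "injected_process": "explorer.exe",
}

# Standard locations behind the persistence signatures in this report ("Adds Run
# key", "Adds policy Run key", "Active Setup"). The value NAME written under the
# Run keys is not on the page, so any value whose data points at the install
# path counts; Active Setup runs whatever the StubPath value names.
RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
}
ACTIVE_SETUP_RE = re.compile(
    r"^HK(?:LM|CU)\\Software\\Microsoft\\Active Setup\\Installed Components\\\{[0-9A-Fa-f-]+\}$",
    re.IGNORECASE,
)


def expected_artifacts(cfg: Dict[str, str]) -> Dict[str, object]:
    """Turn the config into concrete host and network artefacts to look for."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        # install_dir is relative to the system drive: this report shows the
        # dropped copy at C:\install\server.exe.
        "install_path": ntpath.join("C:\\", cfg["install_dir"], cfg["install_file"]),
        "mutex": cfg["mutex"],
        "c2_host": host,
        "c2_port": int(port),
        "injected_process": cfg["injected_process"].lower(),
    }


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def match_observations(observations: Iterable[Dict[str, object]],
                       cfg: Dict[str, str] = CONFIG) -> List[Tuple[str, Dict[str, object]]]:
    """Tag every observation that matches an artefact implied by the config."""
    exp = expected_artifacts(cfg)
    install = _norm(str(exp["install_path"]))
    hits = []
    for ob in observations:
        kind = ob["type"]
        if kind == "file" and _norm(str(ob["path"])) == install:
            hits.append(("install_file_present", ob))
        elif kind == "mutex" and ob["name"] == exp["mutex"]:
            hits.append(("mutex", ob))
        elif kind == "netconn" and ob["dst_ip"] == exp["c2_host"] and ob["dst_port"] == exp["c2_port"]:
            # C2 traffic sourced from the configured injection target is the
            # strongest single signal this config predicts.
            from_target = str(ob.get("image", "")).lower() == exp["injected_process"]
            hits.append(("c2_from_injected_process" if from_target else "c2_connection", ob))
        elif kind == "registry":
            data = _norm(str(ob.get("data", "")))
            if ob["key"] in RUN_KEYS and install in data:
                hits.append(("run_key_persistence", ob))
            elif (ACTIVE_SETUP_RE.match(str(ob["key"]))
                  and str(ob.get("name", "")).lower() == "stubpath" and install in data):
                hits.append(("active_setup_persistence", ob))
    return hits


# Constructed host observations for a dry run: the first five are what this
# report's config predicts, the last two are benign noise that must not match.
# The Run value name "Updater" and the all-zero Active Setup GUID are invented.
SAMPLE_OBSERVATIONS = [
    {"type": "file", "path": r"C:\install\server.exe"},
    {"type": "mutex", "name": "PSICODELIKA"},
    {"type": "netconn", "pid": 2368, "image": "explorer.exe", "dst_ip": "189.5.87.27", "dst_port": 81},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "name": "Updater", "data": r"C:\install\server.exe"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}",
     "name": "StubPath", "data": r"C:\install\server.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "netconn", "pid": 2928, "image": "iexplore.exe", "dst_ip": "203.0.113.10", "dst_port": 80},
]

if __name__ == "__main__":
    for tag, ob in match_observations(SAMPLE_OBSERVATIONS):
        print(f"{tag:28s} {ob}")
```

Feed it the output of an EDR or a forensic triage pass (file listing, registry values, mutexes, connections) in the same dict shape; a `run_key_persistence` or `active_setup_persistence` hit whose data names the install path is actionable regardless of which value name this particular build chose.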

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1300
      • C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          PID:2368
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:2928
          • C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe"
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1632
            • C:\install\server.exe
              "C:\install\server.exe"
              4⤵
              • Executes dropped EXE
              PID:2592

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

        Filesize

        229KB

        MD5

        ede4ab0dc240d253ec6719bb232ced84

        SHA1

        f2e3d4558906ee268dd36595f1b5b22a37764c65

        SHA256

        76e94dfb3166cb8794b3be486bdfa5fb1566ec06a780c5fe328a8090cc67fbb5

        SHA512

        a1fa26d4c0487a2536269f19c9f98726c416cafb8fd16a7d02aff504c3c9a4c13db31778dbb9a9ccf94e1ca8802aaa2064ae2be734e2901ff4eae17be7287eb4

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        fb6445b5335a91922c5e6e68cc71d520

        SHA1

        f21e3cd41ada38f307dbd7d89c3e87811278416d

        SHA256

        b5f0ddece953bb5203c8d7ca0039b72acc90b1df5849655b6a99df58ec3ef75c

        SHA512

        a0df91c1eae6591318f6c29e1d7a47b5d99d8f1e2a1646d7ce51e42dbe22041ccc5cefe8a82e2485197bae028c7f1994c1a77aaf769bcad6ae9636d71d3c0834

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        1cf765ecdf79c04773488dac4785327e

        SHA1

        959fd2d22c4b47904255fe3c418ab7c6814c4140

        SHA256

        162172801ccc25363aea0ceffde08b4cae340b839fdfaf23b4664932af889462

        SHA512

        3bc547356b4c4d35b1dcf454249fc94b164b0b01888d26b104203967d179d9fb77c0bd122fc9547cae78392ecf866ca148ed4ade91d433ea8225277c420eff88

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        734339e3dcb0dd446bcccb852ccdaf80

        SHA1

        bca375481f3e554addc47a5c36692438a630945c

        SHA256

        1547acab6d10c894e1c9b9a05b381c769a4af1c61fa3290f0c0b43a0f70be7f5

        SHA512

        dbf6baad219a554f20342db66fe6b718e12058d73854f426e65b3739e62372855641cd2d4717893915e57f3746fe7d0e16a370382a4acd8ae7a91d33080c7494

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        4bec79e0cfa17c450a618803aa2b5bda

        SHA1

        3d609504d946b86f60589229ca44f07a828deefd

        SHA256

        ef1eed846e3de911f319cc90f26c8d8359b3a58934e9da99676c2e03302afe49

        SHA512

        a36dc78d7cba4c89cdc944e753345a2a223271bfe3e6d271c380a43a3767425b09d6e250ba72c446e8ca7653c41e91614c2ebccf209e32e01a4a27e45c3594c8

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        a7bcf93b2e933b7cc828cdaa41a96670

        SHA1

        fe7fe6a6e2b8c9f0a4c6ef1c0f8145623b87e203

        SHA256

        0736c6dd3c4f7502d717078d58227f8d2c8eb79e9435ee8631cfc9c5d4e15750

        SHA512

        70b028eebc28aac649fa2857d797e9d32777b0359c9695e29e4605d099a3677358df5d8ad6d9170480bb7c9f31b399709984883a5958ba2384424ebdd80f2413

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        f12bf4538897f8a3c64ca2c6d4384ebb

        SHA1

        41d64e502c7cbd6e5242caea1bebcee6e2f883fe

        SHA256

        9c2d188ba427261a512947e2c1ce9a99d467f735a78a73330780da045e8d7bd3

        SHA512

        50cb1bddc319c01bf76ee5e58ee040c3289247d8530e57c1c248083a4a80dc225a04de5ecf0713adc941422bdeaa9aaf4bbcae77877b52bb375330c0bc51596f

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        550a067fda5040bf35d9fbc2ecde6803

        SHA1

        f2dbdb2f452db37a8354270b03b9ed4040455bee

        SHA256

        3f76b9626e359555e5f7ec4e99b1c8e06bb139d360bb5f77f842536102f3ded3

        SHA512

        742bdada4a3e432b3f20969a1516c5f2a05d3f3c6114666e127fac052fc913a7c2f44f9efda07cd0f96d6e4295a54adfa844ee831affee1ec82d59f9ae637033

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        0c59284fc3e6fd5a27d8e6063a3cfb11

        SHA1

        7ba57b8b43ef48b54605735d52bf6a69feba02e5

        SHA256

        66323070d53b29c70a95a28033ab61c1a9a991b8c897806eb73f5388b629d479

        SHA512

        7cadc74d292208a3e9c63c29c5ee77fb9d135e1730da689106fb83f00294d7b9525e0cd689c7ad5701b13966f7be816fd8a3d6ba530e6e02823f20ea21032661

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        8b77986f78fecca844187ffa90f226f8

        SHA1

        8f2f505561f495cc297d05805ba5e523d6e147ad

        SHA256

        9d5dcac8ef78cc0bcee912f0d8508627607f9e0b40d299c5929216040bbf0ada

        SHA512

        deaf6a8e128ac8988c5b016561292228ab609d96398ddcf9ff5a6854015418b1e98222519296b156ddbaf1486529f74eb775c9d886a27d0267a81f0fe2f01d31

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        21e4851d992d171d03070c57f6264571

        SHA1

        95722a82701400a574ecdbf54cf98025f9a61e18

        SHA256

        934db246b0319b5a6c5b3de78c59e3a814fc5095d26d4268b8c907bd6aa08b6b

        SHA512

        2fe08f82f01fa081834dd4ea605cbe94d2b5a6fac31260af65a0b06b4b0ece332df69e47d19e0704a2c1064b64fcbc71d3aa165f5b8f97f4f7959284275b8820

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        687d5b1c6f0a45f44808453c8d7a421b

        SHA1

        707c35a7a18c34567feea6f35e0ea2cb8722d3dd

        SHA256

        1b060df76a0d5c748e458f705637c50525cadd8c5d371c2c93838308c422cffd

        SHA512

        43f82013205971d219ad9afa95041d4ca1fbd608a1e47a76ddbf767f4821297ada714676558d383686fe4c847a63d47570201d30118b988cca0dfda5a4e8b00e

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        c2438a51f22d06fb7352c5cf46ced941

        SHA1

        f0c627f143760a936fac093d2622b2ff26842611

        SHA256

        94b262cd319996e00d317ebe7f2b8673c27bd1ec8d5d11b5987bd2a85873b53a

        SHA512

        2b988dbd427d14ea989d0401ccf42bfdde627455a71db2533b492ca83e73e58ad5ecaff1e8507394c45a6ea8c85a3a1523eb395da1d01f03146639387412821e

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        1d827f505228ca285b5fcf109be773a7

        SHA1

        e2699cfdd258ddd7978a2877dd9f82bbfb0497a5

        SHA256

        f468fc79f590cb7e6a12a1ec2ae0f6a67d0c198a781b5c7212431e402e2aa7d1

        SHA512

        3745dcf03d6197a02d2346880d675d02772be47ba0e737c22342b3ca3f59675ea6dafd944978bf096dcb4385fc59224e77854115ecd253c994a26298d621c1ad

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        74797a74c178f3c0cf5186efa6174d33

        SHA1

        d9d307dbe3793b568404acbbc68e62a8b2475d60

        SHA256

        d1a0133d311a61e6dbefe97e1255ab48aefb78c7492c21a844c7f9f3872d5a14

        SHA512

        54ee1a7140e974d94db69a8e076dae08470f86fef30ee9d4f12c7e32ffcfeed08cf7bff49d7bf3688890eb41a4b9da13b820d309da988883c2d6b684cf207d64

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        aaffd81975b243aeda71664f74738c43

        SHA1

        8e28cfed3ada884f66a11b46f4332fb413eef807

        SHA256

        a314947908bc63b29b1cf8452991d1bf5739135499f10b50fa892c5a3720ecc8

        SHA512

        245d02990e6c8b750cb0d20cd3f423bb30d5a5a95792453c555c1e3aae102a3c257b3b8096281d5968121afde61ca6047348cf1c894a057bb0f4d556afdd3636

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        056466b5b74a107a79a26819cf1746e5

        SHA1

        586293c832636c76dd2605e38530660c92c1bf62

        SHA256

        a239b18edc6841424cafc988fd0ae78c56364fb55b056983cbff026b58b00441

        SHA512

        788e586ae3e3fe37e003155fb4b8018c3b197ca7ddcf0485a98eaf3f5db09825353b6ee368b4085206292b4a8c626297608f2bdb2a6b226967bd99847c6f896e

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        6eb8aff4c5ab039c13cac9503665ab01

        SHA1

        d6edaed15c05fd913df99a96ab4b44b2f838e462

        SHA256

        84fdf1bcfdac6919628287948c66a293f5f32c5d148fced55096996102e64788

        SHA512

        9f866cf064776f43e358c6dbc0b955853338a61ecabb3f211644b245a366cb5dccbdd4ad4ba7958de63346c9a072b8c9a595814de64391d186d0e75b8a397532

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        a4216fd86b46ca6d32fcef0d8da63fef

        SHA1

        2ff817a8b90daef81377edb9795e5f13cb4e7887

        SHA256

        928476bdfb64879b8cc3165e440115134c464aca8c94f6e65e1f60918a3f3973

        SHA512

        c47dc9c07f19644ed541025ac6487f796b34d7f54abca8d2fc37708987ed04ea2ca8fa266f90ba998e8339620514df260e2bfc845dc4b64f449dd65e7e1f3931

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        84324c563e46a5918b89906f5603c01c

        SHA1

        aedeeee04f650a42bfa995e05d735d8c54843619

        SHA256

        a06b629f2d650124cdbe82aadd41e9856c7e6d964821b75ee1b10d7ada8ae0b3

        SHA512

        d5419c116f02b3b4f98b23cdc1fdb706dfe13536f5f27f65312034751eaeadf2e9282ca751d997c6fd2c64b3ba74aa61166eb49c35f082215ec0671ec444d147

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        c1fb4bc55250a2006195b03ec5f220f7

        SHA1

        387ce2790b27d54cf0b2ca43ea700126e6fff791

        SHA256

        a22853ea7704a37247b6b127fc3e4dd32102b1e2f002f3a134aec148dcdc1648

        SHA512

        170419fc85dd938a5b84b2060ed7820f012c78c39378d9275ec846bacab2f1197f13dc28b9f8fb4b957727f5fbc108011b8b3b6ede21f463fa460692be7eeac0

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        0daeefa64e1d1119a8a06ac5368bcfb1

        SHA1

        bb9323b4b6c263e91227340a81a1678b9bb41e48

        SHA256

        08f2e622bd9617e66c4bebe95ad2e35a0fe8b36d12d0e8b320df56bb8678a17c

        SHA512

        bab03e6ceb877073c2138589261bcbfb4360802e730c3d764c3bc4deced88598b248b77bee8eab05fd93ca1fd006bc13a2f16dfca1a6c903ae2fadf553be9955

      • C:\Users\Admin\AppData\Roaming\logs.dat

        Filesize

        15B

        MD5

        e21bd9604efe8ee9b59dc7605b927a2a

        SHA1

        3240ecc5ee459214344a1baac5c2a74046491104

        SHA256

        51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

        SHA512

        42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

      • C:\install\server.exe

        Filesize

        276KB

        MD5

        9ab644449c7139b4ae722c8044383e4b

        SHA1

        04356f283d8278241598c5d97261344bcb2fd8d1

        SHA256

        5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1

        SHA512

        f45cc5cf5bf52ae93a7ab8c921e31999f083c71508997e50cf7bb99cbd8ecc7bd3d77301ac5117ecf3eb414fbed465f82b2d5cac05a3f6dca5e180baae0c8fc9

      • memory/1300-4-0x0000000002220000-0x0000000002221000-memory.dmp

        Filesize

        4KB

      • memory/1632-913-0x0000000006A90000-0x0000000006AE7000-memory.dmp

        Filesize

        348KB

      • memory/1632-906-0x0000000006A90000-0x0000000006AE7000-memory.dmp

        Filesize

        348KB

      • memory/1632-911-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

      • memory/2368-249-0x0000000000160000-0x0000000000161000-memory.dmp

        Filesize

        4KB

      • memory/2368-247-0x00000000000E0000-0x00000000000E1000-memory.dmp

        Filesize

        4KB

      • memory/2368-553-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

      • memory/2368-908-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

      • memory/2444-0-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

      • memory/2444-3-0x0000000024010000-0x0000000024072000-memory.dmp

        Filesize

        392KB

      • memory/2444-337-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

      • memory/2444-577-0x0000000000220000-0x0000000000277000-memory.dmp

        Filesize

        348KB

      • memory/2444-885-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

      • memory/2592-910-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB
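
Two things in the lists above are worth checking mechanically rather than by eye. First, C:\install\server.exe carries exactly the submitted sample's MD5/SHA-1/SHA-256/SHA-512, so the "install" step is a byte-for-byte self-copy, while C:\Users\Admin\AppData\Local\Temp\XxX.xXx was rewritten many times with different content. Second, the 392KB region at 0x24080000 in PID 2368 (the SysWOW64 explorer.exe the sample spawned, which the config names as injected_process) is the same size as the 392KB region at 0x24010000 in the sample's own PID 2444, and the sample is flagged for WriteProcessMemory. The Python below is an added example written for this report, not tria.ge output and not part of the sample: it parses the dump names and a subset of the Downloads entries copied from this page, and the "same region size in the injection target and another process" heuristic is this example's assumption, not a conclusion the sandbox states.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# PID -> image, read off the process tree in this report.
PROCS = {
    1300: "Explorer.EXE",
    2444: "9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe",
    2368: "explorer.exe",
    2928: "iexplore.exe",
    1632: "9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe",
    2592: "server.exe",
}

# Memory-dump names exactly as listed in this report.
MEMORY_DUMPS = [
    "memory/1300-4-0x0000000002220000-0x0000000002221000-memory.dmp",
    "memory/1632-913-0x0000000006A90000-0x0000000006AE7000-memory.dmp",
    "memory/1632-906-0x0000000006A90000-0x0000000006AE7000-memory.dmp",
    "memory/1632-911-0x0000000000400000-0x0000000000457000-memory.dmp",
    "memory/2368-249-0x0000000000160000-0x0000000000161000-memory.dmp",
    "memory/2368-247-0x00000000000E0000-0x00000000000E1000-memory.dmp",
    "memory/2368-553-0x0000000024080000-0x00000000240E2000-memory.dmp",
    "memory/2368-908-0x0000000024080000-0x00000000240E2000-memory.dmp",
    "memory/2444-0-0x0000000000400000-0x0000000000457000-memory.dmp",
    "memory/2444-3-0x0000000024010000-0x0000000024072000-memory.dmp",
    "memory/2444-337-0x0000000000400000-0x0000000000457000-memory.dmp",
    "memory/2444-577-0x0000000000220000-0x0000000000277000-memory.dmp",
    "memory/2444-885-0x0000000000400000-0x0000000000457000-memory.dmp",
    "memory/2592-910-0x0000000000400000-0x0000000000457000-memory.dmp",
]
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

SAMPLE_SHA256 = "5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1"

# (path, sha256) pairs from the Downloads list; only three of the XxX.xXx
# rewrites are kept here to stay short.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt", "76e94dfb3166cb8794b3be486bdfa5fb1566ec06a780c5fe328a8090cc67fbb5"),
    (r"C:\Users\Admin\AppData\Local\Temp\XxX.xXx", "b5f0ddece953bb5203c8d7ca0039b72acc90b1df5849655b6a99df58ec3ef75c"),
    (r"C:\Users\Admin\AppData\Local\Temp\XxX.xXx", "162172801ccc25363aea0ceffde08b4cae340b839fdfaf23b4664932af889462"),
    (r"C:\Users\Admin\AppData\Local\Temp\XxX.xXx", "1547acab6d10c894e1c9b9a05b381c769a4af1c61fa3290f0c0b43a0f70be7f5"),
    (r"C:\Users\Admin\AppData\Roaming\logs.dat", "51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46"),
    (r"C:\install\server.exe", "5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1"),
]


def parse_memory(names: List[str]) -> List[Dict[str, int]]:
    """memory/<pid>-<seq>-<start>-<end>-memory.dmp -> pid, seq, start, end, size."""
    regions = []
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            regions.append({"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start})
    return regions


def regions_by_size(regions: List[Dict[str, int]], min_size: int = 0x10000) -> Dict[int, Set[int]]:
    """size -> PIDs holding a region of exactly that size, keeping only sizes
    seen in more than one process; 4KB scratch pages are ignored."""
    by_size: Dict[int, Set[int]] = defaultdict(set)
    for r in regions:
        if r["size"] >= min_size:
            by_size[r["size"]].add(r["pid"])
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


def injection_candidates(regions, procs, injected="explorer.exe"):
    """Regions in the configured injection target whose size equals a region in
    some other process. A heuristic, not proof: (size, target_pid, other_pids)."""
    hits = []
    for size, pids in regions_by_size(regions).items():
        for pid in pids:
            if procs.get(pid, "").lower() == injected:
                hits.append((size, pid, sorted(pids - {pid})))
    return sorted(hits)


def self_copies(dropped, sample_sha256):
    """Dropped files byte-identical to the submitted sample (same SHA-256)."""
    return [path for path, sha in dropped if sha.lower() == sample_sha256.lower()]


def rewritten_paths(dropped):
    """Paths written more than once with differing content -> number of versions."""
    versions = defaultdict(set)
    for path, sha in dropped:
        versions[path].add(sha.lower())
    return {path: len(shas) for path, shas in versions.items() if len(shas) > 1}


if __name__ == "__main__":
    regions = parse_memory(MEMORY_DUMPS)
    for size, pid, others in injection_candidates(regions, PROCS):
        print(f"0x{size:x} ({size // 1024} KB) region in PID {pid} ({PROCS[pid]}) also in PIDs {others}")
    print("self-copies of the sample:", self_copies(DROPPED, SAMPLE_SHA256))
    print("rewritten paths:", rewritten_paths(DROPPED))
```

The 348KB size shared by PIDs 2444, 1632 and 2592 is simply the image itself (0x400000 to 0x457000) in the three processes that run the same file, which is why `injection_candidates` only reports the 392KB region in the explorer.exe child; the script does not confirm what that region contains, only that it is the one worth dumping and diffing against PID 2444's copy.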