Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-08-2024 16:13

General

  • Target

    9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe

  • Size

    276KB

  • MD5

    9ab644449c7139b4ae722c8044383e4b

  • SHA1

    04356f283d8278241598c5d97261344bcb2fd8d1

  • SHA256

    5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1

  • SHA512

    f45cc5cf5bf52ae93a7ab8c921e31999f083c71508997e50cf7bb99cbd8ecc7bd3d77301ac5117ecf3eb414fbed465f82b2d5cac05a3f6dca5e180baae0c8fc9

  • SSDEEP

    6144:Dk4qm8zcCzjrTvmXAtEZghSNdKaRafNDPKGviNI8h1hfwO:49/LvmwiTNdiPK/Nw

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    vítima

  • C2

    189.5.87.27:81

  • Mutex

    PSICODELIKA

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4636
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          PID:1928
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:2296
          • C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe"
            3⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2808
            • C:\install\server.exe
              "C:\install\server.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2864
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 564
                5⤵
                • Program crash
                PID:2008
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2864 -ip 2864
        1⤵
          PID:1480

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

          Filesize

          229KB

          MD5

          ede4ab0dc240d253ec6719bb232ced84

          SHA1

          f2e3d4558906ee268dd36595f1b5b22a37764c65

          SHA256

          76e94dfb3166cb8794b3be486bdfa5fb1566ec06a780c5fe328a8090cc67fbb5

          SHA512

          a1fa26d4c0487a2536269f19c9f98726c416cafb8fd16a7d02aff504c3c9a4c13db31778dbb9a9ccf94e1ca8802aaa2064ae2be734e2901ff4eae17be7287eb4

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          0ed06331028d63d49b4ee01f2641e352

          SHA1

          2a76c44528446443fe834ea00504df8e925cd000

          SHA256

          66d61dec7c65089d46126a3491ee7530969a4cbd60a211ce42f2d286cf1fc4ce

          SHA512

          1f78ac0ec1e8aa9cac135cc5e0acbd058b8409b687ed71f6c36a1748d99d619cc224570306608925e745835c85f424a2815e5882ec24199580dcbc33527897d3

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          2779c84ceced72a3d34b16b6df3a2741

          SHA1

          bacf8a924fcf87660c78b38932458bf42cb7811f

          SHA256

          5e1ad37e803217090dbb19d5f0583fe9b6bbd97760361bc61782573504d08461

          SHA512

          46ecf84435a008aad5171380ceeefdcb542318150bc8f06025d1f7e1e2bc8871072321d1ec957843f61594e66d276574a8a094d634b97b14b200c3772f144601

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          34d92c2987f6e95b83f84e300837ad18

          SHA1

          ed4e214b926098ffb26edda4c7c139f7b72e5c05

          SHA256

          214aed4cff482c2355a6c17908e88eb595fc9fd62e8e6ced533eb77a30a30a74

          SHA512

          e300a3e916b7132f96f271a147232322533cc6280be96d7cc0565049fd8aefb5ca8f6e170fee9e4ae4262db7f7463af068e19dc5175c4e63781e1ecfef59ef94

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          fb6445b5335a91922c5e6e68cc71d520

          SHA1

          f21e3cd41ada38f307dbd7d89c3e87811278416d

          SHA256

          b5f0ddece953bb5203c8d7ca0039b72acc90b1df5849655b6a99df58ec3ef75c

          SHA512

          a0df91c1eae6591318f6c29e1d7a47b5d99d8f1e2a1646d7ce51e42dbe22041ccc5cefe8a82e2485197bae028c7f1994c1a77aaf769bcad6ae9636d71d3c0834

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          1cf765ecdf79c04773488dac4785327e

          SHA1

          959fd2d22c4b47904255fe3c418ab7c6814c4140

          SHA256

          162172801ccc25363aea0ceffde08b4cae340b839fdfaf23b4664932af889462

          SHA512

          3bc547356b4c4d35b1dcf454249fc94b164b0b01888d26b104203967d179d9fb77c0bd122fc9547cae78392ecf866ca148ed4ade91d433ea8225277c420eff88

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          734339e3dcb0dd446bcccb852ccdaf80

          SHA1

          bca375481f3e554addc47a5c36692438a630945c

          SHA256

          1547acab6d10c894e1c9b9a05b381c769a4af1c61fa3290f0c0b43a0f70be7f5

          SHA512

          dbf6baad219a554f20342db66fe6b718e12058d73854f426e65b3739e62372855641cd2d4717893915e57f3746fe7d0e16a370382a4acd8ae7a91d33080c7494

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          4bec79e0cfa17c450a618803aa2b5bda

          SHA1

          3d609504d946b86f60589229ca44f07a828deefd

          SHA256

          ef1eed846e3de911f319cc90f26c8d8359b3a58934e9da99676c2e03302afe49

          SHA512

          a36dc78d7cba4c89cdc944e753345a2a223271bfe3e6d271c380a43a3767425b09d6e250ba72c446e8ca7653c41e91614c2ebccf209e32e01a4a27e45c3594c8

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          a7bcf93b2e933b7cc828cdaa41a96670

          SHA1

          fe7fe6a6e2b8c9f0a4c6ef1c0f8145623b87e203

          SHA256

          0736c6dd3c4f7502d717078d58227f8d2c8eb79e9435ee8631cfc9c5d4e15750

          SHA512

          70b028eebc28aac649fa2857d797e9d32777b0359c9695e29e4605d099a3677358df5d8ad6d9170480bb7c9f31b399709984883a5958ba2384424ebdd80f2413

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          f12bf4538897f8a3c64ca2c6d4384ebb

          SHA1

          41d64e502c7cbd6e5242caea1bebcee6e2f883fe

          SHA256

          9c2d188ba427261a512947e2c1ce9a99d467f735a78a73330780da045e8d7bd3

          SHA512

          50cb1bddc319c01bf76ee5e58ee040c3289247d8530e57c1c248083a4a80dc225a04de5ecf0713adc941422bdeaa9aaf4bbcae77877b52bb375330c0bc51596f

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          550a067fda5040bf35d9fbc2ecde6803

          SHA1

          f2dbdb2f452db37a8354270b03b9ed4040455bee

          SHA256

          3f76b9626e359555e5f7ec4e99b1c8e06bb139d360bb5f77f842536102f3ded3

          SHA512

          742bdada4a3e432b3f20969a1516c5f2a05d3f3c6114666e127fac052fc913a7c2f44f9efda07cd0f96d6e4295a54adfa844ee831affee1ec82d59f9ae637033

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          0c59284fc3e6fd5a27d8e6063a3cfb11

          SHA1

          7ba57b8b43ef48b54605735d52bf6a69feba02e5

          SHA256

          66323070d53b29c70a95a28033ab61c1a9a991b8c897806eb73f5388b629d479

          SHA512

          7cadc74d292208a3e9c63c29c5ee77fb9d135e1730da689106fb83f00294d7b9525e0cd689c7ad5701b13966f7be816fd8a3d6ba530e6e02823f20ea21032661

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          8b77986f78fecca844187ffa90f226f8

          SHA1

          8f2f505561f495cc297d05805ba5e523d6e147ad

          SHA256

          9d5dcac8ef78cc0bcee912f0d8508627607f9e0b40d299c5929216040bbf0ada

          SHA512

          deaf6a8e128ac8988c5b016561292228ab609d96398ddcf9ff5a6854015418b1e98222519296b156ddbaf1486529f74eb775c9d886a27d0267a81f0fe2f01d31

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          21e4851d992d171d03070c57f6264571

          SHA1

          95722a82701400a574ecdbf54cf98025f9a61e18

          SHA256

          934db246b0319b5a6c5b3de78c59e3a814fc5095d26d4268b8c907bd6aa08b6b

          SHA512

          2fe08f82f01fa081834dd4ea605cbe94d2b5a6fac31260af65a0b06b4b0ece332df69e47d19e0704a2c1064b64fcbc71d3aa165f5b8f97f4f7959284275b8820

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          687d5b1c6f0a45f44808453c8d7a421b

          SHA1

          707c35a7a18c34567feea6f35e0ea2cb8722d3dd

          SHA256

          1b060df76a0d5c748e458f705637c50525cadd8c5d371c2c93838308c422cffd

          SHA512

          43f82013205971d219ad9afa95041d4ca1fbd608a1e47a76ddbf767f4821297ada714676558d383686fe4c847a63d47570201d30118b988cca0dfda5a4e8b00e

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          c2438a51f22d06fb7352c5cf46ced941

          SHA1

          f0c627f143760a936fac093d2622b2ff26842611

          SHA256

          94b262cd319996e00d317ebe7f2b8673c27bd1ec8d5d11b5987bd2a85873b53a

          SHA512

          2b988dbd427d14ea989d0401ccf42bfdde627455a71db2533b492ca83e73e58ad5ecaff1e8507394c45a6ea8c85a3a1523eb395da1d01f03146639387412821e

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          1d827f505228ca285b5fcf109be773a7

          SHA1

          e2699cfdd258ddd7978a2877dd9f82bbfb0497a5

          SHA256

          f468fc79f590cb7e6a12a1ec2ae0f6a67d0c198a781b5c7212431e402e2aa7d1

          SHA512

          3745dcf03d6197a02d2346880d675d02772be47ba0e737c22342b3ca3f59675ea6dafd944978bf096dcb4385fc59224e77854115ecd253c994a26298d621c1ad

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          74797a74c178f3c0cf5186efa6174d33

          SHA1

          d9d307dbe3793b568404acbbc68e62a8b2475d60

          SHA256

          d1a0133d311a61e6dbefe97e1255ab48aefb78c7492c21a844c7f9f3872d5a14

          SHA512

          54ee1a7140e974d94db69a8e076dae08470f86fef30ee9d4f12c7e32ffcfeed08cf7bff49d7bf3688890eb41a4b9da13b820d309da988883c2d6b684cf207d64

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          aaffd81975b243aeda71664f74738c43

          SHA1

          8e28cfed3ada884f66a11b46f4332fb413eef807

          SHA256

          a314947908bc63b29b1cf8452991d1bf5739135499f10b50fa892c5a3720ecc8

          SHA512

          245d02990e6c8b750cb0d20cd3f423bb30d5a5a95792453c555c1e3aae102a3c257b3b8096281d5968121afde61ca6047348cf1c894a057bb0f4d556afdd3636

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          056466b5b74a107a79a26819cf1746e5

          SHA1

          586293c832636c76dd2605e38530660c92c1bf62

          SHA256

          a239b18edc6841424cafc988fd0ae78c56364fb55b056983cbff026b58b00441

          SHA512

          788e586ae3e3fe37e003155fb4b8018c3b197ca7ddcf0485a98eaf3f5db09825353b6ee368b4085206292b4a8c626297608f2bdb2a6b226967bd99847c6f896e

        • C:\Users\Admin\AppData\Roaming\logs.dat

          Filesize

          15B

          MD5

          e21bd9604efe8ee9b59dc7605b927a2a

          SHA1

          3240ecc5ee459214344a1baac5c2a74046491104

          SHA256

          51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

          SHA512

          42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

        • C:\install\server.exe

          Filesize

          276KB

          MD5

          9ab644449c7139b4ae722c8044383e4b

          SHA1

          04356f283d8278241598c5d97261344bcb2fd8d1

          SHA256

          5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1

          SHA512

          f45cc5cf5bf52ae93a7ab8c921e31999f083c71508997e50cf7bb99cbd8ecc7bd3d77301ac5117ecf3eb414fbed465f82b2d5cac05a3f6dca5e180baae0c8fc9

        • memory/1928-162-0x0000000024080000-0x00000000240E2000-memory.dmp

          Filesize

          392KB

        • memory/1928-8-0x00000000012B0000-0x00000000012B1000-memory.dmp

          Filesize

          4KB

        • memory/1928-70-0x0000000024080000-0x00000000240E2000-memory.dmp

          Filesize

          392KB

        • memory/1928-68-0x0000000003E60000-0x0000000003E61000-memory.dmp

          Filesize

          4KB

        • memory/1928-9-0x0000000001370000-0x0000000001371000-memory.dmp

          Filesize

          4KB

        • memory/2808-163-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2808-141-0x0000000024160000-0x00000000241C2000-memory.dmp

          Filesize

          392KB

        • memory/2808-164-0x0000000024160000-0x00000000241C2000-memory.dmp

          Filesize

          392KB

        • memory/2864-161-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4636-140-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4636-24-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4636-3-0x0000000024010000-0x0000000024072000-memory.dmp

          Filesize

          392KB

        • memory/4636-66-0x0000000024080000-0x00000000240E2000-memory.dmp

          Filesize

          392KB

        • memory/4636-0-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB