Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-08-2024 18:27

General

  • Target

    9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe

  • Size

    457KB

  • MD5

    9b24f78266073aed6e00462cb31756e2

  • SHA1

    603e0d50a9b9464a0a7d70dd0bfb06191918ea6e

  • SHA256

    f8c4d7333771ba91143b8122fe3b8a20b624efc6f2ed9a9899bde7d025518433

  • SHA512

    3fe6b0af07cd3b4661c3d84003c5b6d644727ad2826e273875f9f01aad4bb8bfc7eef7f02087c0dd5aa5d5c64797721dabfddae6ce6bedb83969fc64c6c845fe

  • SSDEEP

    6144:2w9MMg9RwSjLLag2UmGaUtMulLE6raZIMHJJmVLxIyvTTYRP0mCiiggprtQglW+9:f9MblXeU7tMuMHrwLne8d/gopQgYxCm

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

six17.no-ip.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Svchost

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 6 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • UPX packed file (1 IoC)

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Drops file in System32 directory (6 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2616
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            PID:1696
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:992
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2384
              • C:\Windows\SysWOW64\Svchost\Svchost.exe
                "C:\Windows\system32\Svchost\Svchost.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2376
          • C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2644
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              4⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:776
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                  PID:1276
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1640
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 496
                    6⤵
                    • Program crash
                    PID:2252

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

          Filesize

          229KB

          MD5

          1ef6cae3f52a3803b36ca70da09bee3d

          SHA1

          4545b14691be5e189f9436a45d4ddd9dd7fa3609

          SHA256

          41c2b2fc8b65d8f67ac2174e31a7052b1657e5bf2ef16ef041d9d6d27cb4a608

          SHA512

          fd69aff563f36a2b073ccd41a09fc848a1c01a004ed2fdc626a348fafc6ab84e68c8679607e315e390337295c924dbe80e027c1bb7ea0e3b8ba7666b7e3fcf70

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          36dfbf131ba3ff7c4736971791bfef49

          SHA1

          884c0bf85e53466044ed59b5baf4535e9f033779

          SHA256

          b7d910bb0e94dd1949c5dc91cf75ca3189296f7e0252b5a4698455f7c0d5581f

          SHA512

          e48c7f7eda182326d933426d79bc0894d7fb54d43708f8b433f2f01eb2bb2eaa797c98457c7cd57cc0a5a345183d202ab1d0299cbe70d85cb5a2bc77c7b297f5

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          aed62ff7f1eb43cc7bd704a77e31a6de

          SHA1

          a20d88f3f92a90c1e747ccc22d8600ef0e52d3ea

          SHA256

          1833965030b64288cca4501015ef32170a8e466f6295c9cefd7aa1bccd61d70d

          SHA512

          61cf14e2203fbbdec1dd95536ff8c2477a16a9ae453071d832e4dcca8de0dca6681b223b06353d3e63874acf1031bda8437b5df2f7c98566b5f6d6c8f1a9ab12

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          5f6c13afd068c928787beb636113dc78

          SHA1

          0831889243db3e1c1b87956c1072c4236cf4c634

          SHA256

          01e42db04a65ff7c562f59792caeb270c98f6e9592411ad9700887336b6d8564

          SHA512

          bac1079546a9e6d015050619b1ce488a35b6db99f6656fda436500701e9f8b3e01bee9fbbfc36831f93be20fabd3b7eb43081129983ad54af57f5131a18afe4f

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          869d45962696e0352f66d0f591574fe5

          SHA1

          d913f212a5d09d393d588bf298d2a73df71af9e8

          SHA256

          09e9c87bb7066f646c49f2d0764bb3c8dfc2ca20b7088d0d8d168ed540971db3

          SHA512

          15c96dc0a6dee0c2d67b51edc681a6c5c9872606703b4d36b85bc2ae96a98224828ae05163172462173ee670e62414ff951a82ae0e53fba68ebed6a8cd9b8272

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          dd5fba7facbfd191b931badcdecb7727

          SHA1

          8657f65d03e939410a8da527384ced81fa1cda64

          SHA256

          5cbc5abb9e36da6dbdd017d45a00be4203fa545e368188910ddef0183b6f3962

          SHA512

          5a3005d6c1e8b4ed9d1dd918038df763e0f7f3ff815977be4c9841f48342e30c30283ae6b1e94beeb581b3577b129b0b6c3f350bea7c65ac01735ca49fb77959

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          493c08d0e3fa67f7cdb3b1ffa0cb29c9

          SHA1

          907694aea8da190c6593c191f245b6b152bb4eaa

          SHA256

          6fed762c249fd2d1257a67e60356b4ca5302123f678121810d97707831c89188

          SHA512

          23e47a7973ba96efb8ae2fc76f4c2a0ee1d2ab53fa979eaca143df2f006f27cb43943999be08eec5a435e78a07ba9b2aef1b4f1d4383140834081cb7cf7589e8

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          c12ae814b9a5edd761f86377f6c7d474

          SHA1

          2aa61eb93fdcd4e1442ccdde3dc5def2b17d65c0

          SHA256

          d7791a15872f8170b8c4e5df3db30c66214e905b94e13c23259b463034e2b588

          SHA512

          49a8651e7c82877f3695c1e0d98a36036453585a7fa0550216211bbc8e30f0a0608677fc027ffdb8ee7a807ef4a92317d6984c108f0877fbfffd70ea7d8566a0

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          41fecd568c4dac28e5ff48e988928a57

          SHA1

          b4c491986384f4c6ba3009bc7a4a93a46d4354f7

          SHA256

          0f081b0e5780789f81aa5b654013c9f5fb22868e93691d9f123d00a2d17897d9

          SHA512

          a671cda55af1f02f1744835f0d9e9b25c7dffe36cce56173ccdba1d07c6c8d8d7585aa0ca759af12c9a60cf26a102d442c5f0b963e0e6ed0bcfdd61398e45dd1

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          c257e217d724928b76da00c9cda7b0f5

          SHA1

          21b422486008cbaa20b2aa3a04950c29ef68029c

          SHA256

          5a6e3a319e85b25e69ff7f2cb1bd6792857f5be40fde8d5b9694dbaeea8f4cbf

          SHA512

          29335d79fca42f3c46079ab3e72b47957580e44b0da13bb1b28d3ff94bd2aef96d0a1cba6634cef391d29697af6b3071d5147ddf48f443eace98f75c501df4b4

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          ca978e5a2bcd715dbcc8573188ac48e4

          SHA1

          86c82ab3eb6c593928d9048b0eaf430d428defcd

          SHA256

          b4a4d6ed1b8df9d9b1185f6a83ff1b1746f7782d3584a4472dbb0e5024d88a9e

          SHA512

          999e444cabf21f25b0492edc2ce31d4f558a89efd45fa95a14d4345c0e52664a8c6429c364c521297184888f0a43c72c2aba6bed6be635e40ffb641ea56eebf1

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          a656477bd5db2fc9c4e65d45ee16cc7f

          SHA1

          eafe3b2d9ed43f0e2c9d21fc7036619015bbe345

          SHA256

          6e4dd3dbbd7c76cfa4ccc49e20929d609ddc9453d8e8c3c46586990d7e182caf

          SHA512

          f93c84d9f8f38b08c8f526c3dab4257ee3a3e1eb06df7fbc5f1c6a5521ce34995de75b541df7d6768243ce2895519bbd217e81dc9180b86c8252509496b23657

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          5177c8b800bcdaee8cf66fd3f7dea094

          SHA1

          6169d6a18c4ccf61a8599a239065a22900c918cf

          SHA256

          dd644ab1e1a764b3a749841d7d5d0cb7bafab606156e5955f219f980e582f9cc

          SHA512

          c06f579ceccb5bacc9d144b1edb7dd93a65b25bcffc211b44578971dd1335d153386042231f2e75ac6552f71ea917eabed0b0f4c6435f4117f684054fc51e79b

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          2f245389c3e668a492d46c115b1ca03f

          SHA1

          04e9fcab4f56ea96179ece0caa0099e98c0def25

          SHA256

          1dbe135a0cf338179e4cb2c7d13ce67ea1fac3657ac9f67d381eac454f0e855c

          SHA512

          cb4575d6924e78c60981aea2030db8ebbc89964a9fd1803ab5eaef32703fe68fa8e0f0945a324d4fe3f1d0a021bbcdc281adf051191d60257be72fc302c20ada

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          362b5a497c5c116edef43e8c5d961b54

          SHA1

          96697a8d25c8937441daba3ae06b9cc54fa673bd

          SHA256

          5f003b95e2a7074019011664b20bee944c311021f5d46c60e06b7b3471a440ae

          SHA512

          cbabecc176fb10fa20f143c711ec0889938d38c16324433fed6460b5c99b68ca9a853957db52a6dc90a694a7eb9e8cc627df6aa352c1a2ac3e7843ac42faa229

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          05d3eb2a0d519b83fa83286506c75284

          SHA1

          b03a49e991740cfb0330c0f29168361d8c8843e4

          SHA256

          1cbfd3f7f3de7b157451727de9389677d463993f7da32c628cfdcdede89765b4

          SHA512

          e8ea2d5bb67a7d5ced646a33ab9bfd16af2c4815d849b54822b54d522ff43440ee1c463811cd9a95776eb21e5842d44c713f59d661e845c8c78da1922c210dea

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          b761f1c19e4310b4a540afdd7cf57e96

          SHA1

          8490a06e916d87220701bd9178909b612daf6d5a

          SHA256

          f957e8ddadbc0a872a9cb1ea1b7843ee59563644d10f69d3035edf0592df77a2

          SHA512

          6b289e66fcbc7a07ea27dace57cc1bf31321bf88a2a2ca3b1b3daf16efd76b71c3c75f8ffeb6305873f76eaaabc88bc00ee05cf0a7a44ade3d6dbc8f25b59fcf

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          2dae94114460b7633790869e8f0edeb4

          SHA1

          b52df1b13adca9a3e7fff9b5f1b2e23c353c3737

          SHA256

          520b89a1fe113ce7072626f19a1073bf8acb8faaf488563541f06726d92f2a7b

          SHA512

          4bf1663dd8eca9d88dcf193f334edc18c637de31b2c73ef69ff775369088429f6ec7f1eae7f6771191d66f7b115220beedc38aedb75cf645b488d4a20c58b6db

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          de7bff1e2ad340d86d9f0180ceda104b

          SHA1

          b76a1f8db89e0de96aaf8f78022645f32ee33cc7

          SHA256

          6d12ca435830195d732ad4b6686e7342473cf6251b13f3a4b74df0c9b8fa2416

          SHA512

          83acbf5b4edb531f700b8e2237ce3beda6d2e61119b4d58306c8298e88ce700674ef4afe79e621bb8698ab3b202f41c10d5240c4ec492b6b109287142d1e06ce

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          46c6e91e6b8ea15209f5a1b897ab0868

          SHA1

          68f1d85a36e5dab2d559da3d5e2d4f3013ac7662

          SHA256

          b7239b980df9795fec9c200379e893b5f5fbcec906646158e64035988e4a7f87

          SHA512

          b430bcfaa050bdeb7ba825861d0a4a8ee219bee13ca90058fee66ffbf13f382e25ca94e6252a7e84e9e8898cad88a51705f2424ff912e8d98074e5495346650e

        • C:\Users\Admin\AppData\Roaming\logs.dat

          Filesize

          15B

          MD5

          e21bd9604efe8ee9b59dc7605b927a2a

          SHA1

          3240ecc5ee459214344a1baac5c2a74046491104

          SHA256

          51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

          SHA512

          42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

        • C:\Users\Admin\AppData\Roaming\zkHrWvUYWU.exe

          Filesize

          457KB

          MD5

          9b24f78266073aed6e00462cb31756e2

          SHA1

          603e0d50a9b9464a0a7d70dd0bfb06191918ea6e

          SHA256

          f8c4d7333771ba91143b8122fe3b8a20b624efc6f2ed9a9899bde7d025518433

          SHA512

          3fe6b0af07cd3b4661c3d84003c5b6d644727ad2826e273875f9f01aad4bb8bfc7eef7f02087c0dd5aa5d5c64797721dabfddae6ce6bedb83969fc64c6c845fe

        • C:\Windows\SysWOW64\Svchost\Svchost.exe

          Filesize

          1.1MB

          MD5

          34aa912defa18c2c129f1e09d75c1d7e

          SHA1

          9c3046324657505a30ecd9b1fdb46c05bde7d470

          SHA256

          6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

          SHA512

          d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        • memory/1192-18-0x00000000029B0000-0x00000000029B1000-memory.dmp

          Filesize

          4KB

        • memory/2284-0-0x0000000074841000-0x0000000074842000-memory.dmp

          Filesize

          4KB

        • memory/2284-1-0x0000000074840000-0x0000000074DEB000-memory.dmp

          Filesize

          5.7MB

        • memory/2284-1294-0x0000000074840000-0x0000000074DEB000-memory.dmp

          Filesize

          5.7MB

        • memory/2284-1293-0x0000000074840000-0x0000000074DEB000-memory.dmp

          Filesize

          5.7MB

        • memory/2284-2-0x0000000074840000-0x0000000074DEB000-memory.dmp

          Filesize

          5.7MB

        • memory/2616-940-0x0000000000400000-0x000000000044E000-memory.dmp

          Filesize

          312KB

        • memory/2616-17-0x0000000024010000-0x0000000024072000-memory.dmp

          Filesize

          392KB

        • memory/2616-7-0x0000000000400000-0x000000000044E000-memory.dmp

          Filesize

          312KB

        • memory/2616-6-0x0000000000400000-0x000000000044E000-memory.dmp

          Filesize

          312KB

        • memory/2616-5-0x0000000000400000-0x000000000044E000-memory.dmp

          Filesize

          312KB

        • memory/2616-4-0x0000000000400000-0x000000000044E000-memory.dmp

          Filesize

          312KB

        • memory/2644-10-0x0000000074840000-0x0000000074DEB000-memory.dmp

          Filesize

          5.7MB

        • memory/2644-8-0x0000000074841000-0x0000000074842000-memory.dmp

          Filesize

          4KB

        • memory/2644-9-0x0000000074840000-0x0000000074DEB000-memory.dmp

          Filesize

          5.7MB

        • memory/2644-1296-0x0000000074840000-0x0000000074DEB000-memory.dmp

          Filesize

          5.7MB

        • memory/2644-1295-0x0000000074840000-0x0000000074DEB000-memory.dmp

          Filesize

          5.7MB