Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-08-2024 09:15

General

  • Target

    ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe

  • Size

    325KB

  • MD5

    ca8d5059de6edbdb4b0ddc061f6cf8fd

  • SHA1

    f67fd864383c55c42af4d5de17380cac755856e6

  • SHA256

    a354500c53b0042e32b9a331375eee6a572154589f9301fe827db5fc1e71d2b5

  • SHA512

    fbd633d5967b9189286b40c5f58a6338ce4a2b68544c422992f2ece8870f4771c9d72768995855604d966af18be34723db2f5f2e5a194ad89335d5dc78aa6935

  • SSDEEP

    6144:oNP9SQWPwhsDeJf9I23kJIs6R7XERVt06pkcOrpjFIZzRyKjg+eD+q:UMQwDihUswV66a6ZznU+eD+q

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

shootersiker.no-ip.org:1604

Mutex

wqt3532562345413

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_file

    nsrss.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe"
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Deletes itself
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1684
            • C:\Windows\SysWOW64\nsrss.exe
              "C:\Windows\system32\nsrss.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2508
              • C:\Windows\SysWOW64\nsrss.exe
                "C:\Windows\SysWOW64\nsrss.exe"
                6⤵
                • Executes dropped EXE
                PID:1828

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      229KB

      MD5

      393157b7ce52c73c01291007e2fafb2f

      SHA1

      b2955687957d4f187dcf6b3ced1aac7abac1f768

      SHA256

      ce58c30733cb710eb25fd69b8cb3d584e166cfd63f9b360457344803edf04376

      SHA512

      000b56341474637a19ef67d3e23af6e9e3ed6a1b9fac3dbdc347c2b0ba50ffad0b7c8b2ae0141d7ac558921abaaaedf8a0f1f9e44e5891c9ac32cffa8ad2da7f

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      bf513bc785ef1808a10cac4c64f955e0

      SHA1

      7c98f8b52ff467425bb6c48904e6fe125721ebe8

      SHA256

      6b98cca18b74278a305a40b3f21282824f92e3c6e94b306de5d06a0474de3bd9

      SHA512

      2641afda0912b02b82cd41974d09b97175fb8e7fa57b51c136148a8f8df0f93abb418fc2eea283007108a8eeb7802e1a19c5cd3ca6dbc211089ca9daf23ef8f2

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      e91804b34ca4422ad1dd973627c2a3d9

      SHA1

      0ffb7dd2577dfc0b6697ed86ddb4d97f6b97aece

      SHA256

      c50a35a17b293612cb2c9d3946779cc6526f1103fd37cb4cd70131fbe005c025

      SHA512

      90ffce6cc17103d33e8ece0d43f43f102c503af92b081e9fc668752cc84862182716b5daa6a87bcf7d6ec02c073a01d9ed9478244aaa2cf9dc174381d7518cfa

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      702e8d773193557d8f96db4a9e80c2a9

      SHA1

      be2222ae26b652c1ec454c292cda9bc0bec477d9

      SHA256

      6f0d0851223023e332fc417f2b7d822c0413d1d292daebad8a2671de461e23d2

      SHA512

      08a251e0a74f97c86d5bc0accf3547c9f4f2be2ccafd271f0de0a73a8d6e20cbc9035e651cb3ea1433a048da6c5c83aafc501f578432d3b96593908359031b87

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      c76edcc2b6543b874b3773da24716b11

      SHA1

      90ad8be66ffd5db9ac5d1e7f3b2d736fa717d46d

      SHA256

      e6f99d402bf50dac9026ecad19d50ba1baa347e3d234c0ce98b002a3abcaf8ba

      SHA512

      f7fe1e99177ed59730b0295dfaaf587dedd2e9338c0c65a5240a848df3f3581c74e6c18d87b2a1f4c9baf3841aa083f582d3339eb874ed42f6657802689f322c

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      10ef5202fdaf9785fb9067e51b880f1a

      SHA1

      91072080b8608a3e9326255a946624ca292a0da6

      SHA256

      830a9e8ea585d3fb4663e0bb11d5b3e22037a770d5300ab0eccc7088138e8a29

      SHA512

      df7688611a0e5a6357a72803f8d94bfd112a55812caf5f34e070aed9a4444a3aab63e41b6432f842fa186cd87962effa56da23884b556656d31531dd92dd7e8a

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      15895d1d7189d31cad1125c2e97b7250

      SHA1

      ae8f60d405de5d2390c2a00c912d55625886e8e9

      SHA256

      2b3c0e6f602a9b7dd2ff66d4780b8576f99454b760c56be2540b814b6c12e52d

      SHA512

      876cd804f7858fe2c4b336c71fa8d24a6b2f5f0a3414b211acad50b46e454b90cbff13c509fa22b52d199fd45376aef57a3caa4df1a6a41544bfef0137b64baf

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      4b0eaf11ac9c4698a99f7d40f833be62

      SHA1

      7c3e2d5e0e84fd43095c9202aa19d95e8951ea9f

      SHA256

      4151392f2b0398656de024ffd8698743d1207495dea6e7a1969a416928f4212d

      SHA512

      d08c1f9e66ee7209d082d2c067a4db0f765db14c8c3b32bbad8edf8ccd6692c00c5a3cf0c3de3829378e398b10b127c8b37313361c7991e13853bf77a6bf5876

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      78cfa64d2b16820f6fc72ffa903325ea

      SHA1

      16df7e4845fa774d60f271fbb2fc9e684377ebd3

      SHA256

      6f56e64d01ea179942d5d289b4d1e9dd58dc1811bf9900f436d16b27d7f5da84

      SHA512

      c03a975c2b59a9a1851727ac69e4fc7a89272409ba7eb2d86e1239196f904aa05cf23549c8ee3b8738b52c2c101855534a41d3f2c83b2bff928aeea81bb745d7

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      c26be120589db1366709e88195d68081

      SHA1

      e11604be1445f93bd32d282530d32d2a78aab9fa

      SHA256

      5ee3c809af27629e71062c82b170f7b867165d80f8558a87d61c134eba5a8888

      SHA512

      ab9dd889ce450b0b46c5f7ef6427dfe8f2806e511ab04ba616057c0dd260ded333ddbac6da4f4ff0c511c045b2bafc876a2c7a1b638285bec957701427b4fc8f

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      14c6f80810acb34de9caa111c343d83e

      SHA1

      54fe766bbcfe44567156c1e3061ee310cf1825d8

      SHA256

      da51a4e4faf65a8c46cd549010fcfe445f9072cfd0d4ca30e34987bb36ff4e80

      SHA512

      22e2a95432533412b3bbe562e9fec2a794c4da22a6b736373726c8bfaaffcb7c25e31b141185136428cacbc3c8a23470e1bc8627466734c21947a75dd3a192fc

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      f8b532c82bb52c0e1bc854f72057a459

      SHA1

      af518d8fc1f8d00d77f45976a28560d5eafd4b5e

      SHA256

      64c73c7e4e0aa70a596811b12d0ff7a1b2d393eecdffa5688bfd70fb83e28979

      SHA512

      929981224607ef40bcfc1825924ed58e89140fea5370fdf176c60f22281dda775e1187f73c8355d18c1cd74654bba94aac98aee9c00a072c35ec6e3a04d6f2a4

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      98304bd3431be54ec811188f50ab0927

      SHA1

      102a72f16a5f49f323ff7fde1338fdfa3a406958

      SHA256

      5a58111ca6e1a912c7e5a9f50c3ff29e8010d09deb8e59667ad20c5e2ded32f3

      SHA512

      f233e707e9df3bee23b7a1b03efcf985c968dc40b634068e92ac64b35015bfcd5c0299fae32917f9b8cae9280ec620bea1c3a25ffc7801c1b5d58ece8498ae48

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      0fc0b10c0bd281f6226143294a420c48

      SHA1

      d23778b73db06539ee21fde25c4d06cb6d0844ba

      SHA256

      9089c056a63947af75ef97bc3272d698378d1ae1e91f13794f4e0e23317eb785

      SHA512

      c63ac800b27ef10374ff966863a5f9d2869dd51f08ec2e46849c7d6c972522b8a1395e190177be3b554df99bd44e52026dd1ad372766b04b312db4410c15d0bb

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      55e7f3cd358c283447bc8b147859f676

      SHA1

      489063f595a95a70bca85eb507ed8f6b33bd45ef

      SHA256

      dc753f563c2302188dd0a2419fdad98bdd8e204173b00e08da2ab5795975b404

      SHA512

      e22afdea51d7691e8f9699c76867399a4d48c977d530654f0d786ade196e73edf0ea5f6b7935c1c81238b2e52b16303b879b196ebf945771777db2f4f207feb9

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      b329a93c612e8cf1aaedc6f1c80e3aa0

      SHA1

      f622566c5c85490ef3f199674bf8223a689abd3d

      SHA256

      c0cbafee0ebdc35ea8e20669430fc8e7a291eaad91d6a7e00fc3e6b96ff91177

      SHA512

      8b295866b4cdf6accb468dc7ead8384cf034c49cf1f501cb9d58cc6d1081d721af5f2b03f54cec9a51258b3b1574ca8697c2ac92e2bc880ac3540fef7164a863

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      a60234668320b277e22d0644c79f2e42

      SHA1

      572f9121dcf377edb8a4559438117a1b6ecaa593

      SHA256

      bbe00d819f82b56f12afeb7d34fd1e640db65a3ff9869ed8210d5d9eb0f7e850

      SHA512

      9ba0d8a17541682cc8fd40adddf44c62a861c7c774cabe57ad3e3f1fd75a7d50730e934d240f1abce5ecd4496e99926e21243e0cacf6ad700cf53a9e3a06180b

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      42f1d5b978fd46033faa4532f54c9160

      SHA1

      4b0a56aec3d1de5d2d8f6200226c40d5756e7d19

      SHA256

      3bff3af5e9848499239ae7f038f258b0475d277e4bf709d0983e1bc57b66ee6a

      SHA512

      b9f9925d10fdb6cc7a35016e936be245f89e81b5e6863fb769446cd6b43f8db376b87d1cbe93df75cd2ac224d0ae8af0d7207f6ea7f0bcec8a1f23bb40a72707

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      54969670862de186d2981b6bef509e5d

      SHA1

      faa0e023b20aa34f2ba362efb383e9ca3c467756

      SHA256

      d572f17066d4e84f225ff62588415e60ad688bf627608de5a1df600aed84bf9c

      SHA512

      fe64701cf68e4e77f844f3cf9b15dcd26780863d9844f3fc807ce06209d878c17383e37ef6d33be2f78207b4b5982c76bc1630966acd89741261b9db32e26ac2

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      89eef747891ad5ea24ba3742c5d8756a

      SHA1

      17369a210330052365d905489a76874c6ac89b80

      SHA256

      95a1ebdd4e7484f04e673385d0bd32b1299ccb500ad7633d51666a2be4e579dc

      SHA512

      cfb6a06aa1f9f388d2439058f87e1fe17906d851e7e9e92b8801a33b38bf52dccb2aa5d5d367408e2741d8bd5693a7eff90379a9ce27ff98786a6e7b4d198a4b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1385883288-3042840365-2734249351-1000\88603cb2913a7df3fbd16b5f958e6447_0b857b27-3438-41f8-a27a-43f96d095be3

      Filesize

      51B

      MD5

      5fc2ac2a310f49c14d195230b91a8885

      SHA1

      90855cc11136ba31758fe33b5cf9571f9a104879

      SHA256

      374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092

      SHA512

      ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

    • C:\Users\Admin\AppData\Roaming\logs.dat

      Filesize

      15B

      MD5

      e21bd9604efe8ee9b59dc7605b927a2a

      SHA1

      3240ecc5ee459214344a1baac5c2a74046491104

      SHA256

      51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

      SHA512

      42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

    • C:\Windows\SysWOW64\nsrss.exe

      Filesize

      325KB

      MD5

      ca8d5059de6edbdb4b0ddc061f6cf8fd

      SHA1

      f67fd864383c55c42af4d5de17380cac755856e6

      SHA256

      a354500c53b0042e32b9a331375eee6a572154589f9301fe827db5fc1e71d2b5

      SHA512

      fbd633d5967b9189286b40c5f58a6338ce4a2b68544c422992f2ece8870f4771c9d72768995855604d966af18be34723db2f5f2e5a194ad89335d5dc78aa6935

    • memory/1196-14-0x0000000002E10000-0x0000000002E11000-memory.dmp

      Filesize

      4KB

    • memory/1684-259-0x00000000000E0000-0x00000000000E1000-memory.dmp

      Filesize

      4KB

    • memory/1684-571-0x0000000003860000-0x0000000003879000-memory.dmp

      Filesize

      100KB

    • memory/1684-586-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

    • memory/1684-550-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

    • memory/1684-1514-0x0000000003860000-0x0000000003879000-memory.dmp

      Filesize

      100KB

    • memory/1684-257-0x00000000000A0000-0x00000000000A1000-memory.dmp

      Filesize

      4KB

    • memory/1684-1513-0x0000000003860000-0x0000000003879000-memory.dmp

      Filesize

      100KB

    • memory/2508-583-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

    • memory/2508-574-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

    • memory/2712-0-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

    • memory/2712-1-0x0000000000020000-0x0000000000023000-memory.dmp

      Filesize

      12KB

    • memory/2712-10-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

    • memory/2836-548-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/2836-8-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/2836-7-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/2836-6-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/2836-9-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/2836-13-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

    • memory/2836-320-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB