Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-08-2024 20:19

General

  • Target

    cd8807dbdfa59786457e1dbfcc473746_JaffaCakes118.exe

  • Size

    822KB

  • MD5

    cd8807dbdfa59786457e1dbfcc473746

  • SHA1

    4960570494abff02eb1500228fb401e85137ec89

  • SHA256

    418d1476e7e4b5c964545709c37253a7e2c0ba0e6dc775771205bd308f55fa11

  • SHA512

    5661708014696e344c02a35295e4530b4bf0534de97f5ca5903257d3837194ebe2e6f63043e272bc6744f8a0f983f7eb940436ba1c7bbce9e42fb672bca06d19

  • SSDEEP

    24576:SALtwCc26uGi2VCHXSBzTaDMsAQRN5Ryn4qTU:fLWpYgBzsMsAQRN5qVY

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

C2

moustapha123.no-ip.info:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    explorer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3496
      • C:\Users\Admin\AppData\Local\Temp\cd8807dbdfa59786457e1dbfcc473746_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\cd8807dbdfa59786457e1dbfcc473746_JaffaCakes118.exe"
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3464
        • C:\Users\Admin\AppData\Local\Temp\cd8807dbdfa59786457e1dbfcc473746_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\cd8807dbdfa59786457e1dbfcc473746_JaffaCakes118.exe"
          3⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1864
          • C:\Windows\SysWOW64\install\explorer.exe
            "C:\Windows\system32\install\explorer.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:6784
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 6784 -s 620
              5⤵
              • Program crash
              PID:2416
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6784 -ip 6784
      1⤵
        PID:6968

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

        Filesize

        588KB

        MD5

        0fe77c7df1da831e2f6b04fd38c52ce9

        SHA1

        249e3a852d98ffd025e54628383b5b21ff8da30c

        SHA256

        c5e9937ac07e2527559869c4425f4ec3f1704d4ee47f1d460bae7461606018da

        SHA512

        76ef00cb7c1c93c332ae1bbbb087d8842343a37871d978a28b64589dac58bb30ad4e620e64a7466288a165b784ca9c9b909265879979eee3c771cbb7b70b01e4

      • C:\Users\Admin\AppData\Local\Temp\wki6DDD.tmp

        Filesize

        172KB

        MD5

        685f1cbd4af30a1d0c25f252d399a666

        SHA1

        6a1b978f5e6150b88c8634146f1406ed97d2f134

        SHA256

        0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

        SHA512

        6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

      • C:\Windows\SysWOW64\install\explorer.exe

        Filesize

        822KB

        MD5

        cd8807dbdfa59786457e1dbfcc473746

        SHA1

        4960570494abff02eb1500228fb401e85137ec89

        SHA256

        418d1476e7e4b5c964545709c37253a7e2c0ba0e6dc775771205bd308f55fa11

        SHA512

        5661708014696e344c02a35295e4530b4bf0534de97f5ca5903257d3837194ebe2e6f63043e272bc6744f8a0f983f7eb940436ba1c7bbce9e42fb672bca06d19

      • memory/1832-17-0x0000000010470000-0x00000000104CC000-memory.dmp

        Filesize

        368KB

      • memory/1832-1371-0x0000000002240000-0x00000000022B3000-memory.dmp

        Filesize

        460KB

      • memory/1832-0-0x0000000000400000-0x00000000004AB000-memory.dmp

        Filesize

        684KB

      • memory/1832-32-0x0000000000400000-0x00000000004AB000-memory.dmp

        Filesize

        684KB

      • memory/1832-1370-0x0000000000400000-0x00000000004AB000-memory.dmp

        Filesize

        684KB

      • memory/1832-10-0x0000000010410000-0x000000001046C000-memory.dmp

        Filesize

        368KB

      • memory/1832-6-0x0000000002240000-0x00000000022B3000-memory.dmp

        Filesize

        460KB

      • memory/1864-1390-0x00000000104D0000-0x000000001052C000-memory.dmp

        Filesize

        368KB

      • memory/1864-1389-0x0000000000400000-0x00000000004AB000-memory.dmp

        Filesize

        684KB

      • memory/1864-700-0x0000000000400000-0x00000000004AB000-memory.dmp

        Filesize

        684KB

      • memory/1864-1368-0x00000000104D0000-0x000000001052C000-memory.dmp

        Filesize

        368KB

      • memory/3464-687-0x0000000010470000-0x00000000104CC000-memory.dmp

        Filesize

        368KB

      • memory/3464-690-0x0000000000400000-0x0000000000473000-memory.dmp

        Filesize

        460KB

      • memory/3464-1385-0x0000000010470000-0x00000000104CC000-memory.dmp

        Filesize

        368KB

      • memory/3464-19-0x0000000001140000-0x0000000001141000-memory.dmp

        Filesize

        4KB

      • memory/3464-18-0x0000000001080000-0x0000000001081000-memory.dmp

        Filesize

        4KB

      • memory/3464-1427-0x0000000000400000-0x0000000000473000-memory.dmp

        Filesize

        460KB

      • memory/6784-1384-0x0000000002230000-0x00000000022A3000-memory.dmp

        Filesize

        460KB

      • memory/6784-1388-0x0000000000400000-0x00000000004AB000-memory.dmp

        Filesize

        684KB