Analysis
  Max time kernel: 140s
  Max time network: 120s
  Platform: windows7_x64
  Resource: win7-20240729-en
  Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  Submitted: 06-09-2024 00:00
  Static task: static1
  Behavioral task: behavioral1
  Sample: ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe
  Resource: win7-20240729-en
General
  Target: ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe
  Size: 440KB
  MD5: ce33866944eeda1ad36b78d9939ae3bb
  SHA1: d19bbee5a0a9c0e94bd43073ffe9c9d44f460d44
  SHA256: 34c53ca48436162aa4fcffcd516ac8a096eeacfae7703f3c1b512a600a7e9136
  SHA512: 4a1facf23ec6529623810338c810b26be61404fafd6102d3088a18a955810ef2c352626176a762f7dc5b29da35d0d65cb0a7cb91f70eb1f99a3e90674a584b5a
  SSDEEP: 12288:LBF9a2BpCEHjmaJHN6TOjGvXP3Y6F+lBt:FFUCpti+t6TD/3Y6cl
Malware Config
Extracted
  Family: cybergate
  Version: 2.7 Beta 02
  Botnet ID: vítima (Portuguese: "victim")
  C2: mzagy-mncy.zapto.org:83 (zapto.org is a No-IP dynamic DNS domain, so the address it resolves to can change between runs; block or watch the hostname, not a single IP)
  Mutex: ***MUTEX***
  Attributes:
    enable_keylogger: true
    enable_message_box: false
    ftp_directory: ./logs/
    ftp_interval: 30
    injected_process: explorer.exe
    install_dir: install
    install_file: win.exe
    install_flag: true
    keylogger_enable_ftp: false
    message_box_caption: texto da mensagem (Portuguese: "message text")
    message_box_title: título da mensagem (Portuguese: "message title")
    password: abcd1234
    regkey_hkcu: HKCU
    regkey_hklm: HKLM

Reading the config: the keylogger is enabled but FTP upload of its logs is not (keylogger_enable_ftp: false), and the message box is disabled, so the two Portuguese strings appear to be untouched builder placeholders. The configured persistence (install_dir "install", install_file win.exe, HKCU/HKLM keys) and injection into explorer.exe do not show up in the signatures below: the only injection observed in this run is E502.tmp into a second copy of itself, and that copy crashed (see "Program crash"), so the run appears not to reach the installed-payload stage. Treat win.exe, the "install" directory and the C2 hostname as hunting indicators derived from the config rather than as behaviour confirmed by this report.
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  1376  E502.tmp
  2116  E502.tmp

Loads dropped DLL (7 IoCs)
  PID   Process                                             Rows
  1384  ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe  2
  1376  E502.tmp                                            1
  1732  WerFault.exe                                        4

Suspicious use of SetThreadContext (1 IoC)
  PID 1376 (E502.tmp) set the thread context of PID 2116 (E502.tmp, procid_target 32).

Program crash (1 IoC)
  WerFault.exe (PID 1732) handled a crash in PID 2116 (E502.tmp, procid_target 32).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs; ATT&CK T1614.001)
  Attempts to gather information about the victim's system language in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe
    by E502.tmp
    by E502.tmp

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1384 (ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe)
  SetWindowsHookEx is the usual user-mode primitive for installing a keyboard hook, which is in line with the enable_keylogger: true setting in the extracted config.

Suspicious use of WriteProcessMemory (14 IoCs)
  Source PID  Source process                                      Target PID  procid_target  Rows
  1384        ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe  1376        31             4
  1376        E502.tmp                                            2116        32             6
  2116        E502.tmp                                            1732        33             4

How to read the three groups: the 1376 -> 2116 writes are paired with a SetThreadContext on a child that runs the same image (E502.tmp), which is the write-then-redirect-execution sequence used for process hollowing / self-injection, and is the row worth acting on. The 1384 -> 1376 writes are a parent writing into a child it has just created, which on its own is weak evidence. The 2116 -> 1732 writes come from the crashing process handing off to WerFault.exe and are expected noise rather than injection.
Processes
  C:\Users\Admin\AppData\Local\Temp\ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe  (PID 1384, level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\E502.tmp  (PID 1376, level 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\E502.tmp
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\E502.tmp  (PID 2116, level 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\E502.tmp"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WerFault.exe  (PID 1732, level 4)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 120
          - Loads dropped DLL
          - Program crash
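The report lists the injection-related calls one row at a time; correlating them is what turns "wrote to memory of" into a finding. The following Python is an added example, not code from the sandbox report or its vendor: it parses event lines of the report's shape (constructed here to mirror a subset of the rows above), flags a process-hollowing candidate only where a parent both wrote into a child and set its thread context, and lists the images that read the NLS\Language key (ATT&CK T1614.001). The PROCESSES map is taken from the process tree above; the function names and the line format are illustrative assumptions, not a sandbox API.

```python
"""Correlate sandbox per-call IoCs into findings.

Added example, not code from the sandbox report. The event lines below are
constructed to mirror the report's "wrote to memory of" / "set thread context
of" / "Key opened" rows; PROCESSES is taken from the report's process tree.
"""
import re
from collections import defaultdict

SAMPLE = "ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe"

# Constructed events (a subset of the report's rows, same wording).
EVENTS = f"""\
PID 1384 wrote to memory of 1376 1384 {SAMPLE} 31
PID 1384 wrote to memory of 1376 1384 {SAMPLE} 31
PID 1376 wrote to memory of 2116 1376 E502.tmp 32
PID 1376 wrote to memory of 2116 1376 E502.tmp 32
PID 1376 set thread context of 2116 1376 E502.tmp 32
PID 2116 wrote to memory of 1732 2116 E502.tmp 33
Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language {SAMPLE}
Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language E502.tmp
"""

# pid -> image name, from the process tree in the report
PROCESSES = {1384: SAMPLE, 1376: "E502.tmp", 2116: "E502.tmp", 1732: "WerFault.exe"}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\d+)")
KEY_RE = re.compile(r"Key opened (\S+) (\S+)")


def parse_events(text):
    """Split event lines into memory writes, thread-context changes and key opens."""
    writes = defaultdict(int)  # (src_pid, dst_pid) -> number of WriteProcessMemory rows
    ctx = set()                # (src_pid, dst_pid) pairs with a SetThreadContext row
    keys = defaultdict(set)    # registry path -> image names that opened it
    for line in text.splitlines():
        if m := WPM_RE.match(line):
            writes[(int(m[1]), int(m[2]))] += 1
        elif m := STC_RE.match(line):
            ctx.add((int(m[1]), int(m[2])))
        elif m := KEY_RE.match(line):
            keys[m[1]].add(m[2])
    return writes, ctx, keys


def hollowing_candidates(writes, ctx, processes):
    """Parent wrote into a child AND redirected its thread context: the
    process-hollowing sequence. Writes alone (a parent staging a child, or a
    crashing process handing off to WerFault.exe) are deliberately not reported."""
    findings = []
    for src, dst in sorted(ctx):
        if writes.get((src, dst), 0) == 0:
            continue
        findings.append({
            "parent": src,
            "child": dst,
            "writes": writes[(src, dst)],
            # same image on both sides is the self-injection variant seen in the report
            "same_image": processes.get(src) == processes.get(dst),
        })
    return findings


def language_discovery(keys):
    """Images that read the NLS\\Language value (ATT&CK T1614.001)."""
    hits = set()
    for path, images in keys.items():
        if path.upper().endswith(r"\NLS\LANGUAGE"):
            hits |= images
    return sorted(hits)


def analyze(text=EVENTS, processes=PROCESSES):
    """Return (hollowing findings, images doing language discovery)."""
    writes, ctx, keys = parse_events(text)
    return hollowing_candidates(writes, ctx, processes), language_discovery(keys)


if __name__ == "__main__":
    hollow, lang = analyze()
    for f in hollow:
        print(f"hollowing candidate: {f['parent']} -> {f['child']} "
              f"({f['writes']} writes, same image: {f['same_image']})")
    print("language discovery by:", ", ".join(lang))
```

Run against the constructed rows, only the 1376 -> 2116 pair is reported: the 1384 -> 1376 and 2116 -> 1732 writes have no SetThreadContext beside them and drop out, which is the filtering a triage rule should apply before paging anyone on a WriteProcessMemory hit.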
Network

MITRE ATT&CK Enterprise v15
  Discovery: T1614.001 System Location Discovery: System Language Discovery (see Signatures)
Downloads
  Dropped file
    Filesize: 325KB
    MD5: 1e6f5f4c728275d50f8054a1594e1b9a
    SHA1: 0f725131651633dde3f5fccf1c061a153c98f7a0
    SHA256: d423b4fc200fe5d97276e332e3fb3ea13b38a727ea20b3fb434e3a7258069a78
    SHA512: aa39535c82518cdb42cb0c2903a3c318e4cfb3eec53989d6034e21ecc9b06f49b27d215983389889f581c2cd809ac7107f1b7d359c9f16c8bbb8d76c185d6a8f