Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    06-09-2024 00:00

General

  • Target

    ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe

  • Size

    440KB

  • MD5

    ce33866944eeda1ad36b78d9939ae3bb

  • SHA1

    d19bbee5a0a9c0e94bd43073ffe9c9d44f460d44

  • SHA256

    34c53ca48436162aa4fcffcd516ac8a096eeacfae7703f3c1b512a600a7e9136

  • SHA512

    4a1facf23ec6529623810338c810b26be61404fafd6102d3088a18a955810ef2c352626176a762f7dc5b29da35d0d65cb0a7cb91f70eb1f99a3e90674a584b5a

  • SSDEEP

    12288:LBF9a2BpCEHjmaJHN6TOjGvXP3Y6F+lBt:FFUCpti+t6TD/3Y6cl

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

vítima

C2

mzagy-mncy.zapto.org:83

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    win.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\E502.tmp
      C:\Users\Admin\AppData\Local\Temp\E502.tmp
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\E502.tmp
        "C:\Users\Admin\AppData\Local\Temp\E502.tmp"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 120
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\E502.tmp

    Filesize

    325KB

    MD5

    1e6f5f4c728275d50f8054a1594e1b9a

    SHA1

    0f725131651633dde3f5fccf1c061a153c98f7a0

    SHA256

    d423b4fc200fe5d97276e332e3fb3ea13b38a727ea20b3fb434e3a7258069a78

    SHA512

    aa39535c82518cdb42cb0c2903a3c318e4cfb3eec53989d6034e21ecc9b06f49b27d215983389889f581c2cd809ac7107f1b7d359c9f16c8bbb8d76c185d6a8f

  • memory/1384-0-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/1384-21-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/1384-23-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/2116-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2116-16-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB