Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-09-2024 00:00
Static task: static1
Behavioral task: behavioral1
Sample: ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe
Size: 440KB
MD5: ce33866944eeda1ad36b78d9939ae3bb
SHA1: d19bbee5a0a9c0e94bd43073ffe9c9d44f460d44
SHA256: 34c53ca48436162aa4fcffcd516ac8a096eeacfae7703f3c1b512a600a7e9136
SHA512: 4a1facf23ec6529623810338c810b26be61404fafd6102d3088a18a955810ef2c352626176a762f7dc5b29da35d0d65cb0a7cb91f70eb1f99a3e90674a584b5a
SSDEEP: 12288:LBF9a2BpCEHjmaJHN6TOjGvXP3Y6F+lBt:FFUCpti+t6TD/3Y6cl
Malware Config
Extracted
Family: cybergate
Version: 2.7 Beta 02
Botnet: vítima
C2: mzagy-mncy.zapto.org:83
Mutex: ***MUTEX***
Attributes:
  enable_keylogger: true
  enable_message_box: false
  ftp_directory: ./logs/
  ftp_interval: 30
  injected_process: explorer.exe
  install_dir: install
  install_file: win.exe
  install_flag: true
  keylogger_enable_ftp: false
  message_box_caption: texto da mensagem
  message_box_title: título da mensagem
  password: abcd1234
  regkey_hkcu: HKCU
  regkey_hklm: HKLM
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   Process
    2880  7AED.tmp
    1696  7AED.tmp
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                              pid   Process   procid_target
    PID 2880 set thread context of 1696      2880  7AED.tmp  86
- Program crash (1 IoC)
  Processes:
    pid   pid_target  Process       procid_target
    4992  1696        WerFault.exe  86
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                            Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    7AED.tmp
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   Process
    1080  ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   Process                                             procid_target
    PID 1080 wrote to memory of 2880   1080  ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe  82
    PID 1080 wrote to memory of 2880   1080  ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe  82
    PID 1080 wrote to memory of 2880   1080  ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe  82
    PID 2880 wrote to memory of 1696   2880  7AED.tmp                                            86
    PID 2880 wrote to memory of 1696   2880  7AED.tmp                                            86
    PID 2880 wrote to memory of 1696   2880  7AED.tmp                                            86
    PID 2880 wrote to memory of 1696   2880  7AED.tmp                                            86
    PID 2880 wrote to memory of 1696   2880  7AED.tmp                                            86
Processes
C:\Users\Admin\AppData\Local\Temp\ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe"
  PID: 1080
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\7AED.tmp
    Command line: C:\Users\Admin\AppData\Local\Temp\7AED.tmp
    PID: 2880
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7AED.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\7AED.tmp"
      PID: 1696
      - Executes dropped EXE
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 188
        PID: 4992
        - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1696 -ip 1696
  PID: 4740
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 325KB
MD5: 1e6f5f4c728275d50f8054a1594e1b9a
SHA1: 0f725131651633dde3f5fccf1c061a153c98f7a0
SHA256: d423b4fc200fe5d97276e332e3fb3ea13b38a727ea20b3fb434e3a7258069a78
SHA512: aa39535c82518cdb42cb0c2903a3c318e4cfb3eec53989d6034e21ecc9b06f49b27d215983389889f581c2cd809ac7107f1b7d359c9f16c8bbb8d76c185d6a8f