Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-09-2024 00:00

General

  • Target

    ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe

  • Size

    440KB

  • MD5

    ce33866944eeda1ad36b78d9939ae3bb

  • SHA1

    d19bbee5a0a9c0e94bd43073ffe9c9d44f460d44

  • SHA256

    34c53ca48436162aa4fcffcd516ac8a096eeacfae7703f3c1b512a600a7e9136

  • SHA512

    4a1facf23ec6529623810338c810b26be61404fafd6102d3088a18a955810ef2c352626176a762f7dc5b29da35d0d65cb0a7cb91f70eb1f99a3e90674a584b5a

  • SSDEEP

    12288:LBF9a2BpCEHjmaJHN6TOjGvXP3Y6F+lBt:FFUCpti+t6TD/3Y6cl

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

vítima

C2

mzagy-mncy.zapto.org:83

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    win.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ce33866944eeda1ad36b78d9939ae3bb_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Users\Admin\AppData\Local\Temp\7AED.tmp
      C:\Users\Admin\AppData\Local\Temp\7AED.tmp
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Users\Admin\AppData\Local\Temp\7AED.tmp
        "C:\Users\Admin\AppData\Local\Temp\7AED.tmp"
        3⤵
        • Executes dropped EXE
        PID:1696
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 188
          4⤵
          • Program crash
          PID:4992
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1696 -ip 1696
    1⤵
      PID:4740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7AED.tmp

      Filesize

      325KB

      MD5

      1e6f5f4c728275d50f8054a1594e1b9a

      SHA1

      0f725131651633dde3f5fccf1c061a153c98f7a0

      SHA256

      d423b4fc200fe5d97276e332e3fb3ea13b38a727ea20b3fb434e3a7258069a78

      SHA512

      aa39535c82518cdb42cb0c2903a3c318e4cfb3eec53989d6034e21ecc9b06f49b27d215983389889f581c2cd809ac7107f1b7d359c9f16c8bbb8d76c185d6a8f

    • memory/1080-0-0x0000000000400000-0x000000000046F000-memory.dmp

      Filesize

      444KB

    • memory/1080-9-0x0000000000400000-0x000000000046F000-memory.dmp

      Filesize

      444KB

    • memory/1696-8-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB