Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-09-2024 08:22

General

  • Target

    d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe

  • Size

    578KB

  • MD5

    d9f3a19b955bdabcd81903883dec4dc3

  • SHA1

    2b38c3f09ea23445a4dcc33453a2ce22f5110590

  • SHA256

    d9faf6bdd1e24143662056d75b3e13539825fc9e62bf29ade39dd1747f1d4ddf

  • SHA512

    0ebdad522b07c3b9038fc229ec0fec5497f7666851dbadfb3188ebd69f91cc34853e14796c9364fa21af4dcc1b7b8aeaabd98e01ee60b5f4714da3c13ec244f6

  • SSDEEP

    12288:1+jkkdatIWuI1kfgjdtA5Z0mZjb36T3HKIS2:10kkdaOXgjMzZjbeHK52

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

jdbutler331.no-ip.biz:200

Mutex

471H1222U62R18

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    appdata

  • install_file

    explorer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    1234456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe"
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2508
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1796
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2396
            • C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe"
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2432
              • C:\Windows\SysWOW64\appdata\explorer.exe
                "C:\Windows\system32\appdata\explorer.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:2416
                • C:\Windows\SysWOW64\appdata\explorer.exe
                  "C:\Windows\SysWOW64\appdata\explorer.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:2292

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

        Filesize

        224KB

        MD5

        026df7c729126df7a7b706386ca92eab

        SHA1

        777abedfd66330964f1bba9789fa23f02aa84855

        SHA256

        2edaf62d38f5e7a8022df47bb055a4346e275296426e571c4749ce26157ecf99

        SHA512

        16ccda88a3742995ae03522556303e356a20e14f847e7a05c0350f8856565aa82c812f711c26fd776780f76f3af24fd8ddcd2b2640ad2a4f7a0fde562fd3705e

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        7c541da56020dc7790de744021f478b4

        SHA1

        416fb273320c680281370dc934b74595d3fa1196

        SHA256

        66301f94945be8015edaab8230a74af468c6a749fb19a6651fc5a83b553d51ea

        SHA512

        de0c42347d6aaf10370f16d736ef7e2cbea8e24d01c2206ccba73916bbb4b0d1f52d156a6ea161029798771482fe0a18e8c5e1305beae63d7a7aa93838d58a0e

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        1bbbcea4debb0463743d34c247bc7002

        SHA1

        1b398cf5872ee854741f7f482740b10818197e44

        SHA256

        ade66a66309d38994ce884245704a367b243a1b1070a8768811430892ee890cc

        SHA512

        fe688f6ee090f079aa1b469a2be702c285fcae5815cf26b699b1786af0ab2a9722e0bdd0a0a90027eca8640f5a8c3259eba47cd014ef6e65804192ae89c4abdb

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        d9df9ebf4d6475ea0e70658fe622915e

        SHA1

        256e7ceea87e624d90de30d70f8d1900e9d5a421

        SHA256

        2b410773bf49255ebac2df449155d3d2d5e20b8a92c9a5ef6e9dd12ad3b808cc

        SHA512

        a02a5d5c4491dcfc7acb7345123644fc1615f2d18f53863af29a274df0914a7dafe76af0fe48de7ea04cb0f1c4f2f7f3656d4ff714d7915ebe28bd54dbc81d78

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        51e1bb1dfb59d46e4a4edaf03dd6149e

        SHA1

        fe4975243fdcb13d75e7890b875f5ed017134f86

        SHA256

        363fd11c481d74f3ad7be6a6cff16d29c3f27c8d3fd01f92c2ee979d11d3ee4f

        SHA512

        dd95c655ab2fdb54fc753e94d90401a8266333d78793779ba9b3a7dc7765ecff4f3a7589d9c72f09aeaf2213690708aa0756a3a81c23106821af08c331f74eed

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        7a95aa81c224ceeb7466dba040dedd41

        SHA1

        e8ccdf28f76734d451e21731e3606aa049a821b9

        SHA256

        69522e503ee2a10d3289169bae3ffc344f851f8a7104cf9dddb7b50e4b98506c

        SHA512

        72fe0140709b8b93623ddfe291090bc672b1d564c2f80928b21deefa4574e9a8b6e7d83aca018ffa1abfef4934b8b531f03702dd9ccbbb3af9b0fb4c40e1195d

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        1b50442877aefe12960719335d536364

        SHA1

        b924dca4d71521a2cf054be0d2fcf6d11b00bca0

        SHA256

        76f1adfa19c734a97b5c52e203d6eae0c1e6486296667fe870564901be10b34b

        SHA512

        5ba7b156b743ca9b06bffbb09d59896ceee889d35aeed5da213fc229b1c79cced8ba2ac11913dc296ec83e3874241904edb5b886ffb022dc80676b9250e96019

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        dd6eeaeeee31a44aa53b60d509ef1907

        SHA1

        6ab93e261b5baefdd97fff995f003f6717a3950d

        SHA256

        e1700f29024752f226c9ceeb16dd5e02db9e101fce818274e86aaafbac93a741

        SHA512

        a12b422458a2a4d8ed81910c18c0bb7b6fa6c6f54d71f8cc93bbc88833ff1aa501864c3e82b86b6a0f339004f3599ba05fca18afc6daf10a6e1b04522ded0e59

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        e1a6bccc528042de94a680b982410542

        SHA1

        9bd8376ed3adfd3cf0d25c9ab4c1dc505703f3b2

        SHA256

        c162654e4051bf0583e4ce650ff3970abf80428155a446dd06347a2a4caad6f1

        SHA512

        f7d27dd528c74c2d5d4895f514c634cb3d836dbe1412ff08789c636d30cd8899f048affac372fd73d09de54c305ac1fd5355912df686504f8b0cac5de802af43

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        93c6a1f705d60b08022bfb613f442350

        SHA1

        3d432315a91339b189c35472d95e356ab4547a9c

        SHA256

        0adc78f21fb7ad51e86099a2c6f95bbf9438c69a59cf4bb22c5685b495c26586

        SHA512

        1f660608bd7b9efffd7cd369d1e5313de63b50912bcf4da0a6076995552a6c55c0d41d86a08fcb9b6ad3bfc2688bdb6b88cae7ea07ce684477fecf20470ddf05

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        28a2e67ac82482279ecb5da9faf7174f

        SHA1

        7d07db567757337bb1e85e83773c5e6ef87e79e6

        SHA256

        82433c549b964cd7c9050bf41805c55e51313eb5a00d8824e3c8fd0d804c2ee4

        SHA512

        ae81682fca5caf8de387a65f8a654510855e52d1eadbf65539f0d09b6731121b8c4d70eeda695f22f7f4cd2fa4316c54448dc0175e5861718361ea8e4ea783ad

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        0446a3f8893a5cb773a6f754e98c21a6

        SHA1

        cb999321a074df0b8f954c20f6bcc56e8163e0b5

        SHA256

        3ec8332a8928545edf7d1e2592b08a71997292fa3d0099e7c0bdb217a512fa8e

        SHA512

        6af2c92557cf616077f669f8e3dc4443797183accb7c5a824d558259be744db0f365b2faa14d6fd87b026b5667e377e517ad892d38a11feebb65c9c21d426570

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        e0195929dd339c5c9e7a1c16901da36f

        SHA1

        c27ec83fc4328058b16bb2839d4eda726097f49d

        SHA256

        8145ccb106a9fd67d93f3c0585b14c7b2d4df8a17b92fd03ef4e177bf12ef362

        SHA512

        6763262f1973030a23fe871b8f46cd6f07ce3ab56071e7767fdb77706137813596ebb2cb63d7d2e4d1977d0016e837c6818b3b0f2ac25cc2dd2fb5d9858dbc55

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        48a2c03584c35e305e4696eb420b60b2

        SHA1

        44f6885bb4db180b11fbf18744d05ac5884e4619

        SHA256

        be39395c8cb7f6eaf8b17a86de323d5ccd043d302d4e66e6e471e33546a77025

        SHA512

        d16883e1c7c1f21484c01f0fc072aaaf21290c0e414650e48eddf227aad777391ef59c3abe5f235209b1b2b19078041f8416e0ff02d147ea8e837b3b4cf29616

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        c06c12083492bd7d045de618671b731b

        SHA1

        21aee354cb73bb0c4171724406dc1e6a60a5642a

        SHA256

        e414a88836077d3e8b7f66e88e7140c8b4753b91917ffbb3da7767d7628614ef

        SHA512

        c3f35151ecf4a6a18e41f9421ad08fec45ec6c8dfb07983d5639639a3a1fc82a13aaf6be05abac804d09d18377242d8bb35ecd5f50d73943ab21155e9b4a3dc6

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        ccce6854f42e358795d917cd43fd2ea4

        SHA1

        9c6c2710940216a93143d2c93387c700c4a4e80f

        SHA256

        8ae09285c9263fe0dc47bc5013cfa0e58fad5286707e0de22430f2c6c5679d1e

        SHA512

        817f0dd62997b5d0d50f2b94fed2ebd2e0689068cf22fd5f7786caa9c9234f08a0988111afcef03679bba9768f10f330e4d1794c63abe94af1d602e73849552a

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        fd13fd301bc3822c294b7d69d0149e34

        SHA1

        5c9ff9d4cb697bd80f7635ab7716839da612c113

        SHA256

        d0e793939766386c093926d1e0e438c28b5501bdd91ae19d955f5a09b47d2f3f

        SHA512

        ff083bec706586149a7d3ab6f52e6397334e1382653ed406d952a637a61f353cd2fb6f77c7d2ef2943a44890d008d345fd31389faac47381e8e6914186ec0eaa

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        a896911c5eda631311122850da4c75be

        SHA1

        6f5e22e2a6ac009fbdeff1e9c84dece5cb79a848

        SHA256

        f990b01f921b3fd7f856e1509e0655a931b0356e07942005e24d3e2de9c9fa9b

        SHA512

        d8ad07ed5fd8313c3a22d32a03f6f2179abfc4c8ff6672871adfa448453c4fc3842d7d85a71dfe3ea694137ec2d91b04d44a1c3a5e61b5acd67859efe4b3cf76

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        4358f0dd29eea6e051dead88e0b43965

        SHA1

        8010d66b85b5174afb4f2f8648443610f0aa4b1d

        SHA256

        7c7edab335584465eb336a982fab33c8e715b2ff2907f52f403d2872e3ef4036

        SHA512

        26cc705b31d122e83fd94d6a0a646d7627085cb95668a7f37ab558ed2f340267d98e8455ffceb9e3d7bb105389f83b2253959d04326a19c407422106755d072c

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        19184710f523aabb018012210cb4b9d5

        SHA1

        7f53786d7d6cbbeefc17052f83d9ea62daf54f02

        SHA256

        5fa359e3d1ab44a0ccc5af32119afe2cfa2c3833802cba9a6c81de04f67da038

        SHA512

        19fcb1be87380364ee320f1afda752dacfb91d204ad057416417520cdb636bcc4fa31efe02cb7ac836e25e1abc5b5d1391a0fcd018d59eb4811dfc1d26f54d70

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        9106df26bb67a66516c468303cba54c3

        SHA1

        3ba14b009e56c26fdc2815e76d2a4c5d0780791a

        SHA256

        60ec5915018a80210517b9778ad6cb8f3983bea3d9dcf3b990b699622c4d077a

        SHA512

        6fff804f6e7825a88e3e4e1a56b4d33a9bd881bc814e05398cbbf6cfd7862f6ca6716ef738be9fa291e4c9159ebbcee79d654c6ac651ed5649eea7f5df9e1c85

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat

        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\appdata\explorer.exe

        Filesize

        578KB

        MD5

        d9f3a19b955bdabcd81903883dec4dc3

        SHA1

        2b38c3f09ea23445a4dcc33453a2ce22f5110590

        SHA256

        d9faf6bdd1e24143662056d75b3e13539825fc9e62bf29ade39dd1747f1d4ddf

        SHA512

        0ebdad522b07c3b9038fc229ec0fec5497f7666851dbadfb3188ebd69f91cc34853e14796c9364fa21af4dcc1b7b8aeaabd98e01ee60b5f4714da3c13ec244f6

      • memory/1212-24-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

        Filesize

        4KB

      • memory/1796-268-0x00000000000E0000-0x00000000000E1000-memory.dmp

        Filesize

        4KB

      • memory/1796-931-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

      • memory/1796-556-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

      • memory/1796-306-0x0000000000410000-0x0000000000411000-memory.dmp

        Filesize

        4KB

      • memory/2480-17-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

      • memory/2508-1-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2508-8-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2508-325-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2508-16-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2508-3-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2508-4-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2508-7-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2508-23-0x0000000010410000-0x0000000010475000-memory.dmp

        Filesize

        404KB

      • memory/2508-10-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2508-12-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2508-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2508-18-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2508-20-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2508-888-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB

      • memory/2508-19-0x0000000000400000-0x000000000044F000-memory.dmp

        Filesize

        316KB