Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-09-2024 09:19

General

  • Target

    da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe

  • Size

    296KB

  • MD5

    da0a59474c6e5ea11965c20a57651037

  • SHA1

    2ead2fa59cc821e6d8d608ad67fe192e2232001b

  • SHA256

    a9c2ceb933f283ace77d83eb3d8cfd497675dea59e11069ebe89c3f9035c878b

  • SHA512

    b5b63181c5a8e879b4797c4fc684bde44bfd2f3a7e491bb2de21e3ff0f6b73bf2f788ab21ebc5e99fd4c1113648f0a139f03306afa271703b4e440f37a446b36

  • SSDEEP

    6144:/OpslFlqChdBCkWYxuukP1pjSKSNVkq/MVJb2:/wslBTBd47GLRMTb2

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

127.0.0.1:81

Mutex

U87TWI3Y7U10PC

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    12345

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • UPX packed file (5 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
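
The extracted configuration and the signatures above describe one recognisable chain: the sample copies itself to install_dir\install_file (C:\Windows\install\server.exe, whose hashes in the Downloads section are identical to the submitted file), registers that path under a Run key, a Policies Run key and an Active Setup StubPath, and launches a 32-bit explorer.exe from SysWOW64 into which it writes memory (injected_process = explorer.exe, WriteProcessMemory). The C2 in the extracted config is 127.0.0.1:81, so there is no network indicator to hunt for and host artifacts are what remain. The Python below is an added example, not part of the sandbox report or of any vendor's code: it runs those checks over constructed Sysmon-shaped events (EventID 1, 10, 11, 13; the field names follow Sysmon, the events are made up to mirror the process tree that follows). Registry value names and the Active Setup GUID are not in the report, so the matcher keys on key prefixes only and the placeholder GUID and value names in the sample events are assumptions; the Wow6432Node form is accepted because a 32-bit writer on x64 Windows lands there.

```python
"""Host-artifact checks for the CyberGate behaviour chain described above.
Added example: not part of the sandbox report. The events are CONSTRUCTED,
Sysmon-shaped dicts (EventID 1/10/11/13), not real telemetry."""
import re

# Indicators taken from the report (extracted config, process tree, hashes).
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe"
SAMPLE_SHA256 = "a9c2ceb933f283ace77d83eb3d8cfd497675dea59e11069ebe89c3f9035c878b"
INSTALL_PATH = r"C:\Windows\install\server.exe"   # install_dir + install_file
MUTEX = "U87TWI3Y7U10PC"                           # for a live-host mutex sweep
INJECTED_PROCESS = "explorer.exe"                  # injected_process

# Autostart locations behind the "Adds Run key", "Adds policy Run key" and
# "Active Setup" signatures. Value names and the Active Setup GUID are not in
# the report, so only key prefixes are matched. Sysmon reports HKCU as HKU\<SID>,
# and a 32-bit writer on x64 lands under Wow6432Node; both forms are accepted.
AUTOSTART_KEY = re.compile(
    r"^(HKLM|HKCU|HKU\\S-[0-9-]+|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\"
    r"(Wow6432Node\\)?Microsoft\\("
    r"Windows\\CurrentVersion\\(Run|RunOnce|Policies\\Explorer\\Run)\\[^\\]+"
    r"|Active Setup\\Installed Components\\\{[^}]+\}\\StubPath)$",
    re.IGNORECASE,
)
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020  # needed for WriteProcessMemory


def classify_key(target_object):
    """Name the autostart mechanism a matched registry path belongs to."""
    t = target_object.lower()
    if "active setup" in t:
        return "active_setup"
    if "policies\\explorer\\run" in t:
        return "policies_run"
    return "run_key"


def wants_write(granted_access):
    """True when a ProcessAccess mask permits writing into the target."""
    need = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    return int(granted_access, 16) & need == need


def sha256_of(hashes_field):
    """Pull the SHA256 out of a Sysmon 'Hashes' field ('SHA256=..,MD5=..')."""
    for part in hashes_field.split(","):
        if part.upper().startswith("SHA256="):
            return part[7:].lower()
    return None


def detect_cybergate(events):
    """Return sorted findings: install-file drop and execution (and whether the
    copy is byte-identical to the sample), autostart writes pointing at it, and a
    32-bit explorer.exe spawned by / opened for write by something other than the
    shell, which is what the WriteProcessMemory into explorer.exe looks like."""
    findings = set()
    for e in events:
        eid = e["EventID"]
        if eid == 11 and e["TargetFilename"].lower() == INSTALL_PATH.lower():
            findings.add("drop:install_file")
        elif (eid == 13 and AUTOSTART_KEY.match(e["TargetObject"])
              and INSTALL_PATH.lower() in e.get("Details", "").lower()):
            findings.add("persist:" + classify_key(e["TargetObject"]))
        elif eid == 1:
            image, parent = e["Image"].lower(), e["ParentImage"].lower()
            if image == INSTALL_PATH.lower():
                findings.add("exec:install_file")
                if sha256_of(e.get("Hashes", "")) == SAMPLE_SHA256:
                    findings.add("exec:self_copy")
            # The real shell is the 64-bit C:\Windows\explorer.exe started by
            # userinit; a SysWOW64 explorer.exe with another parent is a host
            # the malware launched for itself (PID 632 -> 1112 in the tree).
            if (image == r"c:\windows\syswow64\explorer.exe" and parent not in
                    (r"c:\windows\explorer.exe", r"c:\windows\system32\userinit.exe")):
                findings.add("inject:syswow64_explorer_child")
        elif (eid == 10 and e["TargetImage"].lower().endswith("\\" + INJECTED_PROCESS)
              and e["SourceImage"].lower() != e["TargetImage"].lower()
              and wants_write(e["GrantedAccess"])):
            findings.add("inject:explorer_write_access")
    return sorted(findings)


# Constructed events mirroring the process tree (PIDs 632, 1112, 2596) plus
# benign noise that must not fire. The GUID and value names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE_IMAGE, "TargetFilename": INSTALL_PATH},
    {"EventID": 13, "Image": SAMPLE_IMAGE, "Details": INSTALL_PATH,
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKCU"},
    {"EventID": 13, "Image": SAMPLE_IMAGE, "Details": INSTALL_PATH,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\explorer.exe", "Details": INSTALL_PATH,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CONSTRUCTED-GUID}\StubPath"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\explorer.exe", "ParentImage": SAMPLE_IMAGE},
    {"EventID": 10, "SourceImage": SAMPLE_IMAGE, "TargetImage": r"C:\Windows\SysWOW64\explorer.exe",
     "GrantedAccess": "0x1F0FFF"},
    {"EventID": 1, "Image": INSTALL_PATH, "ParentImage": SAMPLE_IMAGE,
     "Hashes": "SHA256=" + SAMPLE_SHA256 + ",MD5=da0a59474c6e5ea11965c20a57651037"},
    # benign: the real shell, and a legitimate Run entry for another program
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "Details": r"C:\Program Files\Example\example.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example"},
]

if __name__ == "__main__":
    for finding in detect_cybergate(SAMPLE_EVENTS):
        print(finding)
```

Each finding on its own is weak (a Run key write is routine; a ProcessAccess to explorer.exe is noisy), which is why the function reports the set rather than a verdict: the combination of a drop into C:\Windows\install, an autostart entry pointing at it, and a SysWOW64 explorer.exe child opened with PROCESS_VM_WRITE is what matches this report. On a live host the MUTEX constant is the remaining check; it is not a Sysmon event, so it is kept as data here rather than matched.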

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1236
      • C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:632
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1112
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:1684
          • C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe"
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:956
            • C:\Windows\install\server.exe
              "C:\Windows\install\server.exe"
              4⤵
              • Executes dropped EXE
              PID:2596

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

        Filesize

        224KB

        MD5

        e2efeb981f61bcbf7a9b1f13d1fd3b78

        SHA1

        a469b425adf2bfeac3cc97bb46f9ecfa3a437303

        SHA256

        e0375b92bcbe76fbb55d9a22553dddfbfbd359b24708180891e2e88e8cff5bf3

        SHA512

        3b4b75cc65d825e69cd782ab483ac01d9356a7e1cc449cf9561201a9c20c5b60bedc16b6d18e63cac5eedc996c2d453043d34ea1a2a811aaf23799785339da83

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        82b83b770b303dd5831bad4095389d41

        SHA1

        be8922857e6accec6dafb9d1b3e717b0d6aeb3f1

        SHA256

        4e2c3eb3983367f9ce9b1d8b270cff543c0bee4c7b273d2bbf71f27121cf2964

        SHA512

        72f8c86c2818837c3ed8934875b949133fa805789071345b66d60d58dbbbfdce46a0ff8aa11ca3cb158c08060b5aba2e2fab2ce1930bac5d23f4c6f2254e41f5

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        d44dd2533e8453dccffd167efb002e35

        SHA1

        ee4d37380d398bfa680e1ad7313643e3832a1d52

        SHA256

        5f172e6d6bbd35664da9997762939fefcc4a22f142b3ae698d03ab3ed14b43df

        SHA512

        5d29dbe0d845ee79d4d392c9fe058e4ca0d4f05a57b713f1434d0b31bfc4230227aa341e7d998dcb9e20f905e5485978a2e381dcdf5b9b36fe21143b06df95b2

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        20ef875ff0b5999adb961708c224becd

        SHA1

        c73ae0ef66949e0d77968632d297d96a88204ec4

        SHA256

        1a7c734d2f08eb32864273e0064b365a5f6903b11c2366c6b8d30ebcf20d8040

        SHA512

        6841139324c26bc9160ed4a13b149e63c8f6cec174ac95093eea74982a6edc66d23ace5f4a4492d7297933cb9cd783e55c918052f08229cf1278d2a531492c21

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        846ba634d163366ae36697c356215c9c

        SHA1

        d3b084ccdbee294438af533ca7705322cd5e9f93

        SHA256

        c8066c686b3b0f302e39c5cf59756716e0ac72aad8b9c0f80fa2c2773c806d86

        SHA512

        1a2595fde95f8397087e2d107c20b9e97904f6b4837714cfee1157d86595ff0e522f68de23c3ea6b5717e6a8e0a538fbfdc8bb32c61853303509e3491fdfe7a1

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        7599025639f3194f4b9ebb9898addb74

        SHA1

        7645e49b0f94e014d38a5af65e0f43d9d1fc497e

        SHA256

        b9d09565e7b7e766d443622a20fad8bde5bb314a98e05c158b6352e299534f92

        SHA512

        290b59a25b77e58580992f56db02c75d414b2f4af0e61c8286edc37e05ca5168452143756b3c2ccd66fa7e918ec512e6b0e206dca906ca08c9b3123c7df62e8f

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        6e4ee40c485fd6b80d49429ccfd5bd8c

        SHA1

        b731c2c7652606a02cd5c15a2fa17af69b42922b

        SHA256

        59853edbc416e1460456d90a2151ad715b100b8fcc4a1a2a88218ee97363932a

        SHA512

        69a90b03bd4c51199c4c150d57aae8837980be16006b6f807b774619a9239d9a3f330cfb9e5c090358b1da2012f1412f94b958151025369f24c4e486eb53fff3

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        161851dc0b0fb3a1d4668a98b0001cc9

        SHA1

        78238d27adaa2710b48d3d703c6ab9f9f8407ed0

        SHA256

        ebee44071325d7f8e3988d7687e10007813d81676150e4351027d9c0f7cf954d

        SHA512

        4f49988a1560cf38fcb850d73648ed8c333d9e9e22edd78abb47fc76c54864e4aed5a8bdbe3d1bc7401475d90d8dcc0fa175a52cee3124210956bf6d763195e5

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        b4bd5e5129730475b6256d53cb6972e4

        SHA1

        0b3d8f7b8b3b4cdc2ebfc8db7597ec80d18658fb

        SHA256

        94de9a1ccb02864ab29c59318f84b570b4f41f1eb517815c0ffcfe107331d5e0

        SHA512

        fa7dd5826a5279753af15021e92a349f4d87e9118b38ea8e8133071c7b64d468c23a6e17dfca885679062ef9771dcaf0d1165f13f87d0ce53bd8ee7e751aeced

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        2632dce56f367c65c5384d6d0f4cbc77

        SHA1

        34275891d66826ae2538091e5b2f9677efdcdb03

        SHA256

        b8133d4748d1f4df99a061020f31bb5010e03803214e112927313a77f4e88b84

        SHA512

        de94fdfaa53b868d295ac785904262898703d518629ed4fae64fb741f004cb234f6bd816890e9f6ea3fd3748f439d1de430152e00846186e1dce38acd0c7c758

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        fa3ade80bf407c0e9314a657cce8ba9b

        SHA1

        47ca17d1589fec24d06bde3041fc9cb49af2cfa1

        SHA256

        6aa46992cb5f4a73c10f12c58ea67fb63d870ca1bce65b8c2f056b347fa2a350

        SHA512

        9b795b78a887f2e56cdc2ea782d07fe2f0632cb8a065dc6d8624b162c87d73678a79debcc149d2ab132c8932e8fbac866e70d7c26b4924a6529352e56d00cbeb

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        eb84aa2f5cdc93a0726571dcf73bea11

        SHA1

        8352e213e481d8ca6891b32dfc3fe6113f19c4f3

        SHA256

        2fec5a4b8e7704bb0164e69ebc7cb65106ddc0e7a813d2e1447890dbacdeb94f

        SHA512

        0e7cd3712cf6e60ccbb17b5f8a01c434331f974ad227ff20ed2956b27559a63dc40fee61cda009c46353feef7ea14b2795364de36ec78fe04a0bafb0c3e4c934

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        1fa8b3b2bdbba96264809a8bce379343

        SHA1

        76c145f0334f653098ce046fcdff756992b78ec7

        SHA256

        dd519089a799eb49dfcb465eb41ecca26367629c2f0997ee2ce7659a098231ec

        SHA512

        3d6706abaf3af2afc9f0cf297b3db581cdcf35709e9a198a27f045fb84c424276fe094dee423ef6022b8e7b62c47106d4ad417c3fa2cbb19d2e360c218e90181

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        9383cf925e2773be76a54d4cdaae3c8a

        SHA1

        e991dc006b15cda399180bce937d5e03616cdd15

        SHA256

        c85e427195582008e3dbb02f97bf1b1c3a3fff31b87009af89acf3d8a4779fce

        SHA512

        c2d269b2b67a770b2d3bc1e95b8be9f78d27d5dfecef79f4ba42cb6143bcf12dd9832cc29e7c86577d310b0c58e2d61b468da39a12063355f93f051d5380bde2

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        1eb11d7edb09d09b5569046a851b645c

        SHA1

        a92ac13561597213bf72ee46437c1438cd87ab4e

        SHA256

        3a2ea623677f69edc89df30dbcd5250e9f43de82a35f7fd46bc3c1da711dc037

        SHA512

        ccdb3793e10163d99d7ecfd68af31ea91d691ac969a42746ba4de9dbbeaf30adcf30bfed9c48442208c5c0487fd9561212c938a76c6239214f5d4136f6ef4926

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        c7003d916e371365c44cc9ed1c3c9435

        SHA1

        4b562fce68e26681bf8959a60008f738fb99a651

        SHA256

        e1c34263043f915537f468ee53aa600bbbc1bcaa36b30a324bcd32c41ec569c9

        SHA512

        a24755d836722069a3eeacd515437395482df95536698ecb1f2c70f80ca10ce75253b1380e457d1fb514576f852eb5876f3c0d82b744120a2e74da2133e158c4

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        5af8d18efe2ea38a4b7436beff83f317

        SHA1

        7157b0bfefd79532867779c4400b31f18d18303d

        SHA256

        938084a61280b2ab6634469a7bfffddee2801b008b761ec4f9a794c3a6201dc0

        SHA512

        b9c908758e725ba7fd3a4638d76a10b8987739e385400cb7f1353aa3595e8a72f42c4b0cb495dd608252dc54026aba5e0d413b9b5ff1dd6b0207bb7b5671d557

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        96eeb0776a6163325351ce920c4cb785

        SHA1

        e491f6fa2a69f76952f1846f351fd9eafecde22f

        SHA256

        767610920f3c4938d6438800e4483c711012013280e6d5ce265675544ea3ee63

        SHA512

        a92c7b86e5b65dff79eebae204eb856f0f1bce22291660843e0f05aa2e85a1a785a807f97c29efe47014abae2d147baf84b734122f8ec64d39636407d92cb90c

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        9b870fdedbbd27efbf968c25c27fe097

        SHA1

        4178865aba5ab845bc43bd8fd821c105d30a2192

        SHA256

        1bcbb0de59651eac331576003b81b52d16966d0939d45ec7c76ddf4e220278b2

        SHA512

        f7c5e3ad33d2c4172410012bada3980cdcc6473e662ef8531a7651c919cecc0b7eb88393554044915ccafb4ddd68a1f1d598ee0bbbaf808e26c4983f5d5f81a6

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        ced8c41671c3995f09366371dd1b28e0

        SHA1

        3f9efd5608e1dea701e1b868a49691421926e975

        SHA256

        c11c68e5a4c633aa2459099128928e6c194998073d8accff6fc261899e399be4

        SHA512

        3369346c83f3c82b58b3bc88614a3cc98a52f9c56e22b63e865e343e92da9b3b9e4561e2d4a5f2b67e301e759b9819d118034b97da233580c09764a3391e2242

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        9ada3d0b24979954dbbbb817e2ac3ff0

        SHA1

        cf0c91bc174c2475f0888ada6c7beadde825686c

        SHA256

        c967cbe7467c201d6828dbd8a9e0e3c4e61eec0a6b86734ace96e45675832432

        SHA512

        84ef55a50f2bb3a10293956936a39e00711a41484f736600488896df77554e6ee2776986f9e6f8ffeff6f341ef127282201e440ca4f41b3e0f54cbb9f532dee4

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        c0eac95b86a1fbef6809c03036dff2e7

        SHA1

        0df4b5f9b827f501616958623976d97c4cb09c98

        SHA256

        ad7b002dbd13f53a891b14fa369ee9f9ed6de8dced631cb2733e4d67bdd0faf0

        SHA512

        56bc39d34f25413df30499fafa88b78644b847b54656c3050af36433d29eb77e410e58cfe71c88ee621d8ebeecd023f7723c5d2d88261fb845a15752671e5e27

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat

        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\install\server.exe

        Filesize

        296KB

        MD5

        da0a59474c6e5ea11965c20a57651037

        SHA1

        2ead2fa59cc821e6d8d608ad67fe192e2232001b

        SHA256

        a9c2ceb933f283ace77d83eb3d8cfd497675dea59e11069ebe89c3f9035c878b

        SHA512

        b5b63181c5a8e879b4797c4fc684bde44bfd2f3a7e491bb2de21e3ff0f6b73bf2f788ab21ebc5e99fd4c1113648f0a139f03306afa271703b4e440f37a446b36

      • memory/632-2-0x0000000010410000-0x0000000010475000-memory.dmp

        Filesize

        404KB

      • memory/956-883-0x0000000010560000-0x00000000105C5000-memory.dmp

        Filesize

        404KB

      • memory/956-857-0x0000000010560000-0x00000000105C5000-memory.dmp

        Filesize

        404KB

      • memory/1112-247-0x00000000000E0000-0x00000000000E1000-memory.dmp

        Filesize

        4KB

      • memory/1112-248-0x00000000000A0000-0x00000000000A1000-memory.dmp

        Filesize

        4KB

      • memory/1112-526-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

      • memory/1112-879-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

      • memory/1236-3-0x0000000002E10000-0x0000000002E11000-memory.dmp

        Filesize

        4KB