Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-09-2024 18:37

General

  • Target
    dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe
  • Size
    282KB
  • MD5
    dafbe16877593a77e13dae546e1077f8
  • SHA1
    6ef2a4057cb625f723a417b2aef336679bf3cc0c
  • SHA256
    6ff0377f8c1085594b929d56db4aa7889286cadfa6e47e23cd36f8f71007094d
  • SHA512
    348e98471c17bb89c57bb6e03e711558342241ccf933c4f3971e0c7a0a915472dd1c2d0218dc8529c0d6fccff4b34c07625edf3f69b54844ea821936d5f40683
  • SSDEEP
    6144:wxJsGVyoxDNT/xQphU+jrlgzfuzt91C9NDyWId98HhqbxtHGZ:SJsG84h/xQp6+tqOYy9zo0

Malware Config

Extracted

  • Family
    cybergate
  • Version
    v1.01.12
  • Botnet
    remote
  • C2
    decksmasher.no-ip.biz:5050
  • Mutex
    111889

Attributes

  • enable_keylogger
    true
  • enable_message_box
    false
  • ftp_directory
    ./logs/
  • ftp_interval
    30
  • injected_process
    winlogon.exe
  • install_dir
    sysid
  • install_file
    syslog.exe
  • install_flag
    true
  • keylogger_enable_ftp
    false
  • message_box_caption
    Remote Administration anywhere in the world.
  • message_box_title
    CyberGate
  • password
    dex
  • regkey_hkcu
    HKCU

Signatures

  • CyberGate, Rebhip
    CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (1 IoC)
  • UPX packed file (7 IoCs)
    Detects executables packed with UPX or a modified UPX open-source packer.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3512
    • C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4948
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        PID:4624
      • C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\dafbe16877593a77e13dae546e1077f8_JaffaCakes118.exe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:3376
        • C:\sysid\syslog.exe
          "C:\sysid\syslog.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2224
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 564
            5⤵
            • Program crash
            PID:1684
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2224 -ip 2224
    1⤵
    PID:4044

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt (221KB)
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx (8B; 19 entries for this path are recorded, each with different content)
  • C:\Users\Admin\AppData\Roaming\logs.dat (15B)
  • C:\sysid\syslog.exe (282KB; MD5, SHA1, SHA256 and SHA512 identical to the submitted sample, matching install_dir and install_file in the extracted config)