Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-09-2024 04:16

General

  • Target

    dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe

  • Size

    283KB

  • MD5

    dbcb6ce8cd611d2f325902be00b7bc7a

  • SHA1

    4485e20149d54b24aade15efeb789aa4ed395cae

  • SHA256

    436232240571a649272155704072854375cf25ca874662d1116ab4470486c5c9

  • SHA512

    a0ebeca67b32f8e9394cae8b112632a20267321fd2c74c9a78df6e812b0a8abd5ae1c43f115191e12abe57fab24901318fcbad514faf183c2327759ef9e6096b

  • SSDEEP

    6144:g4ABF+npAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK:PUnGLE0kuGnESB

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

C2

server111.zapto.org:100

Mutex

4HX428QM2HKQB3

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    rudll

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    12345

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2092
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          PID:2496
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:2864
          • C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe"
            3⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2856
            • C:\Windows\SysWOW64\rudll\server.exe
              "C:\Windows\system32\rudll\server.exe"
              4⤵
              • Executes dropped EXE
              PID:1788

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

        Filesize

        222KB

        MD5

        4afa223f16032a16b66529866b02bd14

        SHA1

        1666588ec77c44b15889ff6ad778144b3fb358af

        SHA256

        a626e9b0ac7cd23951ad496ff9b07be0f6a9a3e24ad2f70e18a2ae75e5481496

        SHA512

        8b61fa355fbd7536deb630c0c5e1aa1e38ca296ebbf7afb9fe5319a42b8f5913cb0f187e2e345a1614542be4b60d6f885642e80fd16b00b9be45e42da1db8d7a

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        e8c28cdfa11f2a59702bf7d274076622

        SHA1

        62e0abe020a024bd72239de6abfa0492fdbef14c

        SHA256

        d7bce855cb6c5109419b2b9a52733dff84227615cf99e440a94713a179090dbb

        SHA512

        ccaa0c7158b9b5280326127b72eeaab71740f0d88f67da9ee03605337f4cbe83f82339f8d119725de3a7edc6cea79dc46107b364947519f9cdb544aca02abd8a

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        837859bd9c291671b62215a1df86a180

        SHA1

        af4898e5ef91ea5a3f36aa1b5028a207a018e9cc

        SHA256

        dce010fd02bfa3b6b7d513fb5dc7f3d74b7fb66b315852be1eb0f3bd56a55c41

        SHA512

        b051cb0bf0c262db9b9bbbcaafc1f98c8232d5efdd4cf9fdd4868f84a1497c65a7972c62ccdf8b806f90bd42e5716a3262545f2f26fc153c8feac08dc1fc62ea

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        18541147fe4253ec740b296263437821

        SHA1

        a3ec88344dd307366c61daa7d5899471bd5a9768

        SHA256

        92884a3508b44742fb126c4f551d232d29f20bf78668f438f5a5e1e93b7f4f3e

        SHA512

        25b6809e9943420b585477ceaa08fc418fab545c40b2a8b88455b7b15f8a0c8df07db02fce3b376cdecc197b2d52e4c3d9c7c41af8ca9f01b4a3bc08fdd2afb5

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        0a8d4fbe5c978e6b32eafff0d29ac904

        SHA1

        72e01a99512aa56170f90a3831587715765bcdb6

        SHA256

        9790987340cf505cb2054435f0ca090b8d33e827324675e23235a2f33ef6d185

        SHA512

        e119682d6dfc1d0fc59bc207db9142390d86e7bed0013e8b8c39cc71f0cd06b272bbef47f8e3fbfd26f2cc9c6302f14883a36328de44213ada3f7b6ea89ba45a

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        effebf1a74ecdeecfabea78edc32f154

        SHA1

        8cef9455087434e40dd8bd18e120e2ad09f65d9f

        SHA256

        8172d1761797a2723ed2044cfa14325530b671ba34c3bedf002ccc16815949b7

        SHA512

        df0d03bedd3e1a4487933c065abb5a4d05d6653affe1952194a50e3108fc75b28a3be1c476566372c7d5db0b69ad86075ba799def7ad5ae15dff491e9b60b1da

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        595ba09f2da22dec7403705aaf6ffa97

        SHA1

        c9a57db7417633ea581948303b3496d98658401a

        SHA256

        847e8e3481acbd0ccb32ce481168c5659e4c351bfe635ace9352768dea9837cb

        SHA512

        63b0185193fee59de8f6822dea06355c690fd74fb219536c1d13989946772b46635a5ba15a2cdf7bf4ea22135783530b8811bb17fd155eaf3069ed26e8bbe9d7

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        7968fda4fa932bf5309cf2ac82b63cf7

        SHA1

        8f2c3b6071bf11cc110a8a8a2937464557e4a0c8

        SHA256

        b71e7bedbba8d6b7ff03c12e24292342df93c4fda5e02a5eaa5b7f391466d1f2

        SHA512

        f36219052f5d85e4f39e35a8fd84cfab657d3ba5f4a7c629a180c72abe5dca768b19034fe63afff9c8e0ece59315a921e3024b37ff559c728149d3b7df5ef721

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        61fb1244a55b8747ad533b3f01028d35

        SHA1

        cbafad79f9fcc4fa0e06ada9d4fdf2d0f21ddf11

        SHA256

        bb70b1dc0813504fa1866d4b3c0e9274e4acc35ea0baaa95503ff0e48d946783

        SHA512

        cd7dd8b8f9cf7cfa791f60aa32b7984346c50d8e3ca581c27926919a168d0dfaca331d62c16c5a1a0e7ff3091730b3aa520eac15a5e7184424c513586f875cbf

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        1f435515ddbbd47ca28f24e1bcad5118

        SHA1

        e9c14ba11de7588caedcf7c571b9d5a84087f75d

        SHA256

        0397f8cf76ed666be22891c9f3f039f0e353f22b29971bb60fefe68ade004569

        SHA512

        d4d7a20aebfe32d84ab7155151f024632de8d0f91414ef27c47e60279a8a9318ce47ad9aba32116b3f5e20321cc377790b9abc5b9357bcdeb3add8eeb5d11421

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        8d184bc3bd6106a13e1e468b938e41f6

        SHA1

        c0995989c548a18fb605c6de3695eb6d76e83a11

        SHA256

        1e003c951c92f54b2d9f3145366db86d823703f14ec97b2d7947abe25860c93f

        SHA512

        41a33df185761dad1e4cf286cf4da981db70a3aefe19e827aa4d49f6e6a937094633a15a21a5e16e15a2c43b57e73456e3548eb1628849c8ee29fb23a8f80d1a

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        a1f2fbdef616cd03612ae8b90b42cb40

        SHA1

        7e73d383b8d2d5afe593a2634a34339dbadac998

        SHA256

        a614bbe3e4b3a0f9291cac1d99a732144d849bbbb6b5dfb1d2eab185acb2e205

        SHA512

        d9e24220841b74d15c252e948a22e343429b1c7364ab4af89d27e1438bcf4835abe73e06a05df89562d49cd924023ff2fd187955727d00afc1f1eb0124cd6f69

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        51532b9ee1959324173532e903d30a5c

        SHA1

        dc08ccf97ac8c1f25ee101a47600365cd10fcd05

        SHA256

        2015930ce44c35fd7d43648b6eb3715513d8874b1d63112eea39695a64b45792

        SHA512

        85944f40b073dacb91c0252cf6794f49fcd2f1be375ac24ad4becf881494dad89d4f9fb4e030966a68905c944fb91d01a6f55974462167a2ca66747af014cbea

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        6dc42cd6f5e888a773382a761b409cf0

        SHA1

        6362c110c94cf1394c384bef37b41adef2ebe3ef

        SHA256

        05d1cf00dfcb97af7523e89426821b0b565e5bc176072db3a2d7ae9048ca2df0

        SHA512

        45cd1d8626754a63a128e5ee795196a4f46d1ea7d968572674061ae85f3ad75b8965b276cf3f72598b9baeecbccab9e94b2a7d7117f54798fecc15ca1f6852b1

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        5562ec3f95fe90b5b80b0223416682bc

        SHA1

        b50b201427589ed5318b5f52086afe62c10f5626

        SHA256

        323372802dfe1dc1b8857074b7601c37028b4abec74adec317ee776a66b4d104

        SHA512

        20e591e99a451f423aae62bfcee24deeac69acd63a00a6e392e88eb77d2ac417432911eb58e70d6ef7169bc45b59b5e9c04e9e6e997c4e55cbfe748fa053c6e9

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        ec2a7edb747e9f09ef8d5d8f86900488

        SHA1

        7eccbb65e66cc4d14b4b3d0c925e695f7930cec9

        SHA256

        d5b38f47443ffc735620dd640efa3a38096f6f931656f113d4f14cc4cb3be197

        SHA512

        5ccfe9f3c8215f4b98584347914f818e7bdc35d71c17ea7b86dd134866ff506e0b89a917efcdc9e9ef52e2615fcfcb43630f08a261e5de1848daf7b8693d3bae

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        f9fea3934298445eaa738fd35cb79539

        SHA1

        aa2c566fabeb00d260818071cccfe0f7a44f0604

        SHA256

        5726942d689018946d812bf68df06a901f1458947d289b2c8ac40820eef60b38

        SHA512

        8bbc74985a191d13d8df0459bdfa4e0bbe6fabc77ef266091cb91da6c318f03323b48732408514b28f325907c5f7dec78d14de02ab41586d812b5e96fcd24584

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        0ab508821d9e57ceab16f252d022289b

        SHA1

        55070a7a5fe988a0397495655c4b1569bf3a0feb

        SHA256

        5709e446ff6741a7d2c811a67ca522ff1777d59eb28af49c26130290698f96fe

        SHA512

        ec4e4c94140d602aadf823d395d79c63ff654cc76b9f5f2a332c4a8ae611331086faba98ae13229d8775a074d388425eef26e0330aba211e94e0f27c47db1093

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        2fe1b3dfa927d221fed4a8c8292d35ca

        SHA1

        75f3a7f4a1028b4fc42e65e7b5537e84f0a316fd

        SHA256

        aeb803abb6f97f03df34b6edbbde9f221e61fe19a3670ac8cb330e3263f4bcbc

        SHA512

        5a37fc513c40301bf9e6ff87b7c35161011f91fb4b7447d4b3b7b95118c44b750b8392e2b5b0f19aafd7db86d7d950f2a7ba86c2375a7c7a5fd891f7c1408f0e

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        e5ce4c830d873378ebb0729a6d2f8e96

        SHA1

        0a2a28ab9155b9a2c2760d9bffea8c6afcd053a7

        SHA256

        7f9675a9d526d451707faafa0309d99c7717ef5db822357d40762a9c47b3793a

        SHA512

        86ac8390dfa42a6ccf38d06bb77feea98cb790b549906d7a0078ea9c7f79b0fe450626cd7d695757b33a17ba073f6fd79f9fbd9fafd66dd00cbb03b420057c8d

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        ae4a8c74bcc5c47a4daf2e8f17302262

        SHA1

        6bfd2dc955df36b695e713643df45795641c57b6

        SHA256

        c5faa1a46ca9e95f6ac4568ff61f02626c731669c2ed0490fde4e071d6ef95fb

        SHA512

        5c78107b1874b3d5f63a63879249fcf475dfa501355d945a8ddf85d72ba748c90527cac215e4d9e2b504f04e89be889ab81df340b69adafc926eb5ea34c67add

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        86ddcdf3ea6adefdb1f00b3ddbf7ad6d

        SHA1

        f7eda63a3015c4f14d9cc17ef55109b0a9ee5d67

        SHA256

        7e85fb3a2f925c86744c85a0c1abe8e2410977e860e0bec83cdde0bfcdaa7232

        SHA512

        56999b6fd0a31f34cdefc55c7d261901f5214f3f95dd0ad516022e722b2e2796bfde33001f57ca541b026c929e52d40dd8bda9b2b90c5ae56e518de25e438e33

      • C:\Users\Admin\AppData\Roaming\cglogs.dat

        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\rudll\server.exe

        Filesize

        283KB

        MD5

        dbcb6ce8cd611d2f325902be00b7bc7a

        SHA1

        4485e20149d54b24aade15efeb789aa4ed395cae

        SHA256

        436232240571a649272155704072854375cf25ca874662d1116ab4470486c5c9

        SHA512

        a0ebeca67b32f8e9394cae8b112632a20267321fd2c74c9a78df6e812b0a8abd5ae1c43f115191e12abe57fab24901318fcbad514faf183c2327759ef9e6096b

      • memory/1224-3-0x0000000002520000-0x0000000002521000-memory.dmp

        Filesize

        4KB

      • memory/2496-246-0x00000000000A0000-0x00000000000A1000-memory.dmp

        Filesize

        4KB

      • memory/2496-248-0x00000000000E0000-0x00000000000E1000-memory.dmp

        Filesize

        4KB

      • memory/2496-527-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

      • memory/2496-879-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

      • memory/2856-884-0x0000000010560000-0x00000000105C1000-memory.dmp

        Filesize

        388KB

      • memory/2856-857-0x0000000010560000-0x00000000105C1000-memory.dmp

        Filesize

        388KB