Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-09-2024 04:16

General

  • Target

    dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe

  • Size

    283KB

  • MD5

    dbcb6ce8cd611d2f325902be00b7bc7a

  • SHA1

    4485e20149d54b24aade15efeb789aa4ed395cae

  • SHA256

    436232240571a649272155704072854375cf25ca874662d1116ab4470486c5c9

  • SHA512

    a0ebeca67b32f8e9394cae8b112632a20267321fd2c74c9a78df6e812b0a8abd5ae1c43f115191e12abe57fab24901318fcbad514faf183c2327759ef9e6096b

  • SSDEEP

    6144:g4ABF+npAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK:PUnGLE0kuGnESB

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

C2

server111.zapto.org:100

Mutex

4HX428QM2HKQB3

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    rudll

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    12345

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3320
      • C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          PID:4532
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:4848
          • C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe"
            3⤵
            • Checks computer location settings
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3436
            • C:\Windows\SysWOW64\rudll\server.exe
              "C:\Windows\system32\rudll\server.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2724
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 564
                5⤵
                • Program crash
                PID:2580
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2724 -ip 2724
        1⤵
          PID:768
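The persistence, injection and C2 behaviours listed under Signatures and visible in the process tree above can be turned into host-side detections. The Python below is an added example, not part of the sandbox report and not CyberGate's own code: it runs a small set of rules over constructed Sysmon-style events in JSON-lines form (field names follow Sysmon's schema; the SID, the Active Setup GUID and the benign OneDrive and iexplore lines are made up) using the indicator values extracted above (install path system32\rudll\server.exe, C2 server111.zapto.org:100, the sample's SHA256). The ATT&CK IDs attached are the Enterprise techniques for Run keys, Active Setup, process injection and non-standard port; rules the report lists as IoC-only carry no ID.

```python
"""Detection rules derived from the sandbox report, run over constructed Sysmon-style events.

Added example, not code from the report or from CyberGate. The events in SAMPLE_LOG are
constructed; indicator values are copied from the report's extracted config and process tree.
Sysmon event IDs used: 13 registry value set, 11 file create, 1 process create,
8 CreateRemoteThread, 22 DNS query, 3 network connection.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SAMPLE_SHA256 = "436232240571a649272155704072854375cf25ca874662d1116ab4470486c5c9"
C2_HOST, C2_PORT = "server111.zapto.org", 100
# install_dir "rudll" + install_file "server.exe" under the 32-bit system directory
INSTALL_PATH_RE = re.compile(r"\\(system32|syswow64)\\rudll\\server\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
POLICY_RUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I)
INJECTION_TARGETS = {"explorer.exe", "iexplore.exe"}  # hosts spawned by the sample in the process tree


@dataclass(frozen=True)
class Hit:
    rule: str
    attack: Optional[str]  # ATT&CK technique ID; None where the report lists the behaviour as IoC-only
    event_id: int
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> List[Hit]:
    """Apply every rule to one Sysmon-style event and return the matches."""
    eid = ev["EventID"]
    hits: List[Hit] = []
    if eid == 13:
        target, details = ev["TargetObject"], ev.get("Details", "")
        if POLICY_RUN_RE.search(target):
            # Policies\Explorer\Run is rarely written by legitimate software: flag on its own
            hits.append(Hit("policy_run_key", "T1547.001", eid, f"{target} = {details}"))
        elif RUN_KEY_RE.search(target) and INSTALL_PATH_RE.search(details):
            # ordinary Run keys are noisy, so require the value to point at the dropped binary
            hits.append(Hit("run_key_to_dropped_exe", "T1547.001", eid, f"{target} = {details}"))
        if ACTIVE_SETUP_RE.search(target):
            hits.append(Hit("active_setup_stubpath", "T1547.014", eid, f"{target} = {details}"))
    elif eid == 11 and INSTALL_PATH_RE.search(ev["TargetFilename"]):
        hits.append(Hit("drop_in_system32", None, eid, ev["TargetFilename"]))
    elif eid == 1:
        image, hashes = ev["Image"], ev.get("Hashes", "").lower()  # Sysmon writes "SHA256=...,MD5=..."
        if INSTALL_PATH_RE.search(image) or f"sha256={SAMPLE_SHA256}" in hashes:
            hits.append(Hit("dropped_exe_executed", None, eid, f"{image} (parent {ev.get('ParentImage', '?')})"))
    elif eid == 8:
        src, dst = _basename(ev["SourceImage"]), _basename(ev["TargetImage"])
        if dst in INJECTION_TARGETS and src != dst:
            hits.append(Hit("remote_thread_into_shell", "T1055", eid, f"{src} -> {dst}"))
    elif eid == 22 and ev["QueryName"].lower() == C2_HOST:
        hits.append(Hit("c2_dns_lookup", None, eid, ev["QueryName"]))
    elif eid == 3 and ev.get("DestinationPort") == C2_PORT and ev.get("DestinationHostname", "").lower() == C2_HOST:
        hits.append(Hit("c2_connect", "T1571", eid, f"{C2_HOST}:{C2_PORT}"))
    return hits


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run the rules over JSON-lines input, skipping blank lines."""
    return [h for line in lines if line.strip() for h in check_event(json.loads(line))]


def techniques(hits: Iterable[Hit]) -> List[str]:
    return sorted({h.attack for h in hits if h.attack})


# Constructed log: the first eight lines mirror the report's behaviours, the last two are benign.
SAMPLE = "C:\\\\Users\\\\Admin\\\\AppData\\\\Local\\\\Temp\\\\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe"
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "%s", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\HKCU", "Details": "C:\\Windows\\system32\\rudll\\server.exe"}
{"EventID": 13, "Image": "%s", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\HKLM", "Details": "C:\\Windows\\system32\\rudll\\server.exe"}
{"EventID": 13, "Image": "%s", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{11111111-2222-3333-4444-555555555555}\\StubPath", "Details": "C:\\Windows\\system32\\rudll\\server.exe"}
{"EventID": 11, "Image": "%s", "TargetFilename": "C:\\Windows\\SysWOW64\\rudll\\server.exe"}
{"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\rudll\\server.exe", "ParentImage": "%s", "Hashes": "SHA256=436232240571A649272155704072854375CF25CA874662D1116AB4470486C5C9"}
{"EventID": 8, "SourceImage": "%s", "TargetImage": "C:\\Windows\\SysWOW64\\explorer.exe"}
{"EventID": 22, "Image": "C:\\Windows\\SysWOW64\\explorer.exe", "QueryName": "server111.zapto.org"}
{"EventID": 3, "Image": "C:\\Windows\\SysWOW64\\explorer.exe", "DestinationHostname": "server111.zapto.org", "DestinationPort": 100}
{"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"EventID": 3, "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "DestinationHostname": "www.msn.com", "DestinationPort": 443}
""" % ((SAMPLE,) * 6)

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"[{h.attack or '-'}] {h.rule}: {h.detail}")
```

The Run-key rule deliberately requires the written value to point at the dropped binary, otherwise every legitimate autostart entry would fire; Policies\Explorer\Run and Active Setup StubPath writes are rare enough on an installed workstation to flag on their own. The DNS and connection rules match the hostname from this sample's extracted config, so a rebuilt CyberGate server with a different C2 needs its own indicator; the registry, file-drop and injection rules do not depend on the C2 and carry over.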

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

          Filesize

          222KB

          MD5

          4afa223f16032a16b66529866b02bd14

          SHA1

          1666588ec77c44b15889ff6ad778144b3fb358af

          SHA256

          a626e9b0ac7cd23951ad496ff9b07be0f6a9a3e24ad2f70e18a2ae75e5481496

          SHA512

          8b61fa355fbd7536deb630c0c5e1aa1e38ca296ebbf7afb9fe5319a42b8f5913cb0f187e2e345a1614542be4b60d6f885642e80fd16b00b9be45e42da1db8d7a

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          837859bd9c291671b62215a1df86a180

          SHA1

          af4898e5ef91ea5a3f36aa1b5028a207a018e9cc

          SHA256

          dce010fd02bfa3b6b7d513fb5dc7f3d74b7fb66b315852be1eb0f3bd56a55c41

          SHA512

          b051cb0bf0c262db9b9bbbcaafc1f98c8232d5efdd4cf9fdd4868f84a1497c65a7972c62ccdf8b806f90bd42e5716a3262545f2f26fc153c8feac08dc1fc62ea

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          18541147fe4253ec740b296263437821

          SHA1

          a3ec88344dd307366c61daa7d5899471bd5a9768

          SHA256

          92884a3508b44742fb126c4f551d232d29f20bf78668f438f5a5e1e93b7f4f3e

          SHA512

          25b6809e9943420b585477ceaa08fc418fab545c40b2a8b88455b7b15f8a0c8df07db02fce3b376cdecc197b2d52e4c3d9c7c41af8ca9f01b4a3bc08fdd2afb5

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          0a8d4fbe5c978e6b32eafff0d29ac904

          SHA1

          72e01a99512aa56170f90a3831587715765bcdb6

          SHA256

          9790987340cf505cb2054435f0ca090b8d33e827324675e23235a2f33ef6d185

          SHA512

          e119682d6dfc1d0fc59bc207db9142390d86e7bed0013e8b8c39cc71f0cd06b272bbef47f8e3fbfd26f2cc9c6302f14883a36328de44213ada3f7b6ea89ba45a

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          effebf1a74ecdeecfabea78edc32f154

          SHA1

          8cef9455087434e40dd8bd18e120e2ad09f65d9f

          SHA256

          8172d1761797a2723ed2044cfa14325530b671ba34c3bedf002ccc16815949b7

          SHA512

          df0d03bedd3e1a4487933c065abb5a4d05d6653affe1952194a50e3108fc75b28a3be1c476566372c7d5db0b69ad86075ba799def7ad5ae15dff491e9b60b1da

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          595ba09f2da22dec7403705aaf6ffa97

          SHA1

          c9a57db7417633ea581948303b3496d98658401a

          SHA256

          847e8e3481acbd0ccb32ce481168c5659e4c351bfe635ace9352768dea9837cb

          SHA512

          63b0185193fee59de8f6822dea06355c690fd74fb219536c1d13989946772b46635a5ba15a2cdf7bf4ea22135783530b8811bb17fd155eaf3069ed26e8bbe9d7

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          7968fda4fa932bf5309cf2ac82b63cf7

          SHA1

          8f2c3b6071bf11cc110a8a8a2937464557e4a0c8

          SHA256

          b71e7bedbba8d6b7ff03c12e24292342df93c4fda5e02a5eaa5b7f391466d1f2

          SHA512

          f36219052f5d85e4f39e35a8fd84cfab657d3ba5f4a7c629a180c72abe5dca768b19034fe63afff9c8e0ece59315a921e3024b37ff559c728149d3b7df5ef721

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          61fb1244a55b8747ad533b3f01028d35

          SHA1

          cbafad79f9fcc4fa0e06ada9d4fdf2d0f21ddf11

          SHA256

          bb70b1dc0813504fa1866d4b3c0e9274e4acc35ea0baaa95503ff0e48d946783

          SHA512

          cd7dd8b8f9cf7cfa791f60aa32b7984346c50d8e3ca581c27926919a168d0dfaca331d62c16c5a1a0e7ff3091730b3aa520eac15a5e7184424c513586f875cbf

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          1f435515ddbbd47ca28f24e1bcad5118

          SHA1

          e9c14ba11de7588caedcf7c571b9d5a84087f75d

          SHA256

          0397f8cf76ed666be22891c9f3f039f0e353f22b29971bb60fefe68ade004569

          SHA512

          d4d7a20aebfe32d84ab7155151f024632de8d0f91414ef27c47e60279a8a9318ce47ad9aba32116b3f5e20321cc377790b9abc5b9357bcdeb3add8eeb5d11421

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          8d184bc3bd6106a13e1e468b938e41f6

          SHA1

          c0995989c548a18fb605c6de3695eb6d76e83a11

          SHA256

          1e003c951c92f54b2d9f3145366db86d823703f14ec97b2d7947abe25860c93f

          SHA512

          41a33df185761dad1e4cf286cf4da981db70a3aefe19e827aa4d49f6e6a937094633a15a21a5e16e15a2c43b57e73456e3548eb1628849c8ee29fb23a8f80d1a

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          a1f2fbdef616cd03612ae8b90b42cb40

          SHA1

          7e73d383b8d2d5afe593a2634a34339dbadac998

          SHA256

          a614bbe3e4b3a0f9291cac1d99a732144d849bbbb6b5dfb1d2eab185acb2e205

          SHA512

          d9e24220841b74d15c252e948a22e343429b1c7364ab4af89d27e1438bcf4835abe73e06a05df89562d49cd924023ff2fd187955727d00afc1f1eb0124cd6f69

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          51532b9ee1959324173532e903d30a5c

          SHA1

          dc08ccf97ac8c1f25ee101a47600365cd10fcd05

          SHA256

          2015930ce44c35fd7d43648b6eb3715513d8874b1d63112eea39695a64b45792

          SHA512

          85944f40b073dacb91c0252cf6794f49fcd2f1be375ac24ad4becf881494dad89d4f9fb4e030966a68905c944fb91d01a6f55974462167a2ca66747af014cbea

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          6dc42cd6f5e888a773382a761b409cf0

          SHA1

          6362c110c94cf1394c384bef37b41adef2ebe3ef

          SHA256

          05d1cf00dfcb97af7523e89426821b0b565e5bc176072db3a2d7ae9048ca2df0

          SHA512

          45cd1d8626754a63a128e5ee795196a4f46d1ea7d968572674061ae85f3ad75b8965b276cf3f72598b9baeecbccab9e94b2a7d7117f54798fecc15ca1f6852b1

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          ec2a7edb747e9f09ef8d5d8f86900488

          SHA1

          7eccbb65e66cc4d14b4b3d0c925e695f7930cec9

          SHA256

          d5b38f47443ffc735620dd640efa3a38096f6f931656f113d4f14cc4cb3be197

          SHA512

          5ccfe9f3c8215f4b98584347914f818e7bdc35d71c17ea7b86dd134866ff506e0b89a917efcdc9e9ef52e2615fcfcb43630f08a261e5de1848daf7b8693d3bae

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          5562ec3f95fe90b5b80b0223416682bc

          SHA1

          b50b201427589ed5318b5f52086afe62c10f5626

          SHA256

          323372802dfe1dc1b8857074b7601c37028b4abec74adec317ee776a66b4d104

          SHA512

          20e591e99a451f423aae62bfcee24deeac69acd63a00a6e392e88eb77d2ac417432911eb58e70d6ef7169bc45b59b5e9c04e9e6e997c4e55cbfe748fa053c6e9

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          f9fea3934298445eaa738fd35cb79539

          SHA1

          aa2c566fabeb00d260818071cccfe0f7a44f0604

          SHA256

          5726942d689018946d812bf68df06a901f1458947d289b2c8ac40820eef60b38

          SHA512

          8bbc74985a191d13d8df0459bdfa4e0bbe6fabc77ef266091cb91da6c318f03323b48732408514b28f325907c5f7dec78d14de02ab41586d812b5e96fcd24584

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          0ab508821d9e57ceab16f252d022289b

          SHA1

          55070a7a5fe988a0397495655c4b1569bf3a0feb

          SHA256

          5709e446ff6741a7d2c811a67ca522ff1777d59eb28af49c26130290698f96fe

          SHA512

          ec4e4c94140d602aadf823d395d79c63ff654cc76b9f5f2a332c4a8ae611331086faba98ae13229d8775a074d388425eef26e0330aba211e94e0f27c47db1093

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          2fe1b3dfa927d221fed4a8c8292d35ca

          SHA1

          75f3a7f4a1028b4fc42e65e7b5537e84f0a316fd

          SHA256

          aeb803abb6f97f03df34b6edbbde9f221e61fe19a3670ac8cb330e3263f4bcbc

          SHA512

          5a37fc513c40301bf9e6ff87b7c35161011f91fb4b7447d4b3b7b95118c44b750b8392e2b5b0f19aafd7db86d7d950f2a7ba86c2375a7c7a5fd891f7c1408f0e

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          e5ce4c830d873378ebb0729a6d2f8e96

          SHA1

          0a2a28ab9155b9a2c2760d9bffea8c6afcd053a7

          SHA256

          7f9675a9d526d451707faafa0309d99c7717ef5db822357d40762a9c47b3793a

          SHA512

          86ac8390dfa42a6ccf38d06bb77feea98cb790b549906d7a0078ea9c7f79b0fe450626cd7d695757b33a17ba073f6fd79f9fbd9fafd66dd00cbb03b420057c8d

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          ae4a8c74bcc5c47a4daf2e8f17302262

          SHA1

          6bfd2dc955df36b695e713643df45795641c57b6

          SHA256

          c5faa1a46ca9e95f6ac4568ff61f02626c731669c2ed0490fde4e071d6ef95fb

          SHA512

          5c78107b1874b3d5f63a63879249fcf475dfa501355d945a8ddf85d72ba748c90527cac215e4d9e2b504f04e89be889ab81df340b69adafc926eb5ea34c67add

        • C:\Users\Admin\AppData\Roaming\cglogs.dat

          Filesize

          15B

          MD5

          bf3dba41023802cf6d3f8c5fd683a0c7

          SHA1

          466530987a347b68ef28faad238d7b50db8656a5

          SHA256

          4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

          SHA512

          fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

        • C:\Windows\SysWOW64\rudll\server.exe

          Filesize

          283KB

          MD5

          dbcb6ce8cd611d2f325902be00b7bc7a

          SHA1

          4485e20149d54b24aade15efeb789aa4ed395cae

          SHA256

          436232240571a649272155704072854375cf25ca874662d1116ab4470486c5c9

          SHA512

          a0ebeca67b32f8e9394cae8b112632a20267321fd2c74c9a78df6e812b0a8abd5ae1c43f115191e12abe57fab24901318fcbad514faf183c2327759ef9e6096b

        • memory/2312-63-0x0000000010480000-0x00000000104E1000-memory.dmp

          Filesize

          388KB

        • memory/2312-6-0x0000000010480000-0x00000000104E1000-memory.dmp

          Filesize

          388KB

        • memory/2312-2-0x0000000010410000-0x0000000010471000-memory.dmp

          Filesize

          388KB

        • memory/3436-138-0x0000000010560000-0x00000000105C1000-memory.dmp

          Filesize

          388KB

        • memory/3436-160-0x0000000010560000-0x00000000105C1000-memory.dmp

          Filesize

          388KB

        • memory/4532-68-0x0000000010480000-0x00000000104E1000-memory.dmp

          Filesize

          388KB

        • memory/4532-7-0x0000000000F90000-0x0000000000F91000-memory.dmp

          Filesize

          4KB

        • memory/4532-158-0x0000000010480000-0x00000000104E1000-memory.dmp

          Filesize

          388KB

        • memory/4532-8-0x0000000001250000-0x0000000001251000-memory.dmp

          Filesize

          4KB