Overview

overview

10

Static

static

3

eaa1e56520...18.exe

windows7-x64

10

eaa1e56520...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 05:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eaa1e565206319fcfa8ca690de786e79_JaffaCakes118.exe

  • Size

    488KB

  • MD5

    eaa1e565206319fcfa8ca690de786e79

  • SHA1

    809dc122fc73a847fe29dc43b1d00041424e8654

  • SHA256

    0aeefe914a443c0ed3f831d8c82e430e0d015d18bfb9de19eb8de7d627a1051e

  • SHA512

    0584b865d372bc80b329095b2182b2d9694cf00180020eb93d70ab93e9939ab2fff1a345e226504bb9474218bc09f9aeec44c4c7811443d16dfbc030dfb451a8

  • SSDEEP

    12288:7MsSZqixHCUXsRHug2b0y7H2gK9/l9OENuWqqt8IT0:EZq9xVR2b0y6xhrMqtU

Score
10/10
cybergatediscoverypersistencestealertrojanupx

Malware Config

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eaa1e565206319fcfa8ca690de786e79_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eaa1e565206319fcfa8ca690de786e79_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
        PID:836
      • C:\Users\Admin\AppData\Local\Temp\eaa1e565206319fcfa8ca690de786e79_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\eaa1e565206319fcfa8ca690de786e79_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4440
        • C:\Users\Admin\AppData\Local\Temp\eaa1e565206319fcfa8ca690de786e79_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\eaa1e565206319fcfa8ca690de786e79_JaffaCakes118.exe"
          3⤵
          • Checks BIOS information in registry
          • Maps connected drives based on registry
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:1336
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 676
            4⤵
            • Program crash
            PID:2824
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1336 -ip 1336
      1⤵
        PID:4860

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\jI82l\PCGWIN32.LI5
        Filesize

        2KB

        MD5

        d8dce68285998dc44797e26852cdd2d3

        SHA1

        427623c0583b3187ca8583c4d55c3f78c92644d5

        SHA256

        31b1d9652d40121b9645f9bad990c467f3646671254f68fa3361a8634c50bf08

        SHA512

        d0c2c9b6f5da2fac1960e1fbfc22ca1f80c68d711fa1d6bb4293491046f0fca01d2fa269983b652814d6c6c3e6fe2b128b7fd352bed2ed1d1ca9fab64a4b0066

        Download Submit

      • C:\ProgramData\jI82l\PCGWIN32.LI5
        Filesize

        2KB

        MD5

        b58d3550968ec83c8c520603fead0ef4

        SHA1

        84f94c6ecf488bed02db3f55e538d3efbc35ecc1

        SHA256

        b6896967d88e8a9ec7df7239407321c2388c2549db86a33d1c453cb6e3fea471

        SHA512

        cc7d3b9a3055aab6f618d18933a4220915c976d4d056bb802a88aab0d1636c68bcab8e71d4400853143672d0b919f56282f0bdcce213cc7fc96a5db384c8aa92

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        222KB

        MD5

        477dbfb5be56439c4097f7718e1f5c6d

        SHA1

        b85861174809b10568246f9e2440e6d9c9b2f27e

        SHA256

        b0d44459f59f1e62a48d1c91ca39473dd448b6b625cb1ac293273397dca68820

        SHA512

        50028e435092a494362d95e82f9e944f279ed2b33e6123695a62da9f50ac352eb4e249de277b3740cf4b381d96d04a8c3b7c7a32cd859ab7b7779c9009ae6e15

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        5ec8cd9ee465e9d48ceac04b74fb65ac

        SHA1

        90a6ba8c83744bdebcffb91886ec39567f2e7e79

        SHA256

        4f41a1472b0940595a4c2fa6f360e847f3aa53ca6d4154d8655ec37043c7164e

        SHA512

        e39d588feeda92d9a7f17e1b8751cd3b167cb51c42f9468ce9b8eb7e299e5c2b40a156d3c7014b897108fe37e7d8eb0793716ab743c9b31bbe140a03337c2c61

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        a1060668d52559008b46912c12312f90

        SHA1

        2e556d5dd4b920be8e9a4e27f2e955f74c481904

        SHA256

        8553898c44ec06b1fdd6de349d9d14eaa0b7e0d3e0f5a4e3b9a1c802d9960692

        SHA512

        8d73fd745b468fe4f74ba5b7e5a6966f36987330a42ce46568170fe6b41491434267321036dcf554b62e6e4da07a47561117ac4d75adc79d812b0aba7a1dfd59

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        fafd11216ffc4ab8e1068b50b4364596

        SHA1

        d9ef99d46ead2289e113b24069317711a91e9336

        SHA256

        9d7eb519163dd6bb1538b9e731e3c6a7eec0cc4e513a13cf65feaf5bf7875ed5

        SHA512

        7c634c84435b11c6405d369ba46d184e97a4631aca65d1c81cd98499c389f53fe2ab2472505185e4ddac3a3f3fe0c45218fa2ba20ce82eacade160d726bb6a4f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        c9f8bc1c902c4325aa510d494a8b293a

        SHA1

        8ae638406df74c94b2d3186c462104b08f8805f1

        SHA256

        d035997cd0dd1e7e7474936e991191c91a275a5fa7857791707a49b5b1ccd8cc

        SHA512

        6af6168499553a79b41bd0a430829a1bb0cec3fe08f00363fcd85a313edc6dbf45f5d34dffeed436e21163e4f0b6e2acc2aca0e8c227168d52c138f3c8543125

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        bbfa68a2aec55eb6198e778dc72352b6

        SHA1

        bf2d84bd2fe8ae5442b09aed7d6ecbded4274ab9

        SHA256

        6407fe2637329f61e6c8e4eb8ffa988aa69c03147152e5f6d96a8d407c4d30f2

        SHA512

        3749d5ef93676bcc3bbcab78d12d52ddaa841d20d16daa98ecd02a13f07b7d52ad10c035a2e301fe4025af78a1b2161b3c43b1758897fc012ee718a39d5e0b07

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        97a4f6fec887599369e804438f8e6f8f

        SHA1

        20ec9ed6c1d4359ec56036cdc100bb2e824183d7

        SHA256

        30ab37541ce55bc965e9c4c72c10d2d1e36a13d9c9dc3794ec3e04d26067d5ad

        SHA512

        38807f47b1480a9359ec9075cba321a359bbade015518d08dce814fa23f1d10188d1f41f4cd6470c9791296b70ecc8b5eed7e9e61ff5c1836aa31b7ab58283ca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        03ded8d2307f569044f6a9fee3fde559

        SHA1

        2dd0b2ad65351f8dfdb7cf60e3c7cc16d0531275

        SHA256

        fc934ec490fb5169304079abac9bbcde07aa513c26535c47688f3b2550aaea13

        SHA512

        49cbf65471056d36e9b8f2eac556b1c591f5d69c5a5a23460708f1d590ed79a118da451154761d8d2f9f015d3d3d43af30da295f3b757ee09c140ea82a878325

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        a67fae26fb41bb396e91beccb13a933e

        SHA1

        8259e11bac2b0af75add1555f36d9c9cd0a7d928

        SHA256

        36c5d13e30df652526228a528f797025158dcdd9b8613732a55659c37d2ff78b

        SHA512

        2a8cc1aa6f410f7c15e70eb026dd2a801175c8890df8b9a091517019f1513b291f6d14e7d9979eb99783fac181fa47bb59bad470a349b844dd459caec2835ef8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        6124b3fd1c19411e53429973a78d857e

        SHA1

        4eaa466e786aa949a4d6d15b520ca3f76d8f1a43

        SHA256

        2144dcad660be920edc09a71a05c9154f0ece9cadb9b4830640bfdcaf54fc13e

        SHA512

        4640108f125cb6b0c7b754bd898d60bf2b35ec72d690ccbf42d4fd02903bdfc0bdee7a3888cf46a81cd709650e5c324727f7dafcf1766a420a9a6501432337df

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        c6c3779cd48dfbf0201f8b5fbfd382ab

        SHA1

        98412a5d3f423c672208b75c81c1fed03c29a93f

        SHA256

        fe238b5ebb93c3d79b4e1bd6df100045d3c226de3376ac780be23408f6842d83

        SHA512

        e228e9674760dd52a3fbd6528471da40c246548712e8cdb1d5b96e5b126ba73b1cac6b32d48610d8ca3565169f60ec87cead9933d740ce15e16eb8bd8f697995

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        43b2ecc84bc8fd00c910cc12231dc889

        SHA1

        de7e59d14a32c9588c86a28a50e61be177fba322

        SHA256

        3ff92a9ee5c449c99b8945881822952029761dc9342e1f42b64ea825af1bbe41

        SHA512

        68f94519815e3776c09e3d317c260e9335a2f6f0544da696c1d6b26f9753a2a2294a5b51ad12938a87eedd032af47246ded0fc6e796477e7d2c703f8b1d6e444

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        69587e71b84dcf4875c82b10dc094714

        SHA1

        fcf276a7c92e3ffb8a82ae34d249170b67f4f87e

        SHA256

        a992142ac197ef30d90df83c112bef8b7aabb36aa5bb56691ea7ade9234b3e8f

        SHA512

        fc2235afb94a1b4c11e4190adbc86a1b4a19a189bed8bd5c827881e0e5b77f62a5b3322fc2844ca05d62e46594528502be754326bdb3a88a3c28b72e76dd2af2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        e6d2187f875ff830e405ab6fa770117c

        SHA1

        38d4f8e429cdbd39e83a94a03906617953d51fc1

        SHA256

        e5ab053701e87f5f15a7c20e521c9b2a14a52b503e14cc684bb332aa0fb17855

        SHA512

        33d8deadc64a2a8ed812ae1ca2e65ade477e2885777a2c40763ec971c2cc380653d262f125bf6d050a419d9423e7a64ae1a0e0e94018477d4c565d433b6048f2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        a2b7813acf0ebbbae84a5d17447c7598

        SHA1

        955b7c7961bc420ee59991071ea99555a4a08c51

        SHA256

        d610253fdbeaba847db7bb10822f8eca78c73b65c393defdeb2790b193bebe1c

        SHA512

        22f98fdbdb1178393c40fa3960204e83a6db0a535096179e64e061f630433284d50a4ec56a40aa5e93c0dd54e385ed6b867dcd7122edabdc7c111d30d012b922

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        29b77e350b6b9d0234f75af62b5774e2

        SHA1

        3d7a61839f63c545caa9ac91dabf3fa458d2c885

        SHA256

        c479f2a884eb5975f4939b46840fecc30f8cf06abff2c0c63f36b0641ffc7459

        SHA512

        63d13dc3b7e551210676663380e6671b714054020958a51b28deb7987b637adedd0f28da2c7d5e79068ea4d300ceb26272113e463a6051b41d1fac607a67c2b5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        88ff395b89f6cc843d4456a76545189c

        SHA1

        cd77fd3f5d146abfb66eb7b76583f6504e77ea87

        SHA256

        01a9f33254dbc00e83fa9b7c130558d9419e383b15aeb8a7be2a26328c54f7b8

        SHA512

        982a2ab64cf1b50a512af39fdce358a639a1601cffd18aa5f500aeda3f309be7113af4fd6d4fbf3d0aacad734f730f603b8aa53ee99f9d4f1716a315aa040fce

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        3f386b2da9d0abd5f51c290b877d2e92

        SHA1

        6f04f34051e62e10f0f04d84fa5aeb9c2b293290

        SHA256

        6cfbfcb72dfbea692d230fd9fbe31e78851ada2da1935bb543c8c693a2ea20df

        SHA512

        9143793a4f181d6b4c800bb69f540be3d58f68865ee0c197f6a058f2baeca29108d09256b17be3420c1ee8d596b6863cc9bc2fb127252e6c627c189b854eb750

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        794131b25359e75483fcbf48439c1a7f

        SHA1

        7a4313dc0c772ddac59eeb32e155edfe0059e9c2

        SHA256

        34355e937180ec58964ceacdc1b43de261532f54f8da03e62c51c1cdd47f0545

        SHA512

        0cc53ac11a537beda2051d474c1ecd7dce55cd859a269ab7922644c88626be56f7b6cb1398c643ffb882455ee48941fcfe8fc1d22f14db2d1cf51269e5d6d5a8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        464bad384edc30afae351bbd30c4d4f0

        SHA1

        79e84e94a5f9357ab5348b3817c47747b212f402

        SHA256

        d80fe90da81616c507da2e2b5a8e59e2b1bc22c852678aed92c9481f5ecc60c6

        SHA512

        e4ca19a3fed6b122bbdbd1efc366c7bb6d017b31bff26d43a9dc4813992afadae0b41e75fc5db8a23d48f354442edddf2db2c9110fb1f33c17ad03c5acae477d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\cglogs.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

        Download Submit

      • memory/1336-108-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/1336-107-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/1336-118-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4092-1-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4092-21-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

        Download

      • memory/4092-81-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

        Download

      • memory/4092-0-0x0000000000401000-0x0000000000403000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4092-40-0x0000000000401000-0x0000000000403000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4092-39-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4092-7-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4092-87-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4092-4-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4092-6-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4092-18-0x0000000010410000-0x0000000010471000-memory.dmp

        Filesize

        388KB

        Download

      • memory/4092-15-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4092-2-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4092-3-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4092-5-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4440-84-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4440-23-0x00000000005E0000-0x00000000005E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4440-22-0x00000000001E0000-0x00000000001E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4440-25-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download