Analysis
max time kernel: 147s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-10-2024 02:42
Static task: static1
Behavioral task: behavioral1
Sample: 2960846e6080ad7fa5b7d174799df74d_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 2960846e6080ad7fa5b7d174799df74d_JaffaCakes118.exe
Size: 886KB
MD5: 2960846e6080ad7fa5b7d174799df74d
SHA1: c591249a2be3f985afd05b63d0dfc69c4ced3bbd
SHA256: a85ea87b1c76f1e80318f5d0624e7ad80562ca511cd574fea89043f0c9c6a5b3
SHA512: aa5d090ee79fd34f2c8f5585d50f8951590a03327ab9a849f48794174ddbeb34a6ea1a4b82dc2f6a23d1ac643bb26ace842c1db53ec9d7f15cc9c75d610c12e0
SSDEEP: 24576:S81EdVcV1cJkv0BisK2pNokiJW85+oCZWVWXF7uLW:SZzBKC6kiJD5+oCUVWXFCLW
Malware Config
Extracted
Family: cybergate
Version: 2.1
Botnet: vítima
C2: felipebm795.no-ip.org:81
Mutex: ***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: abcd1234
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | erro.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | erro.EXE
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | erro.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | erro.EXE
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | erro.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart" | erro.EXE
Executes dropped EXE (3 IoCs)
pid | Process
2676 | erro.exe
2828 | erro.EXE
2608 | erro.EXE
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2676 set thread context of 2828 | 2676 | erro.exe | 34

resource | yara_rule
behavioral1/memory/2828-19-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral1/memory/2828-21-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral1/memory/2828-26-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral1/memory/2828-24-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral1/memory/2828-33-0x0000000024010000-0x0000000024049000-memory.dmp | upx
behavioral1/memory/2828-37-0x0000000024050000-0x0000000024089000-memory.dmp | upx
behavioral1/memory/2828-30-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral1/memory/2828-29-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral1/memory/2828-28-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral1/memory/2828-295-0x0000000000400000-0x000000000043C000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2960846e6080ad7fa5b7d174799df74d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erro.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erro.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erro.EXE
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2828 | erro.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2608 | erro.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2608 | erro.EXE
Token: SeDebugPrivilege | 2608 | erro.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2676 | erro.exe
2676 | erro.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; the occurrences column gives how many times each row appears in the 64 entries.
description | pid | Process | procid_target | occurrences
PID 2268 wrote to memory of 2812 | 2268 | 2960846e6080ad7fa5b7d174799df74d_JaffaCakes118.exe | 31 | 7
PID 2812 wrote to memory of 2676 | 2812 | cmd.exe | 33 | 7
PID 2676 wrote to memory of 2828 | 2676 | erro.exe | 34 | 11
PID 2828 wrote to memory of 2800 | 2828 | erro.EXE | 35 | 39
Processes
C:\Users\Admin\AppData\Local\Temp\2960846e6080ad7fa5b7d174799df74d_JaffaCakes118.exe (depth 1, PID 2268)
  command line: "C:\Users\Admin\AppData\Local\Temp\2960846e6080ad7fa5b7d174799df74d_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2812)
    command line: cmd /c ""C:\start.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\erro.exe (depth 3, PID 2676)
      command line: erro.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\erro.EXE (depth 4, PID 2828)
        command line: erro.EXE
        - Adds policy Run key to start application
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\iexplore.exe (depth 5, PID 2800)
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        C:\erro.EXE (depth 5, PID 2608)
          command line: "C:\erro.EXE"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
File 1
Filesize: 133KB
MD5: b40af310f1ea6ab267839396cfc3f288
SHA1: d195e7622ab88334dd6cd17c12f160a9b53da8a8
SHA256: 7ef9af800140c377d35a2989a1e1b0d9c8832f35e50aed5e3d48ce70bc406ac1
SHA512: 61fc6009525a8805fd4f2a0562049d821007804ec8ecfec44c461b5dd049f60c5f68afcd917ca8b5ccd91fdf3f06f2cd54a4d50581a15ab663887b169e5d5808

File 2
Filesize: 15B
MD5: 86f3c87caff4d7973404ff22c664505b
SHA1: 245bc19c345bc8e73645cd35f5af640bc489da19
SHA256: e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb
SHA512: 0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

File 3
Filesize: 795KB
MD5: e06f506e5b3bbf0e6992f1e40ab2d30e
SHA1: 5225946a1a795f44b4919a3cc732e4719f0e088d
SHA256: 6b944586c6d12115c36370697c9077c3973915182feb18394af8c175e8436afc
SHA512: 7a26628cb0d7d8fb725c370d1cc8f411f59cbe97a1b28cdc12d6da0047da7d4cfb3fef4cb2bf0b0cf3cb67dd18b2ecd9e2dbb2ef97adb5d5a17ecc19e0f1f0ef

File 4
Filesize: 14B
MD5: 4d893d367926b3eacb7bcfe5696afb0f
SHA1: cdb19a16b6247403ecc048b537aa7c196dbc9e68
SHA256: d2b0af95cb34add3051f9925abd8731482197b520ef4d9982023e746036eedf3
SHA512: bc12e5c441c3c4ffe96de0efcb96ec831fb40520653b514495d50aa769b839f411c1cf00b269d94e358f36b57c01071a5e0cc6ce73f12bca4513f3ca20abb1dd