Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
03-11-2024 13:39
Static task
static1
Behavioral task
behavioral1
Sample
8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe
Resource
win7-20240729-en
General
-
Target
8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe
-
Size
428KB
-
MD5
8bc27496c7189e9ea5ae88a018f38894
-
SHA1
b5b93df1532147e520297d000cef7eb45e6b076e
-
SHA256
5bfaaae7b70020c9c4d71b8b092202ce88b9a54770b27152ca8bfa7c4e4a726c
-
SHA512
4a9c356536bdb874a740bc845c8250a76fb8f4d7c7aa114dcc084d70c3afa368f1b02c789f3a40d77ce135dfe2ecfab90c84ee960a5108edde3494da2c95ab56
-
SSDEEP
12288:sQVS36f8ACc1OrIVpxIUkHVg96k6xjvckn:sjCCcorIfpwjvc
Malware Config
Extracted
cybergate
2.2.2
victim
mranarchist11.zapto.org:81
***MUTEX***
-
enable_keylogger
false
-
enable_message_box
true
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
start.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Start
-
message_box_title
System Report
-
password
srd3m4nta
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Extracted
latentbot
mranarchist11.zapto.org
Signatures
-
Cybergate family
-
Latentbot family
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run vbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\start.exe" vbc.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run vbc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\start.exe" vbc.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YI7E7HNU-GDXY-T38W-P513-J071002E5L00} vbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YI7E7HNU-GDXY-T38W-P513-J071002E5L00}\StubPath = "c:\\dir\\install\\install\\start.exe Restart" vbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YI7E7HNU-GDXY-T38W-P513-J071002E5L00} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YI7E7HNU-GDXY-T38W-P513-J071002E5L00}\StubPath = "c:\\dir\\install\\install\\start.exe" explorer.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\start.exe" vbc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\startup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cr.exe" 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\start.exe" vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1664 set thread context of 1996 1664 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 31 -
resource yara_rule behavioral1/memory/1996-13-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1996-12-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1996-17-0x0000000024010000-0x000000002404D000-memory.dmp upx behavioral1/memory/1996-14-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1996-11-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1996-8-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1996-5-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1996-4-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1996-680-0x0000000000400000-0x000000000043F000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1996 vbc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2504 vbc.exe Token: SeDebugPrivilege 2504 vbc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1996 vbc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1664 wrote to memory of 1996 1664 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 31 PID 1664 wrote to memory of 1996 1664 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 31 PID 1664 wrote to memory of 1996 1664 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 31 PID 1664 wrote to memory of 1996 1664 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 31 PID 1664 wrote to memory of 1996 1664 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 31 PID 1664 wrote to memory of 1996 1664 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 31 PID 1664 wrote to memory of 1996 1664 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 31 PID 1664 wrote to memory of 1996 1664 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 31 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21 PID 1996 wrote to memory of 1200 1996 vbc.exe 21
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- System Location Discovery: System Language Discovery
PID:2576
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2600
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
140KB
MD5a73fbabc4105c3688d2d1ad0b5a338b0
SHA1116fb275f4a1532182a454a0a13c192a637ed77c
SHA2564e2de398559710f2feb8b655ace65c46059838c1e45a5afc6a9e97ac39fe801a
SHA51266fbea109776bff011a0f4773cc83861308e2bb26e0684a73fa0b7bdcbb0f79e027341f80a1a8f4da5845b216bfefaa2f064f728cd1ec2036465a3d9babc61e7
-
Filesize
1.1MB
MD534aa912defa18c2c129f1e09d75c1d7e
SHA19c3046324657505a30ecd9b1fdb46c05bde7d470
SHA2566df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98