Overview

overview

10

Static

static

3

8bc27496c7...18.exe

windows7-x64

10

8bc27496c7...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe

  • Size

    428KB

  • MD5

    8bc27496c7189e9ea5ae88a018f38894

  • SHA1

    b5b93df1532147e520297d000cef7eb45e6b076e

  • SHA256

    5bfaaae7b70020c9c4d71b8b092202ce88b9a54770b27152ca8bfa7c4e4a726c

  • SHA512

    4a9c356536bdb874a740bc845c8250a76fb8f4d7c7aa114dcc084d70c3afa368f1b02c789f3a40d77ce135dfe2ecfab90c84ee960a5108edde3494da2c95ab56

  • SSDEEP

    12288:sQVS36f8ACc1OrIVpxIUkHVg96k6xjvckn:sjCCcorIfpwjvc

Score
10/10
cybergatelatentbotvictimdiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.2.2

Botnet

victim

C2

mranarchist11.zapto.org:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    false

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    start.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Start

  • message_box_title

    System Report

  • password

    srd3m4nta

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

latentbot

C2

mranarchist11.zapto.org

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Cybergate family
    cybergate
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Latentbot family
    latentbot
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            PID:2576
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2600
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2504

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        140KB

        MD5

        a73fbabc4105c3688d2d1ad0b5a338b0

        SHA1

        116fb275f4a1532182a454a0a13c192a637ed77c

        SHA256

        4e2de398559710f2feb8b655ace65c46059838c1e45a5afc6a9e97ac39fe801a

        SHA512

        66fbea109776bff011a0f4773cc83861308e2bb26e0684a73fa0b7bdcbb0f79e027341f80a1a8f4da5845b216bfefaa2f064f728cd1ec2036465a3d9babc61e7

        Download Submit

      • \??\c:\dir\install\install\start.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • memory/1200-18-0x0000000002580000-0x0000000002581000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1664-205-0x0000000074C60000-0x000000007520B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1664-1-0x0000000074C60000-0x000000007520B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1664-2-0x0000000074C60000-0x000000007520B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1664-0-0x0000000074C61000-0x0000000074C62000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1996-17-0x0000000024010000-0x000000002404D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/1996-12-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1996-14-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1996-11-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1996-8-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1996-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1996-5-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1996-4-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1996-13-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1996-3-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1996-680-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2576-419-0x0000000000280000-0x0000000000501000-memory.dmp

        Filesize

        2.5MB

        Download