Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-11-2024 13:39
Static task
static1
Behavioral task
behavioral1
Sample
8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe
Resource
win7-20240729-en
General
-
Target
8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe
-
Size
428KB
-
MD5
8bc27496c7189e9ea5ae88a018f38894
-
SHA1
b5b93df1532147e520297d000cef7eb45e6b076e
-
SHA256
5bfaaae7b70020c9c4d71b8b092202ce88b9a54770b27152ca8bfa7c4e4a726c
-
SHA512
4a9c356536bdb874a740bc845c8250a76fb8f4d7c7aa114dcc084d70c3afa368f1b02c789f3a40d77ce135dfe2ecfab90c84ee960a5108edde3494da2c95ab56
-
SSDEEP
12288:sQVS36f8ACc1OrIVpxIUkHVg96k6xjvckn:sjCCcorIfpwjvc
Malware Config
Extracted
cybergate
2.2.2
victim
mranarchist11.zapto.org:81
***MUTEX***
-
enable_keylogger
false
-
enable_message_box
true
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
start.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Start
-
message_box_title
System Report
-
password
srd3m4nta
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Extracted
latentbot
mranarchist11.zapto.org
Signatures
-
Cybergate family
-
Latentbot family
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\start.exe" vbc.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run vbc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\start.exe" vbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run vbc.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{YI7E7HNU-GDXY-T38W-P513-J071002E5L00} vbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YI7E7HNU-GDXY-T38W-P513-J071002E5L00}\StubPath = "c:\\dir\\install\\install\\start.exe Restart" vbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{YI7E7HNU-GDXY-T38W-P513-J071002E5L00} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YI7E7HNU-GDXY-T38W-P513-J071002E5L00}\StubPath = "c:\\dir\\install\\install\\start.exe" explorer.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cr.exe" 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\start.exe" vbc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\start.exe" vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2256 set thread context of 4740 2256 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 85 -
resource yara_rule behavioral2/memory/4740-3-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4740-7-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4740-9-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4740-11-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4740-13-0x0000000024010000-0x000000002404D000-memory.dmp upx behavioral2/memory/4740-18-0x0000000024050000-0x000000002408D000-memory.dmp upx behavioral2/memory/4740-35-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4740-64-0x0000000024050000-0x000000002408D000-memory.dmp upx behavioral2/memory/812-69-0x0000000024050000-0x000000002408D000-memory.dmp upx behavioral2/memory/812-68-0x0000000024050000-0x000000002408D000-memory.dmp upx behavioral2/memory/4740-72-0x0000000024090000-0x00000000240CD000-memory.dmp upx behavioral2/memory/4740-76-0x00000000240D0000-0x000000002410D000-memory.dmp upx behavioral2/memory/4740-73-0x0000000024090000-0x00000000240CD000-memory.dmp upx behavioral2/memory/4740-127-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/3708-129-0x00000000240D0000-0x000000002410D000-memory.dmp upx behavioral2/memory/812-145-0x0000000024050000-0x000000002408D000-memory.dmp upx behavioral2/memory/3708-157-0x00000000240D0000-0x000000002410D000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4740 vbc.exe 4740 vbc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3708 vbc.exe Token: SeDebugPrivilege 3708 vbc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4740 vbc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2256 wrote to memory of 4740 2256 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 85 PID 2256 wrote to memory of 4740 2256 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 85 PID 2256 wrote to memory of 4740 2256 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 85 PID 2256 wrote to memory of 4740 2256 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 85 PID 2256 wrote to memory of 4740 2256 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 85 PID 2256 wrote to memory of 4740 2256 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 85 PID 2256 wrote to memory of 4740 2256 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 85 PID 2256 wrote to memory of 4740 2256 8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe 85 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56 PID 4740 wrote to memory of 3520 4740 vbc.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- System Location Discovery: System Language Discovery
PID:812
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:1372
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3708
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8B
MD50bc0689b7dee031660838dfbfaf3a94b
SHA1a77228e8560b445fd8d71427dd4fb8ca5b640943
SHA2565f074aed994eb7a48fdde1cb59b6145ce135946a380bebb524a08b87b0ec775d
SHA5121f60bde4e3a012a655bca9663e2fc73dee5246065c525564c50ee48ca20c133110a69fd931b66b0904d550a4ef87c9f53f36094ae2c240db554582913a3a3b1c
-
Filesize
140KB
MD5a73fbabc4105c3688d2d1ad0b5a338b0
SHA1116fb275f4a1532182a454a0a13c192a637ed77c
SHA2564e2de398559710f2feb8b655ace65c46059838c1e45a5afc6a9e97ac39fe801a
SHA51266fbea109776bff011a0f4773cc83861308e2bb26e0684a73fa0b7bdcbb0f79e027341f80a1a8f4da5845b216bfefaa2f064f728cd1ec2036465a3d9babc61e7
-
Filesize
1.1MB
MD5d881de17aa8f2e2c08cbb7b265f928f9
SHA108936aebc87decf0af6e8eada191062b5e65ac2a
SHA256b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA5125f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34