Overview

overview

10

Static

static

3

8bc27496c7...18.exe

windows7-x64

10

8bc27496c7...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe

  • Size

    428KB

  • MD5

    8bc27496c7189e9ea5ae88a018f38894

  • SHA1

    b5b93df1532147e520297d000cef7eb45e6b076e

  • SHA256

    5bfaaae7b70020c9c4d71b8b092202ce88b9a54770b27152ca8bfa7c4e4a726c

  • SHA512

    4a9c356536bdb874a740bc845c8250a76fb8f4d7c7aa114dcc084d70c3afa368f1b02c789f3a40d77ce135dfe2ecfab90c84ee960a5108edde3494da2c95ab56

  • SSDEEP

    12288:sQVS36f8ACc1OrIVpxIUkHVg96k6xjvckn:sjCCcorIfpwjvc

Score
10/10
cybergatelatentbotvictimdiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.2.2

Botnet

victim

C2

mranarchist11.zapto.org:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    false

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    start.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Start

  • message_box_title

    System Report

  • password

    srd3m4nta

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

latentbot

C2

mranarchist11.zapto.org

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Cybergate family
    cybergate
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Latentbot family
    latentbot
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3520
      • C:\Users\Admin\AppData\Local\Temp\8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\8bc27496c7189e9ea5ae88a018f38894_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4740
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            PID:812
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:1372
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:3708

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\UuU.uUu
        Filesize

        8B

        MD5

        0bc0689b7dee031660838dfbfaf3a94b

        SHA1

        a77228e8560b445fd8d71427dd4fb8ca5b640943

        SHA256

        5f074aed994eb7a48fdde1cb59b6145ce135946a380bebb524a08b87b0ec775d

        SHA512

        1f60bde4e3a012a655bca9663e2fc73dee5246065c525564c50ee48ca20c133110a69fd931b66b0904d550a4ef87c9f53f36094ae2c240db554582913a3a3b1c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        140KB

        MD5

        a73fbabc4105c3688d2d1ad0b5a338b0

        SHA1

        116fb275f4a1532182a454a0a13c192a637ed77c

        SHA256

        4e2de398559710f2feb8b655ace65c46059838c1e45a5afc6a9e97ac39fe801a

        SHA512

        66fbea109776bff011a0f4773cc83861308e2bb26e0684a73fa0b7bdcbb0f79e027341f80a1a8f4da5845b216bfefaa2f064f728cd1ec2036465a3d9babc61e7

        Download Submit

      • \??\c:\dir\install\install\start.exe
        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

        Download Submit

      • memory/812-20-0x00000000010D0000-0x00000000010D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/812-68-0x0000000024050000-0x000000002408D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/812-67-0x00000000039D0000-0x00000000039D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/812-145-0x0000000024050000-0x000000002408D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/812-69-0x0000000024050000-0x000000002408D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/812-19-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2256-0-0x0000000074D02000-0x0000000074D03000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2256-17-0x0000000074D00000-0x00000000752B1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2256-2-0x0000000074D00000-0x00000000752B1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2256-1-0x0000000074D00000-0x00000000752B1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/3708-129-0x00000000240D0000-0x000000002410D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/3708-157-0x00000000240D0000-0x000000002410D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4740-11-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4740-64-0x0000000024050000-0x000000002408D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4740-35-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4740-18-0x0000000024050000-0x000000002408D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4740-72-0x0000000024090000-0x00000000240CD000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4740-76-0x00000000240D0000-0x000000002410D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4740-73-0x0000000024090000-0x00000000240CD000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4740-127-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4740-13-0x0000000024010000-0x000000002404D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4740-9-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4740-7-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4740-3-0x0000000000400000-0x000000000043F000-memory.dmp

        Filesize

        252KB

        Download