Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2024 21:02

General

  • Target

    90a44c50dc408ae462d0132cf7d50491_JaffaCakes118.exe

  • Size

    658KB

  • MD5

    90a44c50dc408ae462d0132cf7d50491

  • SHA1

    846c3f856804f69f9198193c50bdb9ce4111d431

  • SHA256

    e67dbdd16d9f36f1536bbc51cf576c8f35556c208bd5adc6c3b7691233fed76d

  • SHA512

    38b1804483ff01d55b40d25fbafddc7746136c682516b038f5728e10f4d7bd608b70d775b182107d8ef693e83001f98f6fb6906ca975cf82bd0e3c009a535119

  • SSDEEP

    12288:/iSC/HRqEzUjyfTEfrC1LZRelDTBd47GLRMTb3:2AyferC1L8d474mf3

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

127.0.0.1:999

any1lolpwned.zapto.org:100

Mutex

W28V77647VOSG6

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    windir

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • UPX packed file (7 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3416
      • C:\Users\Admin\AppData\Local\Temp\90a44c50dc408ae462d0132cf7d50491_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\90a44c50dc408ae462d0132cf7d50491_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3336
        • C:\Users\Admin\AppData\Local\Temp\90a44c50dc408ae462d0132cf7d50491_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\90a44c50dc408ae462d0132cf7d50491_JaffaCakes118.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1732
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:664
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:5028
            • C:\Users\Admin\AppData\Local\Temp\90a44c50dc408ae462d0132cf7d50491_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\90a44c50dc408ae462d0132cf7d50491_JaffaCakes118.exe"
              4⤵
              • Checks computer location settings
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:412
              • C:\Windows\SysWOW64\windir\svchost.exe
                "C:\Windows\system32\windir\svchost.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3572
                • C:\Windows\SysWOW64\windir\svchost.exe
                  C:\Windows\SysWOW64\windir\svchost.exe
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2640
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 584
                    7⤵
                    • Program crash
                    PID:5080
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2640 -ip 2640
        1⤵
          PID:3344

Downloads
