Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2024 16:05

General

  • Target

    9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe

  • Size

    808KB

  • MD5

    9c8a51cb4d779dc24989313c6fe6f93f

  • SHA1

    5a13e58224c236ae8f9cc388bea00f7857e07314

  • SHA256

    b217b5ea2241fd7e935b1338c125dbb065d3aa4fcc8dbea51caf8d21f03ffe9a

  • SHA512

    96fa838c89a384ec053bed623a890c8f34af0123c52b3aa4358d55aeeb4fbd9b6dc88f332a2251a18ccf5d7fd73807a2c71f69d80a23f50c3278365d3b483415

  • SSDEEP

    12288:IjB29iPCJmRdkR2ys5zUEM+G6Er2GafBWs7K4dDEtWqPHhFFPVW+JiVu+bCI3ZXQ:IsiOVmzBI2LKWq5rPZ6u+bCI3ca4

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

slmendy.no-ip.biz:82

Mutex

27C608CYSY7PWF

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (5 IoCs)
  • UPX packed file (15 IoCs)

    Detects executables packed with the UPX or a modified UPX open-source packer.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:4744
        • C:\Users\Admin\AppData\Local\Temp\server.exe
          "C:\Users\Admin\AppData\Local\Temp\server.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:4872
          • C:\directory\CyberGate\install\server.exe
            "C:\directory\CyberGate\install\server.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:368
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 576
              5⤵
              • Program crash
              PID:5056
        • C:\directory\CyberGate\install\server.exe
          "C:\directory\CyberGate\install\server.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4492
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 592
            4⤵
            • Program crash
            PID:2880
      • C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1260
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4492 -ip 4492
      1⤵
        PID:4624
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 368 -ip 368
        1⤵
          PID:3888
