Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2024 00:44

General

  • Target

    9edcd10eef30eee0315732ac3f22a717_JaffaCakes118.exe

  • Size

    379KB

  • MD5

    9edcd10eef30eee0315732ac3f22a717

  • SHA1

    1c9766b8871a607a9f400e6a276c9865646f63e5

  • SHA256

    4580ae34fdd3bb1b72ab5a734a74356ef68d8df0d1d033334ae966c61fe228e9

  • SHA512

    3168f4068de89333fa12670ff2acff8cebd789c0c627438df75dad58d85bfd6f1fcce5bdfe09b8f07c560856d7b5a33b5c4b58bcef9da171ce5e87263496a2ae

  • SSDEEP

    6144:N6ZxARAW+fYtScitAW9DJ1ECOCHaR4UDFJWo3LU1Zpc3nT3QZ28a/Tk:N6ZzJnF9DJjDnQFJZLwZ+3nT3Q085

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

iconixx.no-ip.biz:1337

Mutex

561ME6H74DCB56

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3428
      • C:\Users\Admin\AppData\Local\Temp\9edcd10eef30eee0315732ac3f22a717_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\9edcd10eef30eee0315732ac3f22a717_JaffaCakes118.exe"
        2⤵
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:512
        • C:\Users\Admin\AppData\Local\Temp\9edcd10eef30eee0315732ac3f22a717_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\9edcd10eef30eee0315732ac3f22a717_JaffaCakes118.exe"
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:972
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3324
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:5084
            • C:\Users\Admin\AppData\Local\Temp\9edcd10eef30eee0315732ac3f22a717_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\9edcd10eef30eee0315732ac3f22a717_JaffaCakes118.exe"
              4⤵
              • Checks computer location settings
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2620
              • C:\Windows\SysWOW64\WinDir\Svchost.exe
                "C:\Windows\system32\WinDir\Svchost.exe"
                5⤵
                • Executes dropped EXE
                • Maps connected drives based on registry
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                PID:4952
                • C:\Windows\SysWOW64\WinDir\Svchost.exe
                  "C:\Windows\SysWOW64\WinDir\Svchost.exe"
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:8
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 584
                    7⤵
                    • Program crash
                    PID:3980
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 8 -ip 8
        1⤵
          PID:4140

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

          Filesize

          224KB

          MD5

          0b2eabc8bc31f5ad7a2205e605aa4001

          SHA1

          273b8cb0b8783fe1e6a3eeeaca7be2a1b0fc08e7

          SHA256

          88d2aa53dfffa4aaba71b317723ae480688c31f3066514defd4d7ed706ba75fa

          SHA512

          a434740c47125ddf17005c080442d5a06d7b65f5a966d3d1cd3d5440381227a11b410a0f297106d5ab5aa74f41672f8e07ad9409a17ff877c31e38101a7d7357

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          d20f549a58aeada187b437c2650720d8

          SHA1

          c71b24d808c2fb3f137f99e229ef404359835343

          SHA256

          314a8c2ce7234e63ca1d9bb8a357d13cab27d10f263b7b6ea270471f022f4f35

          SHA512

          d38519c2278ae8b2c9defbd6945d2a09c06898dc80b265c5d55fa004c1e0e463e5d26e397ad03aa8be5b3a81bfc1e3468352caacb3991797cdd8119e85ce494a

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          8fbe340d1afb07d937701da5b9fbed48

          SHA1

          b0f6b1d4ccd837ee8ba82cf96086afc09da8d582

          SHA256

          1f7fca47e9d607a7b039f616ae700bcfa962a0f87c2ae1817cd49ec10c34139f

          SHA512

          bfb107dd4f2220846801bf076df2ecb6ef476fb6c19e755cc6940d8d2c9cb12cfd0925b925bec0556048a090def213d950cba12f27756a2243f1b1b694ea65ae

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          0a5573ff86e8fd50a45020969f7111f8

          SHA1

          579bf0660d04dba9afa0f8921abdfc168980e0f8

          SHA256

          a46430e0b19def55cb0492df6c62327161453f5d3cec8ed5f819bd21a45b6b9f

          SHA512

          cb7ab97f88d67b6a52b475fa5a18d22b99a177553e211ecadb62637ec3111b23828cd82a0af6333dec4719c1a8c948856f035c852ba566d6206646507aaf396c

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          b5b600086971c724f84b2d4909b3c0b0

          SHA1

          0c07330fe549c30208edd5deb76c43745da5fde4

          SHA256

          d1258c3b972c1f5fb04a0be08222241c431ff2eeecb6b41071b15d90dd5464c4

          SHA512

          3d76e4aa5c0d4acc23ba89935f58524d708f7f9577727f7954a5efabf7be3ed0c4ea1601095e7dd19c0e941c130b9905a00b6fa2df6834b135cee0cbf2351f11

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          2e08430eabefaefd5d51251592fea9b1

          SHA1

          66f838db005eb8b627c3bff091306200716a11b5

          SHA256

          a13cbd96e4bb245161043489ff15203192477f18af41b1eb235186a53a52f910

          SHA512

          0e06d3235d8171ed223202191f57a779633ab7c7207e8e62206004f069c0e8ab26fee30e298083cf2c44db1fdda98b2a356e676d8d3c050646ed8ab4e92eaa2b

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          ec5e667dd9a5693c96bfba6b29bca81c

          SHA1

          5fcac1d4c76997ef7689c9301269b86cb16d69a1

          SHA256

          af32dc5bbbc3cefcdeffa8f84cff60105aed823b3487920ca71f2edde2d39bae

          SHA512

          8d40f165a124b3f6739686efe752058615a295594d9bc8100946e9175b23808c61d478e9672ce406b5363530b8c43abeac257b1bb58b230293ddb26f4a8ea16b

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          e7917a13458a3523f01a7093efa61ef0

          SHA1

          b673153244afcf7839c13566e218b70f0205a9f7

          SHA256

          ca30c29aa8cefa46c756331d28ba03c60420f8f60a06546a297bb7dd189a1a7f

          SHA512

          ff07e774f3f34fe0d103269be13c213800a3098100a8631a626e395d87e112a980f2f65bc68ae9b26f0fe431b23672e0b35ba0ff83c3c223ec10dd876075aada

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          9016d90ac8c2d588f885e1ca80fc0284

          SHA1

          fc4f1d73ad3deb2085cb897d265fb82df3e29f38

          SHA256

          a260599c5440aa9d84bc08e39d137589fe69e9c44b40bd5386ce8a009e297d57

          SHA512

          eac2a4158b0927e859047e3bdf4d9ea95c2f8462b5fab14368e83c992a6657053dbc7f93ff8d0bbeefe821aeebaca01aea206e12a01056bf4d64a3d1123a4a08

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          e8f29c114a76904c1bec56523558f480

          SHA1

          3869da7398f8540c6f37793108b42040832e89eb

          SHA256

          8cf88c8bcd6ecd7b38181d2dc37affc353923fc51d19d483b37c1bd838110c7c

          SHA512

          225d6a98dc630b008fda883aae0244eb9f4db20d1aca4db83f2655d1762eeef45e73baf753e49b1b726eef2a9096ff045ebcb0e0f5198bd44cca43921242596f

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          68c5df824ae4268bf00189e96306835a

          SHA1

          3770f1c7a6e399e2d53687a54c6b4ee5d926858c

          SHA256

          6981f25ae79db5fde8cfe898e23568d413f62ffefa6d576d2f47c516571015e0

          SHA512

          4db728525b92d512d1ad30a55a04e4227d406f1923e5f98cff175fb48fb663678dd8cb1460d0369567215b101d9fb647a06d6e431dd49e1056084c4e7177f2bd

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          6dd24a9964d0c502ee3e0138c5aa69c0

          SHA1

          c352f50f02ea5448e91f5db97782053be2d549e9

          SHA256

          051dd9bc64a3ec6605a7838c6f7420491e9f738b2f3150633cd5871c25227398

          SHA512

          18a1e9452353a60260430179078bc1316d6b74f65d31e7366d1ee9983fc7ba8816f52dc73fadc1ff95fbefb2b15437ac8804de2b56eaedc898de9edc429b3b48

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          b06c3e4e5d0b40fea52865c2d5578610

          SHA1

          7a4d6839181213acc5875ed34d5990ffbc796dea

          SHA256

          e152a2f4b08425e30393402ccee8dd420f21cec80c962e3ebea26d61a33b4ab1

          SHA512

          1868500a1d03c17f0b2029e08091f864668323946fa26fc810e9582ce12847c469d4fc2b440918d31a273d4030cdef2c0554f58653b59310474da94af9e542c3

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          e5c38b389548b17fefcf85d3ba507881

          SHA1

          c429aea11a33a67d546c8a709e960cc4d17b7850

          SHA256

          ccbbdbc8d9fb4150f3fc967d2cab4ba0e9e4810b1a537f6cc72aa9b88927a86b

          SHA512

          4f055aed48107be4cf797cd999117e5b91800de6485f60a007aeb5191c4f916348f2a24d9c0866ff91e066fb33ea98716ce65b32f574e2454b8e76a5a4d34782

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          4fe18d129be8a76253e50c9e4e9b2eed

          SHA1

          44411d5f771362b7a3cd630f70770b1d85531024

          SHA256

          9dbba10290f4c75f8e50d43fff55dd11fac2b4003262d735b34c8b7f6f47c4d4

          SHA512

          e6d606f7bb899dbdd72d377b5cd47fc103dc21044c6df035611c29961a70bcce2f7f82fbb42696e78816bbd83e88bc6d2a21e6c5f7532c997376745e28c60ae8

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          24c603ca291a537a8cde7426e44f6188

          SHA1

          b0862d8709cdd4a7f23578c3f759ad1d8e17113d

          SHA256

          78b6ddbb3a2b534ddd86ff61508a2416f629d47a57d12156ac50683951ffef2d

          SHA512

          1c2376455a28abd109f5a8beeea240dd01bc30132c1c306c478325204d4c0b2bedce12f31c6799839d3a72a55af58b0ee5fb5ad98d4a7cd30852f670c59dae37

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          e155c5d4d3cf724e09b56a70dcbe1bc5

          SHA1

          f66006bc746470cce62874ceea529ec0e81d6e90

          SHA256

          b5c53b20a3edd4577e2fd2c5ad858e732c4149047d751bdab78b2867f9e5ebd5

          SHA512

          351d7b33d169e5b57b4a8926ace6287ac28b3b20dda062a5c35b5b7767da8e4864e08c8d263e869076afcee712a793d87c409c9bff89bc4f392cb9e06ff2a695

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          7e38094d3fdc6f67adaa87744f3cdb81

          SHA1

          e0118cc508dff07a39c57fe267e7cee9604477b6

          SHA256

          004c533bf66bfb5b6487534282a16b5cdb050c003344eb325ae2337afed2b89f

          SHA512

          23be5686996883b9abfe0c93e54819a5ee1a2794a6c7a9496f81bd0c11590368447957b43789ace88f24faa7890ae56b052f245e4f7b8d20fd7f04d9e8289d3f

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          cf3255b5a31c1a4cb89104fed93ebb59

          SHA1

          b5c4c4da79ece044052994a7aa0a3209e1a06272

          SHA256

          7314d278dec5068411ba8441764bd3cc13fa63a184537b922f6fcf193b72e71e

          SHA512

          eddd53d410c47cab57da43a67c455b0f3ef3d301491dbcd7c04b7a14c8fcfb9d583f3c6a0f1b0db2081ab11bf42acb141b0527a4fff16ee53b9119ddedb7edf7

        • C:\Users\Admin\AppData\Roaming\Adminlog.dat

          Filesize

          15B

          MD5

          bf3dba41023802cf6d3f8c5fd683a0c7

          SHA1

          466530987a347b68ef28faad238d7b50db8656a5

          SHA256

          4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

          SHA512

          fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

        • C:\Windows\SysWOW64\WinDir\Svchost.exe

          Filesize

          379KB

          MD5

          9edcd10eef30eee0315732ac3f22a717

          SHA1

          1c9766b8871a607a9f400e6a276c9865646f63e5

          SHA256

          4580ae34fdd3bb1b72ab5a734a74356ef68d8df0d1d033334ae966c61fe228e9

          SHA512

          3168f4068de89333fa12670ff2acff8cebd789c0c627438df75dad58d85bfd6f1fcce5bdfe09b8f07c560856d7b5a33b5c4b58bcef9da171ce5e87263496a2ae

        • memory/512-0-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB

        • memory/512-34-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB

        • memory/512-1902-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB

        • memory/512-1-0x0000000000401000-0x0000000000402000-memory.dmp

          Filesize

          4KB

        • memory/972-72-0x0000000010480000-0x00000000104E5000-memory.dmp

          Filesize

          404KB

        • memory/972-6-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/972-4-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/972-5-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/972-7-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/972-149-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/972-11-0x0000000010410000-0x0000000010475000-memory.dmp

          Filesize

          404KB

        • memory/972-80-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2620-150-0x0000000010560000-0x00000000105C5000-memory.dmp

          Filesize

          404KB

        • memory/2620-177-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB

        • memory/2620-178-0x0000000010560000-0x00000000105C5000-memory.dmp

          Filesize

          404KB

        • memory/3324-77-0x0000000010480000-0x00000000104E5000-memory.dmp

          Filesize

          404KB

        • memory/3324-16-0x0000000000E50000-0x0000000000E51000-memory.dmp

          Filesize

          4KB

        • memory/3324-15-0x0000000000B90000-0x0000000000B91000-memory.dmp

          Filesize

          4KB

        • memory/3324-176-0x0000000010480000-0x00000000104E5000-memory.dmp

          Filesize

          404KB

        • memory/4952-212-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB

        • memory/4952-1903-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB