Analysis

  • max time kernel
    30s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2024 08:32

General

  • Target

    a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe

  • Size

    317KB

  • MD5

    a0dffd0a644a6454364b5a466c99ab14

  • SHA1

    b5445107743830918c3544d56c2755d23bf5f663

  • SHA256

    ebd767714eaeb627c430dd1f29f7e3e54ce99fc1697dbc90f34404ab002ceb45

  • SHA512

    bd5e5434a1c4fb663e47c7239b01f0b53fc6c7d1a4b7818830c026e36f806cad74b492ba4cb254d6afe1e476cc36aa752661717b7ced6e47636272e94760531e

  • SSDEEP

    6144:eBylvANvONAB/Xc9Q1+L2U1Fz59gL5WIHZXqk+mB9rptOVpl:eo45n/MjZFPgL8I0xmxtO

Malware Config

Extracted

  • Family
    cybergate
  • Version
    v1.07.5
  • Botnet
    Cyber
  • C2
    tinyminymo.no-ip.biz:100
  • Mutex
    J86XK6HHG7L212

Attributes

  • enable_keylogger
    true
  • enable_message_box
    false
  • ftp_directory
    ./logs/
  • ftp_interval
    30
  • injected_process
    explorer.exe
  • install_dir
    WinDir
  • install_file
    Svchost.exe
  • install_flag
    true
  • keylogger_enable_ftp
    false
  • message_box_caption
    Remote Administration anywhere in the world.
  • message_box_title
    CyberGate
  • password
    123456
  • regkey_hkcu
    HKCU
  • regkey_hklm
    HKLM

Signatures

  • CyberGate, Rebhip
    CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  • Cybergate family
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • UPX packed file (1 IoC)
    Detects executables packed with UPX/modified UPX open source packer.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Users\Admin\AppData\Local\Temp\tmp9AF8.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp9AF8.tmp.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1240
          • C:\Users\Admin\AppData\Local\Temp\tmp9B46.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp9B46.tmp.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2780
            • C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe
              "C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:2816
              • C:\Windows\SysWOW64\explorer.exe
                explorer.exe
                6⤵
                • Boot or Logon Autostart Execution: Active Setup
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2364
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                  PID:2288
                • C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe
                  "C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe"
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1532
                  • C:\Windows\SysWOW64\WinDir\Svchost.exe
                    "C:\Windows\system32\WinDir\Svchost.exe"
                    7⤵
                    • Executes dropped EXE
                    PID:2700

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
    Filesize: 224KB
    MD5: 661fda20ad62cd2ee6f43c76349ad750
    SHA1: 1932f0a0a3882bdc0c1f98c7db156973629a0fa3
    SHA256: 9ebfea5ce30e55ff1e3fe5c05b29b2bf6cd85393cf8ef0afa331edc1746e8f5e
    SHA512: 0fea2582b81eb9304ac4dc8a0439148b039958b7102f796f4a689adc9ad3648946e16cad41137db8238168cb0700003ba1eaa9f6a1dda1e1f2e3b62d0eff63df

  • C:\Users\Admin\AppData\Local\Temp\tmp9AF8.tmp.exe
    Filesize: 308KB
    MD5: 70b587b81f55269db181349a1b0a4dd2
    SHA1: f75cc3c1352d5acd35de436969a7ca134913cc67
    SHA256: 5e7f8b8cf274709e45b0c26cbbbf899668659a49747ca29a9411de97cba68215
    SHA512: 1b0a66f79a36392494937f917048045034a9e16981a2c2c43e5b68a93d9ad7c0c66d4029864095076cba5584b43bd63148ad055a5c501b94bc911267ce35d3a5

  • C:\Users\Admin\AppData\Local\Temp\tmp9B46.tmp.exe
    Filesize: 299KB
    MD5: b9eb469e1255121c399e785e0bb4fa42
    SHA1: 281035db917e25c4fdb54df26bc407857459ce08
    SHA256: 56cead34c53a980d0daeb27bd30125a0c1589626aeeac735c3724eb9b1a19ed0
    SHA512: bc7cb3d907f2027c6d76e20dd7aa5c22e63c33a23c37871da51eb88a73d7c298c24d2e947e79ae9ea201744276188a81be54e324b1513cddcffda41939afa21b

  • C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe
    Filesize: 290KB
    MD5: 63976084b4c862f2b33edb5fc277b4cd
    SHA1: b544ffd189a5bd28eed2f75e18ade9c1fbdce8c1
    SHA256: 4b5b33efa246df31b7e853667d943faed66ba15de74f0ed4f95584383fca16e5
    SHA512: fd83abd932683e52e7b076acfaa485100a0c0dfa3843337fadfd4a9cb54de4938f26d0036562ad6c6439585b880b60bca0dc0c145657505eb3b6ba528a54168f

  • C:\Users\Admin\AppData\Roaming\Adminlog.dat
    Filesize: 15B
    MD5: bf3dba41023802cf6d3f8c5fd683a0c7
    SHA1: 466530987a347b68ef28faad238d7b50db8656a5
    SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
    SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

  • memory/1204-26-0x0000000002D70000-0x0000000002D71000-memory.dmp
    Filesize: 4KB
  • memory/1240-12-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp
    Filesize: 9.6MB
  • memory/1240-16-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp
    Filesize: 9.6MB
  • memory/1240-13-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp
    Filesize: 9.6MB
  • memory/1452-969-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp
    Filesize: 9.6MB
  • memory/1452-0-0x000007FEF570E000-0x000007FEF570F000-memory.dmp
    Filesize: 4KB
  • memory/1452-7-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp
    Filesize: 9.6MB
  • memory/2816-25-0x0000000010410000-0x0000000010475000-memory.dmp
    Filesize: 404KB