Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2024 12:28

General

  • Target

    a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe

  • Size

    816KB

  • MD5

    a1eee904abb3c639915572bec0dc29fe

  • SHA1

    1d61e03327d1d2826afa57f1b134bab18095494a

  • SHA256

    f5a962180342c44e0aa8bef3a9b608e41f55bb5a8dc9360e9b8d1510705304fd

  • SHA512

    b8493a6c8869ed1c7f41d39ada905c4453ea4bdeb63885224450e09d5f97ae77c01b356eb0af1ec2503e6e6b047494676f10be7daff76e6366ef6ee261662f1a

  • SSDEEP

    24576:IZ3+tZM+EF/UB1QquZgEhvScDc02AlIJlEFgv0G:kyt1P5eZc05IJqgvF

Malware Config

Extracted

  • Family
    cybergate
  • Version
    v1.07.5
  • Botnet
    Cyber
  • C2
    strikeagain.no-ip.biz:100
  • Mutex
    RM5P17J07A1207

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    "Map2.bin" could not be found.

  • message_box_title

    ERROR

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Drops file in Program Files directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4432
        • C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3704
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3712
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2272
            • C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe"
              4⤵
              • Checks computer location settings
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:4864
              • C:\Windows\SysWOW64\WinDir\Svchost.exe
                "C:\Windows\system32\WinDir\Svchost.exe"
                5⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:2160
                • C:\Windows\SysWOW64\WinDir\Svchost.exe
                  C:\Windows\SysWOW64\WinDir\Svchost.exe
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:876
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 584
                    7⤵
                    • Program crash
                    PID:5012
                • C:\Users\Admin\AppData\Local\Temp\tmpUI.exe
                  "C:\Users\Admin\AppData\Local\Temp\tmpUI.exe"
                  6⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  PID:1804
          • C:\Users\Admin\AppData\Local\Temp\tmpUI.exe
            "C:\Users\Admin\AppData\Local\Temp\tmpUI.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            PID:2480
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 876 -ip 876
        1⤵
          PID:3228

Network

MITRE ATT&CK Enterprise v15

Downloads
