Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2024 10:08

Static task: static1
Behavioral task: behavioral1
Sample: a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe
Size: 1.1MB
MD5: a7503ad56f686432fbdc3ab0d45b0f92
SHA1: f3c47c68b54adb78499544ebc34744808789f7da
SHA256: bad9e59ca96315d8bbf48e7f247c9fd00954f094f6bcacab9af483d98f1ad5c9
SHA512: ba880e2ff032b6c620a1107a2390d440dbb02df68ba2581235859ef583b470276b133ecd4ba115305d08e3f9ef23a0fb5b65f959fe9f250f96155b50d1beb18f
SSDEEP: 12288:rQdfp2v7g6ML1HbPifA27Wna1PLAXOgX0JwJtlyUH+llKLb0bCx:rQo7g6ML9e427rs2wTlyUHtLb0W
Malware Config

Extracted: cybergate
v1.11.0 - Public Version
cyber
vip081247.no-ip.biz:82
SRXA81Y15I78PF

enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Cybergate family

Executes dropped EXE (1 IoC)
  pid: 1796
  Process: GoogleUpdate.exe

Loads dropped DLL (1 IoC)
  pid: 2080
  Process: a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleUpdate.exe"
  Process: a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 1796 set thread context of 2712
  pid: 1796
  Process: GoogleUpdate.exe
  procid_target: 32

Drops file in Program Files directory (2 IoCs)
  description: File created
  ioc: C:\Program Files (x86)\LimeWire\Shared\SteamHack.exe
  Process: a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe

  description: File created
  ioc: C:\Program Files (x86)\LimeWire\Shared\SteamHack.exe
  Process: GoogleUpdate.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: GoogleUpdate.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description: PID 2080 wrote to memory of 1796 (7 occurrences)
  pid: 2080
  Process: a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe
  procid_target: 31

  description: PID 1796 wrote to memory of 2712 (12 occurrences)
  pid: 1796
  Process: GoogleUpdate.exe
  procid_target: 32
Processes

1. C:\Users\Admin\AppData\Local\Temp\a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe"
   PID: 2080
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe
      command line: "C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe" 0
      PID: 1796
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\svchost.exe
         command line: C:\Windows\system32\svchost.exe
         PID: 2712
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.1MB
MD5: a7503ad56f686432fbdc3ab0d45b0f92
SHA1: f3c47c68b54adb78499544ebc34744808789f7da
SHA256: bad9e59ca96315d8bbf48e7f247c9fd00954f094f6bcacab9af483d98f1ad5c9
SHA512: ba880e2ff032b6c620a1107a2390d440dbb02df68ba2581235859ef583b470276b133ecd4ba115305d08e3f9ef23a0fb5b65f959fe9f250f96155b50d1beb18f