Analysis
- max time kernel: 95s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/12/2024, 01:04
Behavioral task: behavioral1
- Sample: c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe
- Size: 341KB
- MD5: c529feb6ee32ab7437fdae205e318cfc
- SHA1: 11d0d160c7f6e62554f2d6fd59b5fff301379a8f
- SHA256: 7b7ebcaee4ccdd40dcd63aaba90c337de85d65a19a8db44a6fbef8620327345f
- SHA512: caec3b0cdbd0ef38b8be502cbcd3bcad53b6f7fa685a537b289cd2baf2bad6bcc45ed80a1d2412e93612e89f1b6be4a081860ba1fc36830126caef5d289161d3
- SSDEEP: 6144:yzbFac5lLo1xvAEO8l1hKZY6o4RDtWEWHuY8AYCpQOkve0NR8t0goS:yzbFaa4xvAEO8l2o4RZjWHu9CbaPgoS
Malware Config
Extracted
- Family: cybergate
- Version: v1.07.5
- Dylan
- C2: dylanlumps.no-ip.org:8567, 127.0.0.1:8567
- mutex:
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
Signatures
- Cybergate family

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | atidisp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | atidisp32.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | atidisp32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | atidisp32.exe

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{LVB61BF3-M1AN-171S-46E2-CI0S2KPX0WL4} | atidisp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{LVB61BF3-M1AN-171S-46E2-CI0S2KPX0WL4}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" | atidisp32.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe

Executes dropped EXE (3 IoCs)
pid | Process
3972 | atidisp32.exe
5068 | atidisp32.exe
2260 | atidisp32.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ATI Display Driver = "C:\\Users\\Admin\\AppData\\Roaming\\atidisp32\\atidisp32.exe" | reg.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3972 set thread context of 5068 | 3972 | atidisp32.exe | 89

YARA rule matches
resource | yara_rule
behavioral2/memory/1736-0-0x0000000000400000-0x000000000055D000-memory.dmp | upx
behavioral2/files/0x0007000000023c72-11.dat | upx
behavioral2/memory/1736-19-0x0000000000400000-0x000000000055D000-memory.dmp | upx
behavioral2/memory/5068-22-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/5068-26-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/5068-28-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/5068-27-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/3972-25-0x0000000000400000-0x000000000055D000-memory.dmp | upx
behavioral2/memory/5068-31-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral2/memory/5068-35-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/2260-40-0x0000000000400000-0x000000000055D000-memory.dmp | upx
behavioral2/memory/5068-54-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/5068-102-0x0000000000400000-0x0000000000458000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3572 | 2260 | WerFault.exe | 91

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atidisp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atidisp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atidisp32.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 2260 | atidisp32.exe
Token: SeRestorePrivilege | 2260 | atidisp32.exe
Token: SeDebugPrivilege | 2260 | atidisp32.exe
Token: SeDebugPrivilege | 2260 | atidisp32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1736 | c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe
3972 | atidisp32.exe

Suspicious use of WriteProcessMemory (64 IoCs)
The report lists 64 identical-format entries; repeated rows are grouped here with their count (the sum is 64).
description | pid | Process | procid_target | count
PID 1736 wrote to memory of 1124 | 1736 | c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe | 84 | 3
PID 1124 wrote to memory of 2468 | 1124 | cmd.exe | 87 | 3
PID 1736 wrote to memory of 3972 | 1736 | c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe | 88 | 3
PID 3972 wrote to memory of 5068 | 3972 | atidisp32.exe | 89 | 8
PID 5068 wrote to memory of 4692 | 5068 | atidisp32.exe | 90 | 47
Processes
- C:\Users\Admin\AppData\Local\Temp\c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe (PID 1736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1124)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSonN.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2468)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ATI Display Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe" /f
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe (PID 3972)
    Command line: "C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe (PID 5068)
      Command line: "C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe"
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 4692)
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe (PID 2260)
        Command line: "C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WerFault.exe (PID 3572)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 156
          - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 5076)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2260 -ip 2260
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Downloads
- Filesize: 224KB
  MD5: d6ea4409086bd4ec01a84a18cda5a535
  SHA1: 9606f93c4fcf92136f2d31dbcb167b3e36cc9a8a
  SHA256: ff6535ed743552794dca4b2df6849e1e3f26e300ec3b4379c3a20334a731570f
  SHA512: 3471692ddf337afa9844e4b5c7462d04f97db7607a4e99a80ccafc9b46835d1e39e40b9ac4159baf7b2ff831046d89fb651627eeed8a5eeb4adf4f8984074bed
- Filesize: 157B
  MD5: 15caf9d73a10032703086477c78f8a06
  SHA1: 79ff878df3b774ff5ad2bf54ad3a41d990cf7d31
  SHA256: 1ef63f20b9f52b2e1f8c848a9218b7de1b7cdbeea178f3a6646a4014d0b1083e
  SHA512: b6daae9fad92225e4e539a722f81df60958d9708ce7c275932b59ca27af4f148255513159391cec2902f2a4a16d6e1e6ecbc77e482a1fa1ab6a409b3f0a409a6
- Filesize: 15B
  MD5: bf3dba41023802cf6d3f8c5fd683a0c7
  SHA1: 466530987a347b68ef28faad238d7b50db8656a5
  SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
  SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
- Filesize: 341KB
  MD5: c529feb6ee32ab7437fdae205e318cfc
  SHA1: 11d0d160c7f6e62554f2d6fd59b5fff301379a8f
  SHA256: 7b7ebcaee4ccdd40dcd63aaba90c337de85d65a19a8db44a6fbef8620327345f
  SHA512: caec3b0cdbd0ef38b8be502cbcd3bcad53b6f7fa685a537b289cd2baf2bad6bcc45ed80a1d2412e93612e89f1b6be4a081860ba1fc36830126caef5d289161d3