Analysis

  • max time kernel
    95s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2024, 01:04

General

  • Target

    c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe

  • Size

    341KB

  • MD5

    c529feb6ee32ab7437fdae205e318cfc

  • SHA1

    11d0d160c7f6e62554f2d6fd59b5fff301379a8f

  • SHA256

    7b7ebcaee4ccdd40dcd63aaba90c337de85d65a19a8db44a6fbef8620327345f

  • SHA512

    caec3b0cdbd0ef38b8be502cbcd3bcad53b6f7fa685a537b289cd2baf2bad6bcc45ed80a1d2412e93612e89f1b6be4a081860ba1fc36830126caef5d289161d3

  • SSDEEP

    6144:yzbFac5lLo1xvAEO8l1hKZY6o4RDtWEWHuY8AYCpQOkve0NR8t0goS:yzbFaa4xvAEO8l2o4RZjWHu9CbaPgoS

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Dylan

C2

dylanlumps.no-ip.org:8567

127.0.0.1:8567

Mutex

mutex

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSonN.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ATI Display Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2468
    • C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe
      "C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe
        "C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe"
        3⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
            PID:4692
          • C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe
            "C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2260
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 156
              5⤵
              • Program crash
              PID:3572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2260 -ip 2260
      1⤵
        PID:5076

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

        Filesize

        224KB

        MD5

        d6ea4409086bd4ec01a84a18cda5a535

        SHA1

        9606f93c4fcf92136f2d31dbcb167b3e36cc9a8a

        SHA256

        ff6535ed743552794dca4b2df6849e1e3f26e300ec3b4379c3a20334a731570f

        SHA512

        3471692ddf337afa9844e4b5c7462d04f97db7607a4e99a80ccafc9b46835d1e39e40b9ac4159baf7b2ff831046d89fb651627eeed8a5eeb4adf4f8984074bed

      • C:\Users\Admin\AppData\Local\Temp\DSonN.bat

        Filesize

        157B

        MD5

        15caf9d73a10032703086477c78f8a06

        SHA1

        79ff878df3b774ff5ad2bf54ad3a41d990cf7d31

        SHA256

        1ef63f20b9f52b2e1f8c848a9218b7de1b7cdbeea178f3a6646a4014d0b1083e

        SHA512

        b6daae9fad92225e4e539a722f81df60958d9708ce7c275932b59ca27af4f148255513159391cec2902f2a4a16d6e1e6ecbc77e482a1fa1ab6a409b3f0a409a6

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat

        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe

        Filesize

        341KB

        MD5

        c529feb6ee32ab7437fdae205e318cfc

        SHA1

        11d0d160c7f6e62554f2d6fd59b5fff301379a8f

        SHA256

        7b7ebcaee4ccdd40dcd63aaba90c337de85d65a19a8db44a6fbef8620327345f

        SHA512

        caec3b0cdbd0ef38b8be502cbcd3bcad53b6f7fa685a537b289cd2baf2bad6bcc45ed80a1d2412e93612e89f1b6be4a081860ba1fc36830126caef5d289161d3

      • memory/1736-19-0x0000000000400000-0x000000000055D000-memory.dmp

        Filesize

        1.4MB

      • memory/1736-0-0x0000000000400000-0x000000000055D000-memory.dmp

        Filesize

        1.4MB

      • memory/2260-37-0x00000000006C0000-0x00000000006C1000-memory.dmp

        Filesize

        4KB

      • memory/2260-40-0x0000000000400000-0x000000000055D000-memory.dmp

        Filesize

        1.4MB

      • memory/2260-36-0x00000000001E0000-0x00000000001E1000-memory.dmp

        Filesize

        4KB

      • memory/3972-25-0x0000000000400000-0x000000000055D000-memory.dmp

        Filesize

        1.4MB

      • memory/5068-31-0x0000000010410000-0x0000000010475000-memory.dmp

        Filesize

        404KB

      • memory/5068-35-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

      • memory/5068-27-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

      • memory/5068-28-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

      • memory/5068-54-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

      • memory/5068-102-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

      • memory/5068-26-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

      • memory/5068-22-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB