Analysis

  • max time kernel
    148s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-12-2024 16:26

General

  • Target

    c88785ad18cd97e0a3eebcad4b2b482d_JaffaCakes118.exe

  • Size

    207KB

  • MD5

    c88785ad18cd97e0a3eebcad4b2b482d

  • SHA1

    bb2e9e69e368ad9385d0e0e4d3e0321304469fdc

  • SHA256

    aa0fbca193e4fa2b448fd2e03513ab05111d361db4f41923135d697816d3a1e9

  • SHA512

    09b75d64b3029c5944ea6c28eaf01bf9d40b37124f105c32a66ad48dd609879acdd7b43e29f7662761d678d6c7805541ef9a640a3e4d9ecc2dc1e1930f5464e9

  • SSDEEP

    3072:ulTC7skBUvCaxlrKsJiu9npugDCjJtxxhpYMaKoMUdpwocNQcIuh1igYMWAF9B/I:usZUFE2ueC1DxzaOsVcKcIy1iTApKmE

Malware Config

Extracted

Family

cybergate

Version

2.2

Botnet

rap rap rap rap

C2

sessizlikiyi.no-ip.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • UPX packed file (14 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\c88785ad18cd97e0a3eebcad4b2b482d_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\c88785ad18cd97e0a3eebcad4b2b482d_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Users\Admin\AppData\Local\Temp\c88785ad18cd97e0a3eebcad4b2b482d_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\c88785ad18cd97e0a3eebcad4b2b482d_JaffaCakes118.exe"
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2320
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            PID:2952
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2572
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2988

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\UuU.uUu

      Filesize

      8B

      MD5

      3de6c00d156f63fb6fc613d00ccea470

      SHA1

      c634de7ae25ab24eadea7a80da370b868527b4b2

      SHA256

      3f9812e1bf2a9863edfe68222a4cd0619845a86f381ceae0b6f68e538e12056f

      SHA512

      e7682da4b62108a7fe21238e27b5036eabb530ec49db0ec704ddf1d3740a454f6b18b90ecab1c077f20058914e0793017605fa3313d9c4a36c1ad75ebd2aeed3

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      143KB

      MD5

      f1caf62bdbfeb34c7f6f3ea098711366

      SHA1

      71d310a6250c3cafee13c1c262ee7f3141934842

      SHA256

      b5d8064c6ff19ab0df29bba48743e28cf37620344bcf953dc6df72af8134c6b3

      SHA512

      5e2eb726d450edca19557839d119953ee7ef6f684caf257d26db969ca8a7b85d15b9e5f4ebbeb469890b19ef43c405f39356fc4b2cb89e85dd45beb075489d56

    • C:\Users\Admin\AppData\Local\Temp\birlestir.JPG

      Filesize

      5KB

      MD5

      32907e5b94c5aa2fad71400403e021cc

      SHA1

      b979285bf2c84ae2937d55e0d225eb89f626fb96

      SHA256

      2012b44a935670ec741f2f4b431ec650d96426b9334f2f8303ba172404fdfc9e

      SHA512

      feb95b478eb2614464b27840eb6c299a3666910df263dfe39a1d9715564b7f7be316e66761f48c55da148eea3f1d11f2d950d6c92fdd9c372de1988316fa1411

    • C:\Users\Admin\AppData\Roaming\logs.dat

      Filesize

      15B

      MD5

      86f3c87caff4d7973404ff22c664505b

      SHA1

      245bc19c345bc8e73645cd35f5af640bc489da19

      SHA256

      e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

      SHA512

      0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

    • \??\c:\dir\install\install\server.exe

      Filesize

      207KB

      MD5

      c88785ad18cd97e0a3eebcad4b2b482d

      SHA1

      bb2e9e69e368ad9385d0e0e4d3e0321304469fdc

      SHA256

      aa0fbca193e4fa2b448fd2e03513ab05111d361db4f41923135d697816d3a1e9

      SHA512

      09b75d64b3029c5944ea6c28eaf01bf9d40b37124f105c32a66ad48dd609879acdd7b43e29f7662761d678d6c7805541ef9a640a3e4d9ecc2dc1e1930f5464e9

    • memory/1196-22-0x0000000002480000-0x0000000002481000-memory.dmp

      Filesize

      4KB

    • memory/2320-15-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2320-7-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2320-18-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2320-17-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2320-16-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2320-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2320-6-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2320-9-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2320-12-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2320-21-0x0000000024010000-0x000000002404C000-memory.dmp

      Filesize

      240KB

    • memory/2320-14-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2320-670-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2320-419-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2460-756-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/2460-0-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/2572-672-0x0000000024090000-0x00000000240CC000-memory.dmp

      Filesize

      240KB

    • memory/2572-707-0x0000000024090000-0x00000000240CC000-memory.dmp

      Filesize

      240KB

    • memory/2952-420-0x0000000024050000-0x000000002408C000-memory.dmp

      Filesize

      240KB

    • memory/2952-212-0x0000000000370000-0x0000000000371000-memory.dmp

      Filesize

      4KB

    • memory/2952-210-0x00000000000A0000-0x00000000000A1000-memory.dmp

      Filesize

      4KB