
Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2024, 16:26

General

  • Target

    c88785ad18cd97e0a3eebcad4b2b482d_JaffaCakes118.exe

  • Size

    207KB

  • MD5

    c88785ad18cd97e0a3eebcad4b2b482d

  • SHA1

    bb2e9e69e368ad9385d0e0e4d3e0321304469fdc

  • SHA256

    aa0fbca193e4fa2b448fd2e03513ab05111d361db4f41923135d697816d3a1e9

  • SHA512

    09b75d64b3029c5944ea6c28eaf01bf9d40b37124f105c32a66ad48dd609879acdd7b43e29f7662761d678d6c7805541ef9a640a3e4d9ecc2dc1e1930f5464e9

  • SSDEEP

    3072:ulTC7skBUvCaxlrKsJiu9npugDCjJtxxhpYMaKoMUdpwocNQcIuh1igYMWAF9B/I:usZUFE2ueC1DxzaOsVcKcIy1iTApKmE

Malware Config

Extracted

Family

cybergate

Version

2.2

Botnet

rap rap rap rap

C2

sessizlikiyi.no-ip.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem (Portuguese: "message text")

  • message_box_title

    título da mensagem (Portuguese: "message title")

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
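
The extracted config above is enough to build host and network hunting indicators without touching the sample. The following is an added example written for this report (not tria.ge code and not part of the sample): it turns the config fields into a C2 host/port, the autostart registry locations implied by the persistence signatures below, and the dropped-file paths seen in this run, then offers a live-host registry scan for any autostart value referencing the install file. CONFIG is constructed from the "Malware Config" section; the dynamic-DNS suffix list and the registry key list are assumptions (standard Windows autostart locations; the report does not name the value names the sample wrote). Note that the report shows the copy at c:\dir\install\install\server.exe, so the path match is on the trailing install\server.exe rather than a fixed root.

```python
"""Derive hunting indicators from a CyberGate config (added example)."""

# Constructed from the report's "Malware Config" section.
CONFIG = {
    "family": "cybergate", "version": "2.2",
    "c2": ["sessizlikiyi.no-ip.biz:81"],
    "mutex": "***MUTEX***",
    "install_flag": True, "install_dir": "install", "install_file": "server.exe",
    "injected_process": "explorer.exe",
    "regkey_hkcu": "HKCU", "regkey_hklm": "HKLM",
    "enable_keylogger": True, "keylogger_enable_ftp": False,
}

# Assumption: illustrative dynamic-DNS suffixes, not an exhaustive list.
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.info", "ddns.net", "zapto.org", "hopto.org")

# Standard autostart locations matching the report's signatures ("Adds Run key",
# "Adds policy Run key", "Active Setup"); value names are not in the report.
AUTOSTART_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ("HKCU", r"Software\Microsoft\Active Setup\Installed Components"),
    ("HKLM", r"Software\Microsoft\Active Setup\Installed Components"),
)


def parse_c2(entry):
    """'host:port' -> (host, port); rejects entries without a valid numeric port."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed C2 entry: {entry!r}")
    return host.strip().lower(), int(port)


def is_dyndns(host):
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def derive_iocs(cfg):
    """Network, file, registry and mutex indicators implied by the config."""
    iocs = {"network": [], "files": [], "registry": [], "mutex": [cfg["mutex"]]}
    for entry in cfg["c2"]:
        host, port = parse_c2(entry)
        iocs["network"].append({"host": host, "port": port, "dynamic_dns": is_dyndns(host)})
    if cfg.get("install_flag"):
        # Trailing <install_dir>\<install_file>; the drop in this run sat under c:\dir\install\.
        iocs["files"].append((cfg["install_dir"] + "\\" + cfg["install_file"]).lower())
        iocs["registry"] = [h + "\\" + k for h, k in AUTOSTART_KEYS
                            if h in (cfg["regkey_hkcu"], cfg["regkey_hklm"])]
    if cfg.get("enable_keylogger"):
        # Matches the dropped C:\Users\Admin\AppData\Roaming\logs.dat in this run.
        iocs["files"].append("appdata\\roaming\\logs.dat")
    return iocs


def path_matches(path, iocs):
    """True if a path (any drive or \\??\\ prefix) ends with one of the file IoCs."""
    norm = path.lower().replace("/", "\\")
    return any(norm.endswith("\\" + f) for f in iocs["files"])


def scan_autostart_registry(needle, keys=AUTOSTART_KEYS):
    """On a live Windows host, return (key, value_name, data) for autostart values
    whose data mentions `needle`. Returns None on non-Windows platforms."""
    try:
        import winreg
    except ImportError:
        return None
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}

    def values(key):  # enumerate (name, data) until EnumValue runs out
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                return
            yield name, data
            i += 1

    def subkeys(key):
        i = 0
        while True:
            try:
                yield winreg.EnumKey(key, i)
            except OSError:
                return
            i += 1

    hits = []
    for hive, sub in keys:
        try:
            key = winreg.OpenKey(hives[hive], sub)
        except OSError:
            continue
        with key:
            # Run keys hold commands as values; Active Setup holds a StubPath value
            # inside a per-component subkey, so look one level down as well.
            for name, data in values(key):
                if needle.lower() in str(data).lower():
                    hits.append((hive + "\\" + sub, name, data))
            for child in subkeys(key):
                try:
                    with winreg.OpenKey(key, child) as ck:
                        for name, data in values(ck):
                            if needle.lower() in str(data).lower():
                                hits.append((hive + "\\" + sub + "\\" + child, name, data))
                except OSError:
                    continue
    return hits
```

`derive_iocs(CONFIG)` gives a dynamic-DNS C2 on port 81, the trailing install path, the keylogger log path, and six registry locations to check; `scan_autostart_registry("server.exe")` run on a suspect host returns every autostart value whose data references the install file.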

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3528
      • C:\Users\Admin\AppData\Local\Temp\c88785ad18cd97e0a3eebcad4b2b482d_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\c88785ad18cd97e0a3eebcad4b2b482d_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3464
        • C:\Users\Admin\AppData\Local\Temp\c88785ad18cd97e0a3eebcad4b2b482d_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\c88785ad18cd97e0a3eebcad4b2b482d_JaffaCakes118.exe"
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1096
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            PID:4972
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3476
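
The tree above is the classic CyberGate chain: the dropper (PID 3464) exhibits SetThreadContext and WriteProcessMemory while launching a second copy of itself (PID 1096), which then writes the Run, policy Run and Active Setup keys and spawns two copies of the 32-bit C:\Windows\SysWOW64\explorer.exe, matching the injected_process value in the config; one of those explorer.exe instances (PID 4972) itself performs Active Setup persistence, which shows the payload is running inside the hollowed shell. The following is an added example written for this report (not tria.ge code): detection logic that flags such chains from a process tree. EVENTS is constructed from the "Processes" section as (pid, ppid, image, behaviour signatures); the signature names are shortened labels of the report's own signature titles.

```python
"""Flag process-hollowing chains in a sandbox process tree (added example)."""

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c88785ad18cd97e0a3eebcad4b2b482d_JaffaCakes118.exe"

# Constructed from the report's "Processes" section.
EVENTS = [
    (3528, None, r"C:\Windows\Explorer.EXE", set()),
    (3464, 3528, SAMPLE, {"SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"}),
    (1096, 3464, SAMPLE, {"AddsPolicyRunKey", "ActiveSetup", "AddsRunKey",
                          "FindShellTrayWindow", "WriteProcessMemory"}),
    (4972, 1096, r"C:\Windows\SysWOW64\explorer.exe", {"ActiveSetup"}),
    (3476, 1096, r"C:\Windows\SysWOW64\explorer.exe",
     {"GetForegroundWindowSpam", "AdjustPrivilegeToken"}),
]

INJECTION_SIGS = {"SetThreadContext", "WriteProcessMemory"}
PERSISTENCE_SIGS = {"AddsRunKey", "AddsPolicyRunKey", "ActiveSetup"}


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_windows_dir(path):
    return path.lower().startswith("c:\\windows\\")


def hollowing_candidates(events):
    """Children whose parent shows SetThreadContext/WriteProcessMemory and that are
    either a copy of the parent's own image (RunPE-style self-respawn) or a Windows
    binary started by a parent outside C:\\Windows (a hollowed shell such as
    SysWOW64\\explorer.exe). Returns (ppid, pid, child basename, reason)."""
    by_pid = {pid: (ppid, image, sigs) for pid, ppid, image, sigs in events}
    found = []
    for pid, ppid, image, sigs in events:
        if ppid not in by_pid:
            continue  # root of the tree
        _, pimage, psigs = by_pid[ppid]
        if not psigs & INJECTION_SIGS:
            continue  # parent never touched another process's memory
        if image.lower() == pimage.lower():
            found.append((ppid, pid, _base(image), "self-respawn"))
        elif _in_windows_dir(image) and not _in_windows_dir(pimage):
            found.append((ppid, pid, _base(image), "system binary spawned by user-path parent"))
    return found


def persistence_by_pid(events):
    """Which processes wrote autostart locations; a hit on a hollowed explorer.exe
    means the injected payload, not the dropper, did the writing."""
    return {pid: sorted(sigs & PERSISTENCE_SIGS)
            for pid, _, _, sigs in events if sigs & PERSISTENCE_SIGS}


def ancestry(events, pid):
    """Image basenames from the tree root down to `pid`, for a one-line triage view."""
    by_pid = {p: (pp, img) for p, pp, img, _ in events}
    chain = []
    while pid in by_pid:
        ppid, img = by_pid[pid]
        chain.append(_base(img))
        pid = ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for ppid, pid, name, why in hollowing_candidates(EVENTS):
        print(f"{ppid} -> {pid} ({name}): {why}; chain: {' > '.join(ancestry(EVENTS, pid))}")
    print(persistence_by_pid(EVENTS))
```

Run against the report's tree this yields three candidates (3464 to 1096 as a self-respawn, 1096 to 4972 and 1096 to 3476 as hollowed explorer.exe) and persistence from both the second dropper instance and the hollowed explorer. The root Explorer.EXE launching the sample is not flagged because it carries no injection signature.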

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\UuU.uUu

      Filesize

      8B

      MD5

      3fd891495efbf28c5cc216e7018f4d16

      SHA1

      d93a8da81a1b2d30eb5f2492381228b78fa512d0

      SHA256

      542ff106ed002263a8fec23151d1527fa929753cd12dda067c0e476aec6ebadf

      SHA512

      5fa6289aed0aac8eba0c56a9413228eaa66f7999753328238a8d11ae9e0b41c9c9805ba1aee3ced0fdb4d37ac942eb75515de06a7af00ef631694fe991c7eb08

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      143KB

      MD5

      f1caf62bdbfeb34c7f6f3ea098711366

      SHA1

      71d310a6250c3cafee13c1c262ee7f3141934842

      SHA256

      b5d8064c6ff19ab0df29bba48743e28cf37620344bcf953dc6df72af8134c6b3

      SHA512

      5e2eb726d450edca19557839d119953ee7ef6f684caf257d26db969ca8a7b85d15b9e5f4ebbeb469890b19ef43c405f39356fc4b2cb89e85dd45beb075489d56

    • C:\Users\Admin\AppData\Roaming\logs.dat

      Filesize

      15B

      MD5

      86f3c87caff4d7973404ff22c664505b

      SHA1

      245bc19c345bc8e73645cd35f5af640bc489da19

      SHA256

      e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

      SHA512

      0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

    • \??\c:\dir\install\install\server.exe

      Filesize

      207KB

      MD5

      c88785ad18cd97e0a3eebcad4b2b482d

      SHA1

      bb2e9e69e368ad9385d0e0e4d3e0321304469fdc

      SHA256

      aa0fbca193e4fa2b448fd2e03513ab05111d361db4f41923135d697816d3a1e9

      SHA512

      09b75d64b3029c5944ea6c28eaf01bf9d40b37124f105c32a66ad48dd609879acdd7b43e29f7662761d678d6c7805541ef9a640a3e4d9ecc2dc1e1930f5464e9

    • memory/1096-70-0x0000000024090000-0x00000000240CC000-memory.dmp

      Filesize

      240KB

    • memory/1096-123-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1096-7-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1096-8-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1096-17-0x0000000024050000-0x000000002408C000-memory.dmp

      Filesize

      240KB

    • memory/1096-13-0x0000000024010000-0x000000002404C000-memory.dmp

      Filesize

      240KB

    • memory/1096-9-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1096-10-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1096-63-0x0000000024050000-0x000000002408C000-memory.dmp

      Filesize

      240KB

    • memory/3464-0-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/3464-231-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/3476-88-0x0000000000200000-0x0000000000633000-memory.dmp

      Filesize

      4.2MB

    • memory/4972-67-0x0000000024050000-0x000000002408C000-memory.dmp

      Filesize

      240KB

    • memory/4972-66-0x0000000003470000-0x0000000003471000-memory.dmp

      Filesize

      4KB

    • memory/4972-53-0x0000000000200000-0x0000000000633000-memory.dmp

      Filesize

      4.2MB

    • memory/4972-19-0x0000000000D60000-0x0000000000D61000-memory.dmp

      Filesize

      4KB

    • memory/4972-18-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

      Filesize

      4KB