Overview

overview

10

Static

static

3

e37877a296...18.exe

windows7-x64

10

e37877a296...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e37877a296dbc464074314c5bf62430c_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    e37877a296dbc464074314c5bf62430c

  • SHA1

    6469310c7a4a2c7daaab2b922cc8b5bd5b5ce38a

  • SHA256

    b2e60308339e30bd9197fc74fa313cc9aed9b112df1c1bfde1def3b9abef2bed

  • SHA512

    ec48447ba2a44dff6e3f661f9e97d0de97d5bc72a29e2188618b773db0719801aa48464cc15b07d8f5304a540e51803ce67e75ff2f04889aa19dfcfa6a60dee1

  • SSDEEP

    12288:LJ4w68yOE3iZa/i+Zk/hyWzaileoNhSJINAbifgYi0Lac:XFoqLmbImoZ5

Score
10/10
cybergateanniediscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

annie

C2

elstar.no-ip.info:81

elstar.no-ip.info:82

elstar.no-ip.info:3460

nieuwste.no-ip.info:81

schuurman.no-ip.info:81
Mutex

4H3D0Q2OR55427

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    12345

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Cybergate family
    cybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1100
      • C:\Users\Admin\AppData\Local\Temp\e37877a296dbc464074314c5bf62430c_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\e37877a296dbc464074314c5bf62430c_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
          C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1884
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1840
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2940
            • C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
              "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2572
              • C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
                "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:3060

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        225KB

        MD5

        73f5d9763fa3a19e51beb36b6b70a07f

        SHA1

        fd2728a465716c2746655e47babccadb4ef0c767

        SHA256

        3cd251c074f8021ef9f79f752901abed5850f3e394a078f94c401890159e178b

        SHA512

        0d281c1432b0febcc72f855d5bfb04d8fc4bd21b24bdd522961abaf3d64f65a520bc296d3dc2a2c5fe18d29d123e32d488f5381cdb509be629ed68fc66df20fa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5a91d9c0ce6a5110e7d71aaecefe41ca

        SHA1

        fd0a56db13c8d8a5091bda8247421c10ae5663da

        SHA256

        f321b1fe19bf00a573492ea68ea8581afcdbf6989136ff6785f0ffe4691b4519

        SHA512

        b5440f5150fcd221d47fee1da4f98e4ad126227e67ab59fd9813ba4c269117649dc4921e0b6bb6ec89dad38d0887e14a739119ac7da3528549e2eb1797931dc6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        73f71d080b6b2fcab72300f00b4b9d74

        SHA1

        3d785e7d4f327163a5ee5fdff3611233937b506e

        SHA256

        1e78b8f551e0900a1a5c5c16f73871e4bc4be20e5497114a4309460435b948ab

        SHA512

        3e2a717a4779800f92b95cf8a9b602d9f37f8212660635b2e7c1d2348ba16c2cb7573b49145851523134611a1e3173b702490407e8298fd4a7d5c4eaaf628fe6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        601e1c4d3da80194e0ae617813ee9bda

        SHA1

        0bbfc915775a863ac4e7a5ca4db21d17ded5e84c

        SHA256

        f5db3dfe6e7caf81788e67db10609e2333e24435c3b94f572f7a32956eb7d3bf

        SHA512

        47ee58d1dd76a0b3d33bff75d1535bd8930a150de2058cfbbfc3dc086dae73184554015f763a5fa9036e787ddf3213a111908a59703e07aa63a24d9592bb46cb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e3189f0ac3a1e56c683005b722a6de4b

        SHA1

        926f901bc03a239b0ed2af74c0d56665ed5139e5

        SHA256

        43368b70a416336b92e7fbb294d5b1754c7d3d754947cd13dc158374837a014e

        SHA512

        c421dae7849291196c97dda46f925e2a3fc909a4fb710ccaf29d512c700fba6e8183894972c81ccf448f956463d6488c0a62ef17d8e1ffab76abaca78c5aafa5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        1815e7f1f79d05e77a788cf20487ba44

        SHA1

        3beb0c752cc6272004a97a6bd3f5dffd4c3197ed

        SHA256

        01eb65eb8472f1ad8150e0cd959a29e804658e344ddf0c0b413b33c39b792b4b

        SHA512

        f9734ecb6a705e63cf9ec6e990d8d30a60a347abb9de5ec251fcebf0e475f58de4f7dfdc6e990feb7d750a675825ab8b878b7f4772b8e062f58bb8a2142d18e9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e0e1cca21a33021612f0a98543738af5

        SHA1

        59abe3f88bff76d4000675ff575c62a8904afc23

        SHA256

        2552a9e3d68d7787b1608f29faa55f535257978065372a94b665a8b17df1900d

        SHA512

        bd1e83a02fe3c257a1dc64f69135604b84cc849d4c84bc4a9f09519eaec9dfb8814b44e3320f883620dba1844b82b481f19fe7cfc00c2fceab04d53f5775071d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        e47706b23871c9ab5c69382849b0e1f3

        SHA1

        bd03cc8c1bdcd98587403f80315cfda178cf42b7

        SHA256

        a4d8d617b1830101894e60937ca68108ecffe4d638c4c85ac141d7214947eefd

        SHA512

        8b2811e9e021079e2eff33ebb808112bd5dd960030018c386c155e78dc89f7a7799b14e2a3415784b803b18778b6a0054252fe8f49eda327806b5a0687f9a92b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        566997ac93bd84e6bd5733c4392ad9ea

        SHA1

        5fa509ab4bbfdbd4f275e8cc4f70c04a0d2c0c11

        SHA256

        84883c8e91f1501f6a0f2086480f2cf9ac5ec1758c9de8aa88e51610cc8e5779

        SHA512

        0c13640ed62f04ec9b5c3f87fbdd722ab04d0478151b005fe96d2d91004cf8b26ec0ce4c94a955088bbc4f1e3fbd54771698aaa7b8f6d159dbb5a1d7b8e7677a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        38c5e4b840fe8ddefef0ba8f5551a9f4

        SHA1

        d3e35b77908ce758782a03415e378d0817386ac0

        SHA256

        b2174b595280eac4290b4960f5530cbedbcd206fdb29e82ef4147fe167f61ffb

        SHA512

        4395eed77a94926004c99fe315cb881cad4ee5e774efe285a02c05501fa0b9b095ec51b831f88a12adc88cb17152fd99adaf1680e47354f94cd6f640dbfdefa7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8849a7bc90e3c4f7c07d896e1e8726c3

        SHA1

        4c456342b65143ad4f7732b2b43980bf55db1268

        SHA256

        dc6c58034c7a104dd64619261ae65da0319882e710206b267b16fd8dd169c49d

        SHA512

        ff67e89d88b0d5a996d43e34dc94f9873012cb5c702061a4ce19244b285551ebe2798ea43945ebeb7918f2279ec5a5e2ee9f364f8a849b3069027c0b33ffae6c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3341a50f665c227c8c84bf27d75748cb

        SHA1

        95bf90f89c491534911f3e5582019d0d4415eed6

        SHA256

        925023c471e7acd952bfba47b90aeed7273b72762d27992365f94ff48c880ad6

        SHA512

        45089e7db42e35b5e6bfb9fe5c8d9d8152ba786842b4c58959d48df6c8296b3c94236a90cd75060949792f40f052625e01b4a17423bc3a85b7f02f7368dabbbf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        02238fc244f50045f046b2fe5ff2f5d4

        SHA1

        fd3296d46b060d00a4d628d658411d3fd2ef0dcf

        SHA256

        c6185cb2992de7eee5f583094a06ec58395425b132e9e3fc3f2ef1c0df0ecd99

        SHA512

        02997009899851cbdd98426d94e8725953fe6ced26d37e8cbe24482a1f0ac827dc0ced4e4023c8a48fac05699451322368792f695dc6a9999901c1ce4f229667

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        c8f2d2eacb1374982d2a5515115008de

        SHA1

        df6c599dc78ff082d97c1813af76c78dbd745182

        SHA256

        d1780034af707d4776215ce628e23b6c298570cfdd8f0ffd6a61f49fff776691

        SHA512

        e30d138f61c1b9115791c9751bb6a9db4864f6fcc0458dd30492836708ee78bc6e3254861edf9733758b4d49cf4e379764f9a8bac99b6a07b73d97582041072a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        c0ce5bf2fd6ff56a033beee804503a68

        SHA1

        a14b0d3572621b796f04f87c8b5919c8c994e57c

        SHA256

        bb5b1f70922809e6f8f6d06f7e0240e58abd35ea5fa6bbfbace9a169119f4c7f

        SHA512

        7dd99273ccd95726e6223a73f464de5f33bec43ad3003d5f7dc07d0a9fbccefaacfccee82273eadc1b037b129bd785dfbcc6ed46b6e27ffad22bb4e73814111e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        78c641d116abba64852ef62e17a0161c

        SHA1

        012d1c5073efc8d34052c11f9c6f02d15aa64c0f

        SHA256

        38d72e46f22c54b93642c0bf13b91f91c16c1394ea90014fd57978b60bf80fee

        SHA512

        35de4dec6f29782656a851192200b2bdc817d30f649f98c9f9ebdd9d01e38a9aedffa299bef803902c9a42a185d568d9c84ac3c1346782691ffe928a807dae8c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        fb1d9328ce12958a4e93a848752761bc

        SHA1

        3270be978fd7ce70ddc53ccde0fd33907d272990

        SHA256

        dc95e93e88cc345e8dde743578ef1770f524f49cbe3246450a60947fa345c109

        SHA512

        84faedd0b578d2fcbcb13ec5ce1b27fe2ba9ff7632f74b1e0be5858b1bc7a12b71adbacd649e1c760e0873974eabe73b81cfa32de89146856e0d4d8e2bdeb9a6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        959840dff307350651e7ff10c3f97f95

        SHA1

        7af28eb3a6feae230b3e4d899085eeb38402dd98

        SHA256

        c4f3115534ae917de0d572d1f9bf5fb79512bdc0e711449028647f08b30111e7

        SHA512

        d3cc067883fa5f86f620527c5cbdb0d8a31890e18492aaa0f87ddbe7360de57e4bdb236d01eb89b20ec9d1ec67cedf53bcba0f4a83582dc1e9d8913d52e0929e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        fc051f7f9cfad1c851779f696d64b85d

        SHA1

        da59e9c9b2ade097c4e45f49246d94f94493f19c

        SHA256

        f6014161bb530541dbac67767879a66eda677b6af12016fc3345bfa072206fe5

        SHA512

        c3f7aca17a26b54c803fe201e0ce5581c9fc24c2b963cc007921aaa68774607d0f2c62bd27652f074d8e79bb5aab5e3586b1c8552d393ce7866f139e7d484a0d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d320ae76432871282fcac055f7986048

        SHA1

        06b8390eedadfe2e326569c408038852fe56c84e

        SHA256

        de9d42af128c18c2dc21785e26f46db7b726b13b8d5632dc65ab38c5e3704fdf

        SHA512

        a750aad928806a004f762c7ad0363be084eb7074a23a2783192c416be6817001f46cf382e665413cbc75089e5cd2b655c9784e1fc689c884023e789fa5053b0a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        df42723a6905e92098fb4715b9c8ee4b

        SHA1

        416849662f49945406422fd6280bc79553fc85c9

        SHA256

        254ff0a5332497a1374954574bca362e881a57745e24bdd164df09a1fc7908ed

        SHA512

        16a5b26431aaf2cc0802322553c896bc28e00edf422993b8ffba8ec97103775cd26d94b6a049fc09e7e1052b67b2976c7582ba2943ee22efb291c853eb689cf9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

        Download Submit

      • \Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • memory/1100-26-0x0000000002B40000-0x0000000002B41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1840-524-0x00000000002B0000-0x0000000000531000-memory.dmp

        Filesize

        2.5MB

        Download

      • memory/1884-15-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1884-21-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1884-10-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1884-25-0x0000000010410000-0x0000000010475000-memory.dmp

        Filesize

        404KB

        Download

      • memory/1884-23-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1884-22-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1884-12-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1884-13-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1884-14-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1884-11-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1884-16-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1884-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1884-19-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1884-886-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1988-0-0x0000000074531000-0x0000000074532000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1988-552-0x0000000074530000-0x0000000074ADB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1988-3-0x0000000074530000-0x0000000074ADB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1988-2-0x0000000074530000-0x0000000074ADB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1988-1-0x0000000074530000-0x0000000074ADB000-memory.dmp

        Filesize

        5.7MB

        Download