Overview

overview

10

Static

static

3

e37877a296...18.exe

windows7-x64

10

e37877a296...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/12/2024, 22:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e37877a296dbc464074314c5bf62430c_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    e37877a296dbc464074314c5bf62430c

  • SHA1

    6469310c7a4a2c7daaab2b922cc8b5bd5b5ce38a

  • SHA256

    b2e60308339e30bd9197fc74fa313cc9aed9b112df1c1bfde1def3b9abef2bed

  • SHA512

    ec48447ba2a44dff6e3f661f9e97d0de97d5bc72a29e2188618b773db0719801aa48464cc15b07d8f5304a540e51803ce67e75ff2f04889aa19dfcfa6a60dee1

  • SSDEEP

    12288:LJ4w68yOE3iZa/i+Zk/hyWzaileoNhSJINAbifgYi0Lac:XFoqLmbImoZ5

Score
10/10
cybergateanniediscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

annie

C2

elstar.no-ip.info:81

elstar.no-ip.info:82

elstar.no-ip.info:3460

nieuwste.no-ip.info:81

schuurman.no-ip.info:81
Mutex

4H3D0Q2OR55427

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    12345

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Cybergate family
    cybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3484
      • C:\Users\Admin\AppData\Local\Temp\e37877a296dbc464074314c5bf62430c_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\e37877a296dbc464074314c5bf62430c_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
          C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:344
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3976
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:4156
            • C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
              "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe"
              4⤵
              • Checks computer location settings
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:3256
              • C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
                "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1636

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        225KB

        MD5

        73f5d9763fa3a19e51beb36b6b70a07f

        SHA1

        fd2728a465716c2746655e47babccadb4ef0c767

        SHA256

        3cd251c074f8021ef9f79f752901abed5850f3e394a078f94c401890159e178b

        SHA512

        0d281c1432b0febcc72f855d5bfb04d8fc4bd21b24bdd522961abaf3d64f65a520bc296d3dc2a2c5fe18d29d123e32d488f5381cdb509be629ed68fc66df20fa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        566997ac93bd84e6bd5733c4392ad9ea

        SHA1

        5fa509ab4bbfdbd4f275e8cc4f70c04a0d2c0c11

        SHA256

        84883c8e91f1501f6a0f2086480f2cf9ac5ec1758c9de8aa88e51610cc8e5779

        SHA512

        0c13640ed62f04ec9b5c3f87fbdd722ab04d0478151b005fe96d2d91004cf8b26ec0ce4c94a955088bbc4f1e3fbd54771698aaa7b8f6d159dbb5a1d7b8e7677a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        38c5e4b840fe8ddefef0ba8f5551a9f4

        SHA1

        d3e35b77908ce758782a03415e378d0817386ac0

        SHA256

        b2174b595280eac4290b4960f5530cbedbcd206fdb29e82ef4147fe167f61ffb

        SHA512

        4395eed77a94926004c99fe315cb881cad4ee5e774efe285a02c05501fa0b9b095ec51b831f88a12adc88cb17152fd99adaf1680e47354f94cd6f640dbfdefa7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        f1c9f200cfeac858c4e561ecb193a284

        SHA1

        0edad1ab5cf906391ebff0a8ce1f3e6e0d1002a3

        SHA256

        8d34e6daa454b0e51fdf9688ad865d9f556dd295191fa0dc68b57a36c09cf976

        SHA512

        6b1d2144b61d5a1e14ef30f3037d139f0b676120d30476b813de0937dfd0e049d36842813193d1e6892df58f15ef684964db685067d875614a6415045ad8828c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        fc051f7f9cfad1c851779f696d64b85d

        SHA1

        da59e9c9b2ade097c4e45f49246d94f94493f19c

        SHA256

        f6014161bb530541dbac67767879a66eda677b6af12016fc3345bfa072206fe5

        SHA512

        c3f7aca17a26b54c803fe201e0ce5581c9fc24c2b963cc007921aaa68774607d0f2c62bd27652f074d8e79bb5aab5e3586b1c8552d393ce7866f139e7d484a0d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8849a7bc90e3c4f7c07d896e1e8726c3

        SHA1

        4c456342b65143ad4f7732b2b43980bf55db1268

        SHA256

        dc6c58034c7a104dd64619261ae65da0319882e710206b267b16fd8dd169c49d

        SHA512

        ff67e89d88b0d5a996d43e34dc94f9873012cb5c702061a4ce19244b285551ebe2798ea43945ebeb7918f2279ec5a5e2ee9f364f8a849b3069027c0b33ffae6c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3341a50f665c227c8c84bf27d75748cb

        SHA1

        95bf90f89c491534911f3e5582019d0d4415eed6

        SHA256

        925023c471e7acd952bfba47b90aeed7273b72762d27992365f94ff48c880ad6

        SHA512

        45089e7db42e35b5e6bfb9fe5c8d9d8152ba786842b4c58959d48df6c8296b3c94236a90cd75060949792f40f052625e01b4a17423bc3a85b7f02f7368dabbbf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        02238fc244f50045f046b2fe5ff2f5d4

        SHA1

        fd3296d46b060d00a4d628d658411d3fd2ef0dcf

        SHA256

        c6185cb2992de7eee5f583094a06ec58395425b132e9e3fc3f2ef1c0df0ecd99

        SHA512

        02997009899851cbdd98426d94e8725953fe6ced26d37e8cbe24482a1f0ac827dc0ced4e4023c8a48fac05699451322368792f695dc6a9999901c1ce4f229667

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        c8f2d2eacb1374982d2a5515115008de

        SHA1

        df6c599dc78ff082d97c1813af76c78dbd745182

        SHA256

        d1780034af707d4776215ce628e23b6c298570cfdd8f0ffd6a61f49fff776691

        SHA512

        e30d138f61c1b9115791c9751bb6a9db4864f6fcc0458dd30492836708ee78bc6e3254861edf9733758b4d49cf4e379764f9a8bac99b6a07b73d97582041072a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        c0ce5bf2fd6ff56a033beee804503a68

        SHA1

        a14b0d3572621b796f04f87c8b5919c8c994e57c

        SHA256

        bb5b1f70922809e6f8f6d06f7e0240e58abd35ea5fa6bbfbace9a169119f4c7f

        SHA512

        7dd99273ccd95726e6223a73f464de5f33bec43ad3003d5f7dc07d0a9fbccefaacfccee82273eadc1b037b129bd785dfbcc6ed46b6e27ffad22bb4e73814111e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        78c641d116abba64852ef62e17a0161c

        SHA1

        012d1c5073efc8d34052c11f9c6f02d15aa64c0f

        SHA256

        38d72e46f22c54b93642c0bf13b91f91c16c1394ea90014fd57978b60bf80fee

        SHA512

        35de4dec6f29782656a851192200b2bdc817d30f649f98c9f9ebdd9d01e38a9aedffa299bef803902c9a42a185d568d9c84ac3c1346782691ffe928a807dae8c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        fb1d9328ce12958a4e93a848752761bc

        SHA1

        3270be978fd7ce70ddc53ccde0fd33907d272990

        SHA256

        dc95e93e88cc345e8dde743578ef1770f524f49cbe3246450a60947fa345c109

        SHA512

        84faedd0b578d2fcbcb13ec5ce1b27fe2ba9ff7632f74b1e0be5858b1bc7a12b71adbacd649e1c760e0873974eabe73b81cfa32de89146856e0d4d8e2bdeb9a6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        959840dff307350651e7ff10c3f97f95

        SHA1

        7af28eb3a6feae230b3e4d899085eeb38402dd98

        SHA256

        c4f3115534ae917de0d572d1f9bf5fb79512bdc0e711449028647f08b30111e7

        SHA512

        d3cc067883fa5f86f620527c5cbdb0d8a31890e18492aaa0f87ddbe7360de57e4bdb236d01eb89b20ec9d1ec67cedf53bcba0f4a83582dc1e9d8913d52e0929e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d320ae76432871282fcac055f7986048

        SHA1

        06b8390eedadfe2e326569c408038852fe56c84e

        SHA256

        de9d42af128c18c2dc21785e26f46db7b726b13b8d5632dc65ab38c5e3704fdf

        SHA512

        a750aad928806a004f762c7ad0363be084eb7074a23a2783192c416be6817001f46cf382e665413cbc75089e5cd2b655c9784e1fc689c884023e789fa5053b0a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        df42723a6905e92098fb4715b9c8ee4b

        SHA1

        416849662f49945406422fd6280bc79553fc85c9

        SHA256

        254ff0a5332497a1374954574bca362e881a57745e24bdd164df09a1fc7908ed

        SHA512

        16a5b26431aaf2cc0802322553c896bc28e00edf422993b8ffba8ec97103775cd26d94b6a049fc09e7e1052b67b2976c7582ba2943ee22efb291c853eb689cf9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        f7af0a793ad218b655b1fde91a9fcfcf

        SHA1

        f98ba8c7f474c8542b0c9049512c60d99596e81d

        SHA256

        212771d0d756906e5b8c4670b25211b62dd09ed1e15f514f35273b6e59ddfaee

        SHA512

        4eb2d1dd005d8513b8f5e6054a0c38a418592a4f85c6b8a90e56dd574edcd34d7130241b6a679a739cdb03dace85fad0fdb40fa5d3a6a5aebd7e6a39ab01b6a3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        69a72aec86b95c447cc030cca02f5ee2

        SHA1

        074be253dc1d0914e6618064cbf935244fce20f5

        SHA256

        0912faa2a480ee64bd8dae0e200777ddda2bf818364a1b01231a5d2351f9e37f

        SHA512

        cbca9c2de6d099550968e854271196fb0680bda06c42f2c47aefd4492c204c80023f7d6ff755520e81234cdb873e5a74e104154e55e2965549b58e0ab8aa6047

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a1763b9f3333d07f7548fbb3e701caeb

        SHA1

        6a0561514faa007c156be427d60e64a24655d629

        SHA256

        4e1d09b4ff82c61398fdc4e03c4eab6ad6647891e2e1e23193034a5966787504

        SHA512

        f51f40d64afafd36198b0abb6a33d5b45cb61974235811c624c1b8d11d044a0eaf063817eb7c2e9d9572cc2829a6a8de6642a722816aef0ca00d3b6b20c74994

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

        Download Submit

      • memory/344-11-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/344-154-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/344-19-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

        Download

      • memory/344-15-0x0000000010410000-0x0000000010475000-memory.dmp

        Filesize

        404KB

        Download

      • memory/344-13-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/344-12-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/344-8-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1480-174-0x0000000074830000-0x0000000074DE1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1480-0-0x0000000074832000-0x0000000074833000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1480-43-0x0000000074832000-0x0000000074833000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1480-39-0x0000000074830000-0x0000000074DE1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1480-3-0x0000000074830000-0x0000000074DE1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1480-2-0x0000000074830000-0x0000000074DE1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1480-1-0x0000000074830000-0x0000000074DE1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/3256-176-0x0000000010560000-0x00000000105C5000-memory.dmp

        Filesize

        404KB

        Download

      • memory/3256-155-0x0000000010560000-0x00000000105C5000-memory.dmp

        Filesize

        404KB

        Download

      • memory/3976-175-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

        Download

      • memory/3976-83-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

        Download

      • memory/3976-21-0x0000000001420000-0x0000000001421000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3976-20-0x0000000000F20000-0x0000000000F21000-memory.dmp

        Filesize

        4KB

        Download