Analysis
Max time kernel: 14s
Max time network: 18s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 18-12-2024 21:15
Static task: static1
Behavioral task: behavioral1
  Sample: fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe
Size: 518KB
MD5: fd259cfefa1dd16178ef6623b8c8399b
SHA1: 65f4e9094b8f1d9b9a843432e1c914dc1d4fe1e2
SHA256: 250355658006933dcbc4c2ccd87ddcd014b3177d97050dccfecf774b114d00d4
SHA512: 3260721f7b43b1141e4d778b9cbfa614e3f59265a428b04b00d22f54d8708be91f0f8b61266ba24488a65de7c59f5a337db8c7936dd80371790a8b1035972f4b
SSDEEP: 12288:sFywNSoOj/RBuCXRINHGoAY984mZmk3Wmqy8uVMvS:QN+RUmRamnY984pkmhy8uqvS
Malware Config
Extracted: cybergate 2.6
vítima
aldhmi.dyndns.biz:82
dxd
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_file: system 32.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: abcd1234
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
Cybergate family
Adds policy Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | crypted.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crypted.exe" | crypted.exe
  Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | crypted.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crypted.exe" | crypted.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{QUA61M0F-I76R-7104-D25X-D8230W608JHK} | crypted.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{QUA61M0F-I76R-7104-D25X-D8230W608JHK}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crypted.exe Restart" | crypted.exe
Executes dropped EXE (1 IoC)
  pid | Process
  2028 | crypted.exe
Loads dropped DLL (1 IoC)
  pid | Process
  2076 | fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crypted.exe" | crypted.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crypted.exe" | crypted.exe
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2076 set thread context of 2028 | 2076 | fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe | 30
Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1536 | 2424 | WerFault.exe | 31
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crypted.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2028 | crypted.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: 33 | 2076 | fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 2076 | fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe
  Token: 33 | 2076 | fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 2076 | fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  2028 | crypted.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2076 | fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs; the report lists only the two distinct entries below, repeated)
  description | pid | Process | procid_target
  PID 2076 wrote to memory of 2028 | 2076 | fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe | 30  (12 identical entries)
  PID 2028 wrote to memory of 1336 | 2028 | crypted.exe | 21  (52 identical entries)
Processes
C:\Windows\Explorer.EXE  (PID 1336)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe  (PID 2076)
    command line: "C:\Users\Admin\AppData\Local\Temp\fd259cfefa1dd16178ef6623b8c8399b_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\crypted.exe_v492682F1\TheApp\STUBEXE\@APPDATALOCAL@\Temp\crypted.exe  (PID 2028)
      command line: C:\Users\Admin\AppData\Local\Temp\crypted.exe
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe  (PID 2424)
        command line: explorer.exe
        - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\WerFault.exe  (PID 1536)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 232
          - Program crash
      C:\Program Files\Internet Explorer\iexplore.exe  (PID 2344)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
MITRE ATT&CK Enterprise v15
Downloads
\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\crypted.exe_v492682F1\TheApp\STUBEXE\@APPDATALOCAL@\Temp\crypted.exe
Filesize: 16KB
MD5: 3d09f19fc258588b0a9406b2baa6cf74
SHA1: 2070d0b98716f2bbd0801e4421b9c916c4924e8e
SHA256: 470bc7e1ec992322b920b5a71c456920ae13b18ea93983bbea3ba07344648d11
SHA512: d31cd795708560319b347e54275becb5d046ce845211098a45a039d10ae7f3eb2d043576be56da7c34b52c966bdbab5dc5ff6e27be400b36d151b5a0d5f498c2