Analysis

  • max time kernel
    94s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/01/2025, 03:38 UTC

General

  • Target

    JaffaCakes118_69cc26a8330862cb0cc196b9385aa686.exe

  • Size

    652KB

  • MD5

    69cc26a8330862cb0cc196b9385aa686

  • SHA1

    f89297386a1b185905cf35dc4c11625026790b76

  • SHA256

    2b5f78ebd2a92f8bc613eb09530bb29cf6efd34bba6e8bcdbfc7fc8921795fc7

  • SHA512

    5bd88b225994c8f68d7bb9b90c0465f0f726afe3928140bc8e52216f7c40e492514476c150d7f78fb21bc83896aa1a50df555d834eecf082439cd66999e6ebe3

  • SSDEEP

    12288:mroLgrnL+O1ynwOpN4stjEjoJdiXi5Bx0bDntCyc5MBNeW:mroLgXNynwOpzjEjadiX2IbMTen

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

3ldiosfenix

C2

3ldiosfenix.no-ip.org:3080

Mutex

2F1MVDCT882ION

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • ftp_password

    jfc/sbn9674517

  • ftp_port

    21

  • ftp_server

    ftp.webcindario.com

  • ftp_username

    by3ldiosfenix

  • injected_process

    explorer.exe

  • install_dir

    system32

  • install_file

    win32.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69cc26a8330862cb0cc196b9385aa686.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69cc26a8330862cb0cc196b9385aa686.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69cc26a8330862cb0cc196b9385aa686.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69cc26a8330862cb0cc196b9385aa686.exe
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:1324
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 532
        3⤵
        • Program crash
        PID:4388
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 540
        3⤵
        • Program crash
        PID:1384
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1324 -ip 1324
    1⤵
      PID:4500
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1324 -ip 1324
      1⤵
        PID:428

      Network

      • flag-us
        DNS
        133.211.185.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        133.211.185.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        83.210.23.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        83.210.23.2.in-addr.arpa
        IN PTR
        Response
        83.210.23.2.in-addr.arpa
        IN PTR
        a2-23-210-83deploystaticakamaitechnologiescom
      • flag-us
        DNS
        138.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        138.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        7.98.22.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        7.98.22.2.in-addr.arpa
        IN PTR
        Response
        7.98.22.2.in-addr.arpa
        IN PTR
        a2-22-98-7deploystaticakamaitechnologiescom
      • flag-us
        DNS
        7.98.22.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        7.98.22.2.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        7.98.22.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        7.98.22.2.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        241.150.49.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.150.49.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.150.49.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.150.49.20.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        241.150.49.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.150.49.20.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        217.106.137.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.106.137.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.42.69.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.42.69.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        182.129.81.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        182.129.81.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        182.129.81.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        182.129.81.91.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        14.227.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        14.227.111.52.in-addr.arpa
        IN PTR
        Response
      No results found
      • 8.8.8.8:53
        133.211.185.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        133.211.185.52.in-addr.arpa

      • 8.8.8.8:53
        83.210.23.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        83.210.23.2.in-addr.arpa

      • 8.8.8.8:53
        138.32.126.40.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        138.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        7.98.22.2.in-addr.arpa
        dns
        204 B
        129 B
        3
        1

        DNS Request

        7.98.22.2.in-addr.arpa

        DNS Request

        7.98.22.2.in-addr.arpa

        DNS Request

        7.98.22.2.in-addr.arpa

      • 8.8.8.8:53
        241.150.49.20.in-addr.arpa
        dns
        216 B
        158 B
        3
        1

        DNS Request

        241.150.49.20.in-addr.arpa

        DNS Request

        241.150.49.20.in-addr.arpa

        DNS Request

        241.150.49.20.in-addr.arpa

      • 8.8.8.8:53
        217.106.137.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        217.106.137.52.in-addr.arpa

      • 8.8.8.8:53
        50.23.12.20.in-addr.arpa
        dns
        70 B
        156 B
        1
        1

        DNS Request

        50.23.12.20.in-addr.arpa

      • 8.8.8.8:53
        241.42.69.40.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        241.42.69.40.in-addr.arpa

      • 8.8.8.8:53
        182.129.81.91.in-addr.arpa
        dns
        144 B
        147 B
        2
        1

        DNS Request

        182.129.81.91.in-addr.arpa

        DNS Request

        182.129.81.91.in-addr.arpa

      • 8.8.8.8:53
        14.227.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        14.227.111.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • memory/1324-7-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

      • memory/1324-5-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

      • memory/1324-4-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

      • memory/1324-3-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

      • memory/1324-11-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

      • memory/2420-0-0x0000000000400000-0x000000000045A000-memory.dmp

        Filesize

        360KB

      • memory/2420-6-0x0000000000400000-0x000000000045A000-memory.dmp

        Filesize

        360KB
