Analysis

  • max time kernel
    147s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-01-2025 15:33

General

  • Target

    JaffaCakes118_ada507f4f1a73c25f4425b649b6a4483.exe

  • Size

    198KB

  • MD5

    ada507f4f1a73c25f4425b649b6a4483

  • SHA1

    95e0c83f1aae90f95d77a905f1b7d0eb8d077eee

  • SHA256

    9dab7b4fd164f3ec579ccfc14743c5bc82fa734bf4b518d046321875512712d4

  • SHA512

    f9a6c57a6bf40c46914558510c064a0ebebe05c3d10d45a04b677d8b431fe72e4bd13af98e2d0df77df44e5a76111debeedfb9ace2acd35d9c9ad7f76f09abf9

  • SSDEEP

    3072:ZiG9l4CUKsJNWqxObeItPPjtq0svSa51sH4fdJ+KQSJNSY/ne7w:DAKsJNxAbeICYa51T3VnUw

Malware Config

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • UPX packed file (4 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ada507f4f1a73c25f4425b649b6a4483.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ada507f4f1a73c25f4425b649b6a4483.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      PID:2616
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ada507f4f1a73c25f4425b649b6a4483.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ada507f4f1a73c25f4425b649b6a4483.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2664

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      137KB

      MD5

      dbc2c6deedc5023447458859f499bffe

      SHA1

      e1bbdb957f23afa4f048771fd392d0eeffee7474

      SHA256

      6c18e4e53cb59b9fa8070490d150547fbfe391d931aea55672222b9e68327062

      SHA512

      1b7aba815011e56c2e3c22987d3e213a46c7551a1766646540fc9ab3014b60c298ca3be16a9fa216aeaed69929512da7f4509d3299a4d9493bf798902f90182e

    • C:\Users\Admin\AppData\Roaming\logs.dat

      Filesize

      15B

      MD5

      86f3c87caff4d7973404ff22c664505b

      SHA1

      245bc19c345bc8e73645cd35f5af640bc489da19

      SHA256

      e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

      SHA512

      0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

    • memory/2664-16-0x0000000000350000-0x0000000000351000-memory.dmp

      Filesize

      4KB

    • memory/2664-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

    • memory/2664-7-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

    • memory/2664-239-0x0000000024050000-0x000000002408C000-memory.dmp

      Filesize

      240KB

    • memory/2664-266-0x0000000024050000-0x000000002408C000-memory.dmp

      Filesize

      240KB

    • memory/3040-6-0x0000000024050000-0x000000002408C000-memory.dmp

      Filesize

      240KB

    • memory/3040-2-0x0000000024010000-0x000000002404C000-memory.dmp

      Filesize

      240KB