Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-01-2025 00:54

General

  • Target

    JaffaCakes118_01036fa60c6ce717acd9746962983353.exe

  • Size

    458KB

  • MD5

    01036fa60c6ce717acd9746962983353

  • SHA1

    bd41017df7c817188f498abc6568f8181f3df12c

  • SHA256

    e566c9eda044fa8824d77dd9d632c33eaac4f188b0f30379113743842ac54cde

  • SHA512

    d75a05a076da8b27509fd0a1300164effa42cd9e30025ec084e98f4d79987b8c9da7d893cb7ed3ddeeb5e381ec0482fcb89be52888e371c960f47febd7ad219d

  • SSDEEP

    6144:THBPd8fAHaBpdSDAYzPFy2j3cLjTuQnJ3m0syAa1XhJZms8MBYQbHqQPQ:RjAYzP82j3QJlsbRxMBYQTE

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

remote

C2

magemaxing.no-ip.org:3458

127.0.0.1:3458

Mutex

WG1CSG04771U34

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    winstart

  • install_file

    winlogon.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    boogaard

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • UPX packed file (12 IoCs)

    Detects executables packed with the open source UPX packer or a modified UPX.

  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01036fa60c6ce717acd9746962983353.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01036fa60c6ce717acd9746962983353.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        PID:2708
        • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
          "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2832
          • C:\Windows\winstart\winlogon.exe
            "C:\Windows\winstart\winlogon.exe"
            4⤵
            • Executes dropped EXE
            PID:2844
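The extracted config (C2 host and port, install_dir/install_file), the Run key and Active Setup signatures and the process tree above together give enough to write host-side detection. The following Python is an added example, not code from the report: it runs a handful of rules over Sysmon-style events (IDs 1, 3, 11 and 13; the field names are an assumption, adapt them to your pipeline). The events are constructed to mirror the tree, and the Run value name and Active Setup GUID in them are placeholders, not values observed on this page.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the report: Malware Config (C2, install_dir/install_file),
# Signatures (policy Run key, Active Setup) and the process tree / dropped files.
C2_HOST = "magemaxing.no-ip.org"
C2_PORT = 3458
INSTALL_PATH = r"c:\windows\winstart\winlogon.exe"
REAL_WINLOGON = r"c:\windows\system32\winlogon.exe"
KEYLOG_FILE = r"\appdata\roaming\cglogs.dat"

RUN_KEY_RE = re.compile(r"\\(policies\\explorer\\run|currentversion\\run)\\", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\active setup\\installed components\\[^\\]+\\stubpath$", re.I)
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the rule names one Sysmon-style event triggers (empty list means clean)."""
    hits: List[str] = []
    eid = ev["EventID"]
    if eid == "13":                                   # registry value set
        target, details = ev["TargetObject"], ev["Details"].lower()
        if RUN_KEY_RE.search(target) and INSTALL_PATH in details:
            hits.append("run_key_persistence")        # plain Run key or Policies\Explorer\Run
        if ACTIVE_SETUP_RE.search(target) and INSTALL_PATH in details:
            hits.append("active_setup_persistence")
    elif eid == "11":                                 # file create
        fname = ev["TargetFilename"].lower()
        if fname == INSTALL_PATH:
            hits.append("winlogon_outside_system32")
        if fname.endswith(KEYLOG_FILE):
            hits.append("keylogger_log_file")
    elif eid == "3":                                  # network connect
        host = ev.get("DestinationHostname", "").lower()
        if host == C2_HOST:
            hits.append("c2_hostname")
        elif int(ev["DestinationPort"]) == C2_PORT and not ev["DestinationIp"].startswith("127."):
            hits.append("c2_port_only")               # weaker: port alone; the config's 127.0.0.1 entry is loopback
    elif eid == "1":                                  # process create
        image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
        if image.endswith("\\winlogon.exe") and image != REAL_WINLOGON:
            hits.append("winlogon_outside_system32")  # the legitimate winlogon.exe lives only in System32
        if image.endswith("\\iexplore.exe") and TEMP_DIR_RE.search(parent):
            hits.append("browser_spawned_from_temp")  # the Crypted.exe -> iexplore.exe edge in the tree
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index every event that fires at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            findings.append((i, hits))
    return findings


# CONSTRUCTED events modelled on the process tree; the Run value name "Winlogon" and
# the all-zero Active Setup GUID are placeholders, not values observed in the report.
EVENTS = [
    {"EventID": "1", "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"},
    {"EventID": "11", "TargetFilename": r"C:\Windows\winstart\winlogon.exe"},
    {"EventID": "13", "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Winlogon",
     "Details": r"C:\Windows\winstart\winlogon.exe"},
    {"EventID": "13", "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath",
     "Details": r"C:\Windows\winstart\winlogon.exe"},
    {"EventID": "11", "TargetFilename": r"C:\Users\Admin\AppData\Roaming\cglogs.dat"},
    {"EventID": "1", "Image": r"C:\Windows\winstart\winlogon.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"},
    {"EventID": "3", "DestinationHostname": "magemaxing.no-ip.org", "DestinationIp": "203.0.113.10",
     "DestinationPort": "3458"},
    # benign: the real winlogon, the loopback C2 entry, an unrelated Run value
    {"EventID": "1", "Image": r"C:\Windows\System32\winlogon.exe", "ParentImage": r"C:\Windows\System32\smss.exe"},
    {"EventID": "3", "DestinationHostname": "", "DestinationIp": "127.0.0.1", "DestinationPort": "3458"},
    {"EventID": "13", "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for index, hits in scan(EVENTS):
        print(index, EVENTS[index]["EventID"], ", ".join(hits))
```

The mutex WG1CSG04771U34 and the password are not visible in event logs; they are for comparing a live host or a memory dump against the extracted config, not for log-based detection.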

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\Crypted.exe

      Filesize

      263KB

      MD5

      4e2e7ffb04baf6fc937b18c37d01a014

      SHA1

      05a5520ee4ee900b706e4eddafee51ff21f7db21

      SHA256

      38820d2faf1fc187cb37456c1ad59a2834972a05f9f8b4a71a280516b9415434

      SHA512

      2dd13e1ed3226f819bca4e2124c4358340bf9b46e3e924082ddb77458c1049930a8937fdb0a5fb00018eaffd8cd0d04a0a529141f317097afd98162848d444d0

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      222KB

      MD5

      e3b214648f5f78662000682607f97cec

      SHA1

      0fd9a861e26ad27dcfaa61e20323588ccbefab7d

      SHA256

      98536577b1511371202d462b6f4b4c4a02801a94233650255191aa8df470597b

      SHA512

      4e79901a66b4775d1f78d610d725073055fc971ad34bf3fd1b4b51c091e45b25b93a9f99f669f82bfadd99a2ee855ec4085d186047d4e9f203b31d67d698ab9a

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      2c6feb7ae1b978dd9cc845f49a2a1be6

      SHA1

      4f165598f3735de8ff06fce7ee47b6200f92bdbb

      SHA256

      a9a8ddd84f7d98933ad8d6c4bb4d19f2d143694589f80ddb7602c2f99572333f

      SHA512

      cb38be1431655913a568d2d5cdd0c7766b9c85af15ff4ca98915977935ac1fa0517ba2ff74c034cb4d455619897ed5aedecd839c3f07a1a5fe96bd1d14c81f63

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      5545115686c868fefa58ada5e18108c2

      SHA1

      8f0cedf7509f8c2ce8c181a20eebf26738978010

      SHA256

      efd2846f0c4184dcc140fab40aac9f08aa48960a3be33ddfbdea85012c903a30

      SHA512

      532bd5029314afba75e4de498695e3794ba053a8c6546a666d4661caf6dadb17416added3de867b554bdc4b90d5d43ffe5495e4f647160221c0cbab16f53d3de

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      16173772a2dfd472bd8b121d5feefe92

      SHA1

      25b804b0314dcd5ae3ec9de8088a1d7f744492ad

      SHA256

      0df5838ee78e7963a134ee67dd7618cf87961f780a3a79516cf8b4bac724265c

      SHA512

      ce5f163db19e277f927b6a7c0715762549158afc170c9d95d7823be4cffbe924b3152f2d7f82390862d8be42422334d807f30039825d5fe03dae086da34f1f94

    • C:\Users\Admin\AppData\Roaming\cglogs.dat

      Filesize

      15B

      MD5

      bf3dba41023802cf6d3f8c5fd683a0c7

      SHA1

      466530987a347b68ef28faad238d7b50db8656a5

      SHA256

      4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

      SHA512

      fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

    • memory/2320-20-0x0000000010480000-0x00000000104E1000-memory.dmp

      Filesize

      388KB

    • memory/2320-15-0x0000000010410000-0x0000000010471000-memory.dmp

      Filesize

      388KB

    • memory/2320-34-0x0000000000220000-0x0000000000273000-memory.dmp

      Filesize

      332KB

    • memory/2320-10-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/2320-343-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/2644-11-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

    • memory/2644-2-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

    • memory/2644-0-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp

      Filesize

      4KB

    • memory/2644-1-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

    • memory/2832-21-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

    • memory/2832-345-0x0000000010480000-0x00000000104E1000-memory.dmp

      Filesize

      388KB

    • memory/2832-368-0x0000000005C80000-0x0000000005CD3000-memory.dmp

      Filesize

      332KB

    • memory/2832-366-0x0000000005C80000-0x0000000005CD3000-memory.dmp

      Filesize

      332KB

    • memory/2832-370-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/2832-373-0x0000000010480000-0x00000000104E1000-memory.dmp

      Filesize

      388KB

    • memory/2832-376-0x0000000005C80000-0x0000000005CD3000-memory.dmp

      Filesize

      332KB

    • memory/2832-377-0x0000000005C80000-0x0000000005CD3000-memory.dmp

      Filesize

      332KB

    • memory/2832-27-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

    • memory/2832-33-0x0000000000350000-0x0000000000351000-memory.dmp

      Filesize

      4KB

    • memory/2832-36-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/2844-372-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB