Analysis
- max time kernel: 4s
- max time network: 4s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/03/2025, 14:21
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe
Resource: win7-20240729-en
Errors
General
- Target: JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe
- Size: 308KB
- MD5: 87419cb6f1e5f701cdcb756106371e2c
- SHA1: 02b16c73e50afb72267fa3dcaee386cb4f0f50f3
- SHA256: 1b5245e601685a58e4d2a3c3707deac6b79168c4a7ce82e4708f4060fdcc1b77
- SHA512: 7a2e7d5afa01569a599d4363a9128344b7056ca138cefb1b34638f5aa994c79f147af25832ae7e815339aa4997adacdd7451767e80074cb3cfc2e2c6517b418c
- SSDEEP: 6144:t1VQ6WIEn19wCeQMBbnTLUVp4NU/IQ8N//F7oat0nXleSq4lgwfLOZyCK/V:tjQ6Wfn1p4ZTLUXOGId/6g6XESq4awak
Malware Config
Extracted
- Family: cybergate
- Version: v1.07.5
- Botnet: Cyber
- C2: cyberserver.no-ip.biz:3080
- Mutex: 156FV6SGEVUD87
Attributes
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: WinRT32.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Cybergate family

Adds policy Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: winhost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\WinRT32.exe" (process: winhost.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: winhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\WinRT32.exe" (process: winhost.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1IL283TW-IAKK-AOO8-LTE7-M84LT22S46P2} (process: winhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1IL283TW-IAKK-AOO8-LTE7-M84LT22S46P2}\StubPath = "C:\\Windows\\system32\\install\\WinRT32.exe Restart" (process: winhost.exe)
Executes dropped EXE (1 IoC)
- PID 1952: winhost.exe

Loads dropped DLL (1 IoC)
- PID 1348: winhost.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe" (process: JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\WinRT32.exe" (process: winhost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\WinRT32.exe" (process: winhost.exe)
Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\install\WinRT32.exe (process: winhost.exe)
- File opened for modification: C:\Windows\SysWOW64\install\WinRT32.exe (process: winhost.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 932 set thread context of 1952 (process: JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe, procid_target: 89)

YARA matches (resource / yara_rule)
- behavioral2/memory/1952-16-0x0000000010410000-0x0000000010475000-memory.dmp: upx
- behavioral2/memory/1952-19-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral2/memory/1952-24-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral2/memory/1952-28-0x00000000104F0000-0x0000000010555000-memory.dmp: upx
- behavioral2/memory/1952-31-0x0000000010560000-0x00000000105C5000-memory.dmp: upx
- behavioral2/memory/1348-94-0x0000000010560000-0x00000000105C5000-memory.dmp: upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
- PID 2144 (WerFault.exe), pid_target 1784, procid_target 91

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: winhost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: winhost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 932: JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe
- PID 1952: winhost.exe
- PID 1952: winhost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 932 (process: JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe)
- Token: SeDebugPrivilege, PID 932 (process: JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe)

Suspicious use of FindShellTrayWindow (1 IoC)
- PID 1952: winhost.exe

Suspicious use of UnmapMainImage (1 IoC)
- PID 932: JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe

Suspicious use of WriteProcessMemory (64 IoCs)
The report lists 64 entries, made up of the following two events repeated:
- PID 932 wrote to memory of 1952 (process: JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe, procid_target: 89), listed 13 times
- PID 1952 wrote to memory of 3440 (process: winhost.exe, procid_target: 56), listed 51 times
Processes
- C:\Windows\Explorer.EXE (PID 3440)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe (PID 932)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87419cb6f1e5f701cdcb756106371e2c.exe"
    signatures:
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\winhost.exe (PID 1952)
      command line: C:\Users\Admin\AppData\Local\Temp\winhost.exe
      signatures:
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (PID 1784)
        command line: explorer.exe
        signatures:
        - System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\WerFault.exe (PID 2144)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 144
          signatures:
          - Program crash
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 4636)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Users\Admin\AppData\Local\Temp\winhost.exe (PID 1348)
        command line: "C:\Users\Admin\AppData\Local\Temp\winhost.exe"
        signatures:
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\install\WinRT32.exe (PID 4356)
        command line: "C:\Windows\system32\install\WinRT32.exe"
- C:\Windows\SysWOW64\WerFault.exe (PID 4192)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1784 -ip 1784
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (2)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (2)
Downloads
- Filesize: 224KB
  MD5: c726e64d6fa2c26ba0586d5d9e2f756b
  SHA1: 83e18a5e19a23a8597dc4ab7ce4fca5fe688c0b5
  SHA256: 436171fbccc7069fec70168a4eeb79b0a1c093eca9f43c67aa01bd5ee3b5ca8e
  SHA512: 0a6df6304288f07a02979e3241a86027a3ec00d4fa9116d857189fa9bf08b1d76ae4b1510c9d4d84d7aeca84287b37ad26fc7ee10805cde0b948710999d661d5
- Filesize: 34KB
  MD5: e118330b4629b12368d91b9df6488be0
  SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
  SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
  SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0