Analysis

max time kernel:  118s
max time network: 119s
platform:         windows7_x64
resource:         win7-20240220-en
resource tags:    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted:        24-06-2024 10:40

Static task:      static1
Behavioral task:  behavioral1
  Sample:   0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
  Resource: win7-20240220-en
General

Target: 0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
Size:   1.4MB
MD5:    0806b29c44e2328b884d8f3d1733ab98
SHA1:   3720afe7fcddb259001fc0546f0a51b31c888e34
SHA256: 978120e164b27555838cc38b3ea91aa0c286cb61228b5c0f0dba30ac1c807e8e
SHA512: 37e3497336a303bc0fbd31162696b86cfe8fe11fc187edcc1e3095a181bc0e59468293e151c031ae4885f48fd138f37489af78da927b9afea9e295a7c2a7bfe7
SSDEEP: 24576:/l3puR/jIzc/y6dW2fVH+/FI2c65wgPlEo/CAv4kswYdbCx2j86DPOd:/38/jIqJfA/Fk6p9EuCAvmdG27Od
Malware Config

Extracted
Family:  cybergate
Version: v1.07.5
Botnet:  Cyber
C2:      ownedagain.no-ip.biz:2333
         127.0.0.1:2333
Mutex:   D512UPORS20W4Y

Attributes
enable_keylogger:      true
enable_message_box:    false
ftp_directory:         ./logs/
ftp_interval:          30
injected_process:      Svchost.exe
install_dir:           Svchosts
install_file:          Svchost.exe
install_flag:          true
keylogger_enable_ftp:  false
message_box_caption:   Remote Administration anywhere in the world.
message_box_title:     CyberGate
password:              123456
regkey_hkcu:           HKCU
regkey_hklm:           HKLM
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process                                              target process
  PID 1640 set thread context of 2976  1640  0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe  0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   process
  Token: SeDebugPrivilege   1640  0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (12 IoCs, all twelve events identical)
  description                      pid   process                                              target process
  PID 1640 wrote to memory of 2976  1640  0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe  0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe

Read together: PID 1640 (the submitted binary) enabled SeDebugPrivilege, launched a second instance of its own executable (PID 2976, see Processes), wrote into it twelve times and then reset that process's thread context. That write-then-SetThreadContext sequence into a self-spawned child is the process-hollowing (RunPE) pattern, and the 1.1MB region at 0x400000-0x514000 dumped from PID 2976 (see Downloads) is the image that was written in.
Processes

1. C:\Users\Admin\AppData\Local\Temp\0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
      command line: C:\Users\Admin\AppData\Local\Temp\0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
      (child of 1, same executable)
Network
MITRE ATT&CK Matrix
Downloads

memory dump                                                      size
memory/1640-0-0x00000000741A1000-0x00000000741A2000-memory.dmp   4KB
memory/1640-1-0x00000000741A0000-0x000000007474B000-memory.dmp   5.7MB
memory/1640-2-0x00000000741A0000-0x000000007474B000-memory.dmp   5.7MB
memory/1640-18-0x00000000741A0000-0x000000007474B000-memory.dmp  5.7MB
memory/2976-3-0x0000000000400000-0x0000000000514000-memory.dmp   1.1MB
memory/2976-5-0x0000000000400000-0x0000000000514000-memory.dmp   1.1MB
memory/2976-6-0x0000000000400000-0x0000000000514000-memory.dmp   1.1MB
memory/2976-7-0x0000000000400000-0x0000000000514000-memory.dmp   1.1MB
memory/2976-9-0x0000000000400000-0x0000000000514000-memory.dmp   1.1MB
memory/2976-11-0x0000000000400000-0x0000000000514000-memory.dmp  1.1MB
memory/2976-13-0x0000000000400000-0x0000000000514000-memory.dmp  1.1MB
memory/2976-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
memory/2976-17-0x0000000000400000-0x0000000000514000-memory.dmp  1.1MB
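The Signatures and Downloads sections above carry enough to turn this report into a hollowing detector: a parent PID that both writes into a child and resets its thread context, plus the child's largest dumped region. The following is an added example, not code from the sandbox or from the CyberGate sample. It parses constructed input in the same shape as this report's signature rows and memory-dump names (three of the twelve WriteProcessMemory rows, with PIDs, image name and addresses taken from the report) and reports each (source, target) pair that matches the pattern, together with the source's token privileges and the target's largest dumped range.

```python
"""Process-hollowing triage over sandbox signature events (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

IMG = "0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe"

# Constructed sample input mirroring this report's signature tables and dump names.
SAMPLE_EVENTS = f"""
Token: SeDebugPrivilege 1640 {IMG}
PID 1640 set thread context of 2976 1640 {IMG} {IMG}
PID 1640 wrote to memory of 2976 1640 {IMG} {IMG}
PID 1640 wrote to memory of 2976 1640 {IMG} {IMG}
PID 1640 wrote to memory of 2976 1640 {IMG} {IMG}
"""
SAMPLE_DUMPS = """
memory/1640-0-0x00000000741A1000-0x00000000741A2000-memory.dmp
memory/1640-1-0x00000000741A0000-0x000000007474B000-memory.dmp
memory/2976-7-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2976-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
"""

# Row shapes: "PID <src> <verb> of <dst> <src> <src image> <dst image>"
SETCTX = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
PRIV = re.compile(r"^Token: (Se\w+Privilege) (\d+) \S+$")
DUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Pair:
    """Cross-process activity from one source PID into one target PID."""
    src_image: str
    dst_image: str
    set_thread_context: int = 0
    write_process_memory: int = 0


def parse_events(text):
    """Return ({(src_pid, dst_pid): Pair}, {pid: {privilege, ...}})."""
    pairs, privs = {}, defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if m := PRIV.match(line):
            privs[int(m.group(2))].add(m.group(1))
            continue
        for rx, attr in ((SETCTX, "set_thread_context"), (WPM, "write_process_memory")):
            if m := rx.match(line):
                key = (int(m.group(1)), int(m.group(2)))
                pair = pairs.setdefault(key, Pair(m.group(3), m.group(4)))
                setattr(pair, attr, getattr(pair, attr) + 1)
    return pairs, privs


def parse_dumps(text):
    """Return {pid: {(start, end), ...}} from memory dump file names."""
    regions = defaultdict(set)
    for raw in text.splitlines():
        if m := DUMP.match(raw.strip()):
            regions[int(m.group(1))].add((int(m.group(2), 16), int(m.group(3), 16)))
    return regions


def largest_region(regions, pid):
    """Biggest dumped range for pid, or None. In a hollowed child this is the
    image that was written in (0x400000-0x514000 here), not the 4KB PEB page."""
    if pid not in regions:
        return None
    return max(regions[pid], key=lambda r: r[1] - r[0])


def find_hollowing(events_text, dumps_text):
    """One finding per (src, dst) pair that was both written to and had its
    thread context reset; same_image marks the self-spawned CyberGate case."""
    pairs, privs = parse_events(events_text)
    regions = parse_dumps(dumps_text)
    findings = []
    for (src, dst), p in pairs.items():
        # Either call alone is common (debuggers, installers); both into the
        # same target is the hollowing signature.
        if p.set_thread_context == 0 or p.write_process_memory == 0:
            continue
        findings.append({
            "src": src,
            "dst": dst,
            "same_image": p.src_image == p.dst_image,
            "set_thread_context": p.set_thread_context,
            "write_process_memory": p.write_process_memory,
            # SeDebugPrivilege is not needed to write into your own child;
            # asking for it anyway is an extra signal worth recording.
            "src_privileges": sorted(privs.get(src, ())),
            "injected_region": largest_region(regions, dst),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_EVENTS, SAMPLE_DUMPS):
        start, end = f["injected_region"]
        print(f"hollowing: {f['src']} -> {f['dst']} same_image={f['same_image']} "
              f"wpm={f['write_process_memory']} region=0x{start:X}-0x{end:X} "
              f"({(end - start) / 1024 / 1024:.1f}MB)")
```

The 0x400000-0x514000 range recovered for PID 2976 is the one to carve from the dump and hash separately: it is the unpacked CyberGate payload, whereas the 5.7MB ranges under PID 1640 are a mapped module, not injected code.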