Analysis

  • max time kernel
    151s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2022, 07:23

General

  • Target

    abd62866cbee40bdaf8d3d41b41f6f480527a408edf7eb8fa2f121d32eb698b4.exe

  • Size

    281KB

  • MD5

    68eb7c7ae5f1b6d1dbfca954d42cefdf

  • SHA1

    ffee3029a64d93f7bcf56c6417bfc07902a13d82

  • SHA256

    abd62866cbee40bdaf8d3d41b41f6f480527a408edf7eb8fa2f121d32eb698b4

  • SHA512

    80bf7bd333f6050ca9f436adff69747524ea05f7d135e1f8afcf8517ca46e3f5a6a6f28d63d62245cf381b1cf32350958e52dbb78cc005dde9e7e76e75319bfe

  • SSDEEP

    6144:Oy+phOTwlTIBoFUQ23QIKPhzD61+XEQY48U:L+pw0lIBoMAfN214lf

Malware Config

Extracted

Family

cybergate

Version

v1.11.0

Botnet

MTO

C2

jjleo.no-ip.biz:3333

Mutex

0J4TF557YB86G7

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_file

    svchost

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    jntdkb

  • regkey_hkcu

    HKCU\Windows® NetMeeting

  • regkey_hklm

    HKLM\Windows® NetMeeting

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1444
      • C:\Users\Admin\AppData\Local\Temp\abd62866cbee40bdaf8d3d41b41f6f480527a408edf7eb8fa2f121d32eb698b4.exe
        "C:\Users\Admin\AppData\Local\Temp\abd62866cbee40bdaf8d3d41b41f6f480527a408edf7eb8fa2f121d32eb698b4.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Modifies Installed Components in the registry
          • Suspicious use of AdjustPrivilegeToken
          PID:1136
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Drops startup file
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:776

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

      Filesize

      239KB

      MD5

      f1d834f45410020ad38440af9e05d71c

      SHA1

      5968f4ca5bdd2683a0800bc0af0d1cb3b502fd17

      SHA256

      250b917a36a5f61e0be3bb2b5aa4c7aaf220f637ca027165425eb8efbfc8d238

      SHA512

      5e181e7a7fb588a61334eca77e11a51acb959624f6e2498fd9a98159aa8f3031a7ef68cd445c38e230f614a8e9999e5947140d74f055760ca4e118fa542688cc

    • C:\Windows\svchost

      Filesize

      281KB

      MD5

      68eb7c7ae5f1b6d1dbfca954d42cefdf

      SHA1

      ffee3029a64d93f7bcf56c6417bfc07902a13d82

      SHA256

      abd62866cbee40bdaf8d3d41b41f6f480527a408edf7eb8fa2f121d32eb698b4

      SHA512

      80bf7bd333f6050ca9f436adff69747524ea05f7d135e1f8afcf8517ca46e3f5a6a6f28d63d62245cf381b1cf32350958e52dbb78cc005dde9e7e76e75319bfe

    • memory/776-84-0x0000000010510000-0x0000000010582000-memory.dmp

      Filesize

      456KB

    • memory/776-83-0x0000000010510000-0x0000000010582000-memory.dmp

      Filesize

      456KB

    • memory/776-82-0x0000000010510000-0x0000000010582000-memory.dmp

      Filesize

      456KB

    • memory/1136-69-0x0000000010490000-0x0000000010502000-memory.dmp

      Filesize

      456KB

    • memory/1136-72-0x0000000010490000-0x0000000010502000-memory.dmp

      Filesize

      456KB

    • memory/1136-63-0x0000000074CC1000-0x0000000074CC3000-memory.dmp

      Filesize

      8KB

    • memory/1136-62-0x0000000075351000-0x0000000075353000-memory.dmp

      Filesize

      8KB

    • memory/1248-55-0x0000000010410000-0x0000000010482000-memory.dmp

      Filesize

      456KB

    • memory/1248-64-0x0000000010490000-0x0000000010502000-memory.dmp

      Filesize

      456KB

    • memory/1248-77-0x0000000010510000-0x0000000010582000-memory.dmp

      Filesize

      456KB

    • memory/1444-58-0x0000000010410000-0x0000000010482000-memory.dmp

      Filesize

      456KB