Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    205s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 17:32

General

  • Target

    cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe

  • Size

    552KB

  • MD5

    b1c5c7e1e68a9fa96181913679b4bdbc

  • SHA1

    7b7ff433011cb9e00e3dbbacd3de90c5509e53a1

  • SHA256

    cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c

  • SHA512

    ca8116bbf18aff88fc21a789a9dfbf0c00cec955a272c9359c357f393f41a3d864969b14a0000f9eceebcdcb5fa1334b9d71420a00229c59b3284d25bb58820f

  • SSDEEP

    12288:aSNwanCWMXw2tLteRwjkxuSNB6giWmjVv3XJx:aSGanCgSgwYiDFH

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

mike

C2

iamgreatl33t.no-ip.org:1723

Mutex

EUB6MQ52B01S78

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    blade

  • install_file

    csc.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe
    "C:\Users\Admin\AppData\Local\Temp\cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:3816
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          3⤵
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:4188
          • C:\blade\csc.exe
            "C:\blade\csc.exe"
            4⤵
            • Executes dropped EXE
            PID:5100

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

      Filesize

      224KB

      MD5

      137e95613ebd406a01bda0b8ac115d95

      SHA1

      2dd73595f7ca917a8d4d0f983055e8efc893c683

      SHA256

      60d3235643c895b206c5f342b3e3c308660c84b1ed0caf183d34513b5b1a5df2

      SHA512

      a3af999a4adcdb93f4fd7383050a07cb952f7f60f0148ae7659d2c0368332c247a98e5ab1655936cc80361ca75f5b74ef43908c0d7222ec82852627f0dfdc240

    • C:\blade\csc.exe

      Filesize

      1.1MB

      MD5

      d881de17aa8f2e2c08cbb7b265f928f9

      SHA1

      08936aebc87decf0af6e8eada191062b5e65ac2a

      SHA256

      b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

      SHA512

      5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

    • C:\blade\csc.exe

      Filesize

      1.1MB

      MD5

      d881de17aa8f2e2c08cbb7b265f928f9

      SHA1

      08936aebc87decf0af6e8eada191062b5e65ac2a

      SHA256

      b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

      SHA512

      5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

    • memory/1436-139-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

    • memory/1436-137-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

    • memory/1436-136-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

    • memory/1436-141-0x0000000010410000-0x0000000010475000-memory.dmp

      Filesize

      404KB

    • memory/1436-146-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB

    • memory/1436-149-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

    • memory/1436-134-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

    • memory/3484-138-0x0000000075190000-0x0000000075741000-memory.dmp

      Filesize

      5.7MB

    • memory/3484-132-0x0000000075190000-0x0000000075741000-memory.dmp

      Filesize

      5.7MB

    • memory/4188-151-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB

    • memory/4188-154-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB

    • memory/4188-150-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB