Analysis
-
max time kernel
17s -
max time network
19s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-06-2023 06:24
Behavioral task
behavioral1
Sample
CyberGate v3.4.2.2 Cracked/CyberGate v3.4.2.2 Cracked by The Old Warrior/CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe
Resource
win10v2004-20230621-en
General
-
Target
CyberGate v3.4.2.2 Cracked/CyberGate v3.4.2.2 Cracked by The Old Warrior/server.exe
-
Size
428KB
-
MD5
193642d723ede4bbfc6243fdee330a46
-
SHA1
7f4217ca52d5f5bc0d31405aa8aeabdcc86ae1e7
-
SHA256
022781a00ae035eba4657733106f9d6909ec28f4bcd77b19a0ee215cb7766d85
-
SHA512
faa873ab32649a1607065074a0bda5e3a20ceaa54505244edcee639eb3bb4f74b1976c2b4c4f688ea325d92f9c94ab4fef70c1f77d336861223fbb1a47bab8ed
-
SSDEEP
12288:RuMwnBi8vvrHxVPKyv2m77sZB07FxObO321:RHwU8vrx52t07FQao
Malware Config
Extracted
cybergate
v3.4.2.2
remote
127.0.0.1:999
CyberGate1
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
cybergate
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run server.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" server.exe
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run server.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" server.exe
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} server.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" server.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation server.exe
-
Executes dropped EXE 1 IoCs
pid Process
4560 server.exe
-
resource yara_rule
behavioral2/memory/2540-136-0x0000000010410000-0x0000000010480000-memory.dmp upx
behavioral2/memory/2540-140-0x0000000010480000-0x00000000104F0000-memory.dmp upx
behavioral2/memory/2540-200-0x00000000104F0000-0x0000000010560000-memory.dmp upx
behavioral2/memory/2216-278-0x00000000104F0000-0x0000000010560000-memory.dmp upx
behavioral2/memory/2216-1411-0x00000000104F0000-0x0000000010560000-memory.dmp upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
2540 server.exe
2540 server.exe
4560 server.exe
4560 server.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 2216 explorer.exe
Token: SeDebugPrivilege 2216 explorer.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2540 server.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2540 wrote to memory of 4896 2540 server.exe 83
(this identical entry is repeated 64 times in the report)
Processes
-
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), depth 1, PID:3132
  - C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe (command line: "C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe"), depth 2, PID:2540
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"), depth 3, PID:4896
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), depth 3, PID:2216
      - Suspicious use of AdjustPrivilegeToken
    - C:\directory\CyberGate\install\server.exe (command line: "C:\directory\CyberGate\install\server.exe"), depth 3, PID:4560
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads