cybergate | a94e7cb212908ebfc2e998b3a593512cc4f7a6a6806096a66cca5b9999b3bd22

General

Target

8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
Size

616KB
MD5

8dbf25cca7bd9737f020444a2b6887c5
SHA1

66b0b233585f4fe7848afbb80abdb1ba73ca8b9f
SHA256

a94e7cb212908ebfc2e998b3a593512cc4f7a6a6806096a66cca5b9999b3bd22
SHA512

50e2bd95f03d390df75d413c942e5bcfd82457b5d51d0380cc20d697bd15ae8f0303e5585d24d5f3004836ce0955746d31c68fd2ec3ba2eed2e8681dba03d1ca
SSDEEP

12288:Ngv4FOR3O5MbBHkZCs9KIVp2TGVt646y2hl/padER+teuM:dFiqCcKIWT4g4Yho4

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

C2

127.0.0.1:220

haso.ddns.net:220

Mutex

BH181I005I4848

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
Driver
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
You need net framework to run this application
message_box_title
Net framework error
password
crocro35
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Driver\\svchost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Driver\\svchost.exe"	vbc.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85FDDC5C-66U0-4E0J-0AUW-33A780GLL2AE}\StubPath = "C:\\Windows\\system32\\Driver\\svchost.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{85FDDC5C-66U0-4E0J-0AUW-33A780GLL2AE}	vbc.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3008-7-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/3008-8-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/3008-11-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/3008-13-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/3008-15-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/3008-14-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/3008-295-0x0000000000400000-0x0000000000478000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\File.exe"	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Driver\\svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Driver\\svchost.exe"	vbc.exe

Drops file in System32 directory 3 IoCs

Processes:

vbc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Driver\svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\Driver\svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\Driver\	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe

description pid process target process

PID 2004 set thread context of 3008 2004 8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe vbc.exe

description	pid	process	target process
PID 2004 set thread context of 3008	2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe

pid	process
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2004 8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

3008 vbc.exe

description	pid	process
Token: SeDebugPrivilege	2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe

pid	process
3008	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 2004 wrote to memory of 3008	2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe	vbc.exe
PID 2004 wrote to memory of 3008	2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe	vbc.exe
PID 2004 wrote to memory of 3008	2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe	vbc.exe
PID 2004 wrote to memory of 3008	2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe	vbc.exe
PID 2004 wrote to memory of 3008	2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe	vbc.exe
PID 2004 wrote to memory of 3008	2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe	vbc.exe
PID 2004 wrote to memory of 3008	2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe	vbc.exe
PID 2004 wrote to memory of 3008	2004	8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe	vbc.exe
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE
PID 3008 wrote to memory of 1264	3008	vbc.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8dbf25cca7bd9737f020444a2b6887c5_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

3

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

3

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/800-275-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/800-271-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1264-19-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/2004-1-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-2-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/2004-3-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2004-0-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-280-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/2004-273-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-269-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/3008-5-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3008-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3008-15-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3008-13-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3008-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3008-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3008-8-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3008-7-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3008-295-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads