cybergate | 95f29fcaa074f4542eabf71d333d0584017b0e7fef8c54c7df703e57da3f8457

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-04-2024 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe
Size

530KB
MD5

e4a57182974c869d65c629087783dfd4
SHA1

18f6a8c5fb5966d8d674710cd1ec92cf7a9983d0
SHA256

95f29fcaa074f4542eabf71d333d0584017b0e7fef8c54c7df703e57da3f8457
SHA512

7f43ada5fabfc717a7803cff8467192fc300762ea9b5263d91e233eb52a6e4f0a1242b6d1346eb75f49bded3a4ea831a40b4fb90248be99a70100f9f20c635c8
SSDEEP

12288:jHjaJDrU+Dv4ODNFXUpqbfv0HW3XY5KUvJRCESGK:7ja3UGgyNFXUpYf5I5KUxRmL

Score

10^/10

cybergate remote stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

vittimareturn11.no-ip.org:81

Mutex

1624AF8NC22YH6

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
firefox
install_file
firefox.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
non sei abbilitato a questa esecuzione
message_box_title
sistem
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 2 IoCs

Processes:

xgh44DD.tmpxgh44DD.tmp

pid process

2164 xgh44DD.tmp
2504 xgh44DD.tmp
Loads dropped DLL 2 IoCs

Processes:

e4a57182974c869d65c629087783dfd4_JaffaCakes118.exexgh44DD.tmp

pid process

2084 e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe
2164 xgh44DD.tmp

pid	process
2164	xgh44DD.tmp
2504	xgh44DD.tmp

pid	process
2084	e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe
2164	xgh44DD.tmp

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e4a57182974c869d65c629087783dfd4_JaffaCakes118.exexgh44DD.tmp

description	pid	process	target process
PID 2084 wrote to memory of 2164	2084	e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe	xgh44DD.tmp
PID 2084 wrote to memory of 2164	2084	e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe	xgh44DD.tmp
PID 2084 wrote to memory of 2164	2084	e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe	xgh44DD.tmp
PID 2084 wrote to memory of 2164	2084	e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe	xgh44DD.tmp
PID 2164 wrote to memory of 2504	2164	xgh44DD.tmp	xgh44DD.tmp
PID 2164 wrote to memory of 2504	2164	xgh44DD.tmp	xgh44DD.tmp
PID 2164 wrote to memory of 2504	2164	xgh44DD.tmp	xgh44DD.tmp
PID 2164 wrote to memory of 2504	2164	xgh44DD.tmp	xgh44DD.tmp

C:\Users\Admin\AppData\Local\Temp\e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084

C:\Users\Admin\AppData\Local\Temp\xgh44DD.tmp
C:\Users\Admin\AppData\Local\Temp\xgh44DD.tmp
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\xgh44DD.tmp
C:\Users\Admin\AppData\Local\Temp\xgh44DD.tmp
3⤵
- Executes dropped EXE
PID:2504

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\xgh44DD.tmp
Filesize
85KB

MD5
05f8aea11bfe4af17976c4474327827a

SHA1
773e17e493e3b7e1882ee2d93f2e45beb81b3d6d

SHA256
be44bfaefe3cadc61dec4cb85f61af82a528fb048da85bbb92a684e4b89d2738

SHA512
0b73ad68f9bfdeaf4dd6e36cc71355e640bff09a9e462e38b33523ac471f536f0f3058f2ea8b4050bde126e2a72a4dfc8b8e7ed55c335fcd3d46ed6156116ad1

Download Submit
memory/2164-4-0x0000000000100000-0x000000000014F000-memory.dmp

Filesize
316KB

Download
memory/2164-5-0x0000000000100000-0x000000000014F000-memory.dmp

Filesize
316KB

Download
memory/2164-6-0x0000000000100000-0x000000000014F000-memory.dmp

Filesize
316KB

Download