Analysis

  • max time kernel
    91s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-04-2024 09:53

General

  • Target

    e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe

  • Size

    530KB

  • MD5

    e4a57182974c869d65c629087783dfd4

  • SHA1

    18f6a8c5fb5966d8d674710cd1ec92cf7a9983d0

  • SHA256

    95f29fcaa074f4542eabf71d333d0584017b0e7fef8c54c7df703e57da3f8457

  • SHA512

    7f43ada5fabfc717a7803cff8467192fc300762ea9b5263d91e233eb52a6e4f0a1242b6d1346eb75f49bded3a4ea831a40b4fb90248be99a70100f9f20c635c8

  • SSDEEP

    12288:jHjaJDrU+Dv4ODNFXUpqbfv0HW3XY5KUvJRCESGK:7ja3UGgyNFXUpYf5I5KUxRmL

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

vittimareturn11.no-ip.org:81

Mutex

1624AF8NC22YH6

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    firefox

  • install_file

    firefox.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    non sei abbilitato a questa esecuzione

  • message_box_title

    sistem

  • password

    cybergate

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Executes dropped EXE (2 IoCs)
  • Program crash (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e4a57182974c869d65c629087783dfd4_JaffaCakes118.exe"
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp
      C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp
        C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp
        • Executes dropped EXE
        PID:1404
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 588
        • Program crash
        PID:896
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 596
        • Program crash
        PID:4456
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5076 -ip 5076
    PID:3616
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5076 -ip 5076
    PID:3964

Downloads

  • C:\Users\Admin\AppData\Local\Temp\xgh2E05.tmp
    Filesize

    85KB

    MD5

    05f8aea11bfe4af17976c4474327827a

    SHA1

    773e17e493e3b7e1882ee2d93f2e45beb81b3d6d

    SHA256

    be44bfaefe3cadc61dec4cb85f61af82a528fb048da85bbb92a684e4b89d2738

    SHA512

    0b73ad68f9bfdeaf4dd6e36cc71355e640bff09a9e462e38b33523ac471f536f0f3058f2ea8b4050bde126e2a72a4dfc8b8e7ed55c335fcd3d46ed6156116ad1

  • memory/5076-2-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

  • memory/5076-3-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

  • memory/5076-4-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB