cybergate | eeabe02e0fa4565fb1f457ce4ac18c2277952c22611b60ee12b247420c835ba0

General

Target

f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
Size

959KB
MD5

f31fecbcb0acbf89cd6ecc7faf75a74f
SHA1

24407986373944da4db3e760fc1b8d85f31e8b7d
SHA256

eeabe02e0fa4565fb1f457ce4ac18c2277952c22611b60ee12b247420c835ba0
SHA512

5f3a6a0aa95920089288ee29fd9c7b08fe67bbf9bd82fc4ff6d6815efb1cd55ff736ceceda8f400210c930d6dab89b7926e7a705ebc6ba0bbcaf06a84e6b6c12
SSDEEP

12288:xAflYGwPhjV8oZeJlf+NKI9//b/BasNWL/wi80ZSnC8ok/3lj85Hl0OtSc:Of6RGfATBea00nC8F18RlUc

Score

10^/10

cybergate remote stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.11.0 - Public Version

Botnet

remote

C2

darkcum.no-ip.org:200

Mutex

2EE6DY5JK6021X

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
betty1

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Drops startup file 2 IoCs

Processes:

f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exef31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

pid process

1756 f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
2576 f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

pid	process
1756	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
2576	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

Loads dropped DLL 5 IoCs

Processes:

f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

pid	process
3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\install\server.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

description	pid	process	target process
PID 3028 set thread context of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exef31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Roaming\f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
C:\Users\Admin\AppData\Roaming\f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Roaming\f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Roaming\f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe"
3⤵
- Executes dropped EXE
PID:2576

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\setup.dll
Filesize
13KB

MD5
2caa9a96e2b3d1a1f4293f8e9141b05b

SHA1
39aeb06f87c6d2a6d8b073651b613aa9513c74a5

SHA256
5db938dca7d1aef88eec9f84f410ce05a95f8bf6a3ec53d28b8d1546cbac2055

SHA512
ac84b2b939467de7e0e757c04da85c2accb5f4afa899fcf9f845c305cbc550e0bd00030b8120a8093c8b69f13aeb96bbbe6e58189243155f54dd50943fdb6cc9

Download Submit
\Users\Admin\AppData\Roaming\f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
Filesize
16KB

MD5
bf96ec1265858f2fd625fde9676df9cb

SHA1
87f9cef55f659e40c05511467fc88dc197a781c5

SHA256
9c5d1379dba042d6d8b2b845fbeec7cfb1d72f28e1cc7f9705729329c86066bb

SHA512
75caa907c6558aaf04a496c9ca4c8375a1c9434ac181ce9b425b4483eafb28046984f98b1b02d5369122c14c27742c88a5e796982e15e432ff50bb4089714b9d

Download Submit
memory/1756-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1756-25-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1756-50-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1756-19-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1756-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1756-21-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1756-22-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1756-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1756-32-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1756-31-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1756-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1756-28-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1756-30-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2576-37-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2576-43-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/3028-0-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/3028-2-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/3028-51-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/3028-53-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download

description	pid	process	target process
PID 3028 wrote to memory of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 3028 wrote to memory of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 3028 wrote to memory of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 3028 wrote to memory of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 3028 wrote to memory of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 3028 wrote to memory of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 3028 wrote to memory of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 3028 wrote to memory of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 3028 wrote to memory of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 3028 wrote to memory of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 3028 wrote to memory of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 3028 wrote to memory of 1756	3028	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 1756 wrote to memory of 2576	1756	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 1756 wrote to memory of 2576	1756	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 1756 wrote to memory of 2576	1756	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 1756 wrote to memory of 2576	1756	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 1756 wrote to memory of 2576	1756	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 1756 wrote to memory of 2576	1756	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 1756 wrote to memory of 2576	1756	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 1756 wrote to memory of 2576	1756	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe
PID 1756 wrote to memory of 2576	1756	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe	f31fecbcb0acbf89cd6ecc7faf75a74f_JaffaCakes118.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads