cybergate | e5a5ddfd3726e56e9dd8671cffeb415f29e3c81b5dda36a8483d81659fd44d39

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe
Size

502KB
MD5

307376c3bc70be7e27a4da7c51ee1121
SHA1

cae0674af06a6b623d1cc66d3fdd4e8aafd8e258
SHA256

e5a5ddfd3726e56e9dd8671cffeb415f29e3c81b5dda36a8483d81659fd44d39
SHA512

d6f7afecacb88b1d82d1c323bf6f97b8c71382aaf7d80c4c7f7a1142dcdf24a6f836c38b6f4b166c28558ff4c80f55ac0d0a93b1f35d590ae68457686321481c
SSDEEP

12288:Pt4Rx/JDRFLswlO3J5R2PpIPavXF6CH6dm8xNr5GYto:Pt4j9R5JQXRWIPCHje9GYq

Score

10^/10

cybergate 0 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

spynet20.no-ip.info:83

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
1231077r
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	14874.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\14874.exe"	14874.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	14874.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\14874.exe"	14874.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GAJS22C3-6VR3-1U73-7GLP-52LMT142M7R0}	14874.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GAJS22C3-6VR3-1U73-7GLP-52LMT142M7R0}\StubPath = "C:\\Windows\\system32\\14874.exe Restart"	14874.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GAJS22C3-6VR3-1U73-7GLP-52LMT142M7R0}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GAJS22C3-6VR3-1U73-7GLP-52LMT142M7R0}\StubPath = "C:\\Windows\\system32\\14874.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3508	14874.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023289-13.dat	upx
behavioral2/memory/3508-17-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral2/memory/3508-1368-0x0000000000400000-0x00000000004AD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\14874.exe"	14874.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\14874.exe"	14874.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\14874.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\	explorer.exe
File created	C:\Windows\system32\14874.exe	307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\14874.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\	explorer.exe
File created	C:\Windows\SysWOW64\14874.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3508	14874.exe
3508	14874.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3180	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3180	explorer.exe
Token: SeDebugPrivilege	3180	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3508	14874.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3508	3068	307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe	85
PID 3068 wrote to memory of 3508	3068	307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe	85
PID 3068 wrote to memory of 3508	3068	307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe	85
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56
PID 3508 wrote to memory of 3440	3508	14874.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\14874.exe
    "C:\Windows\system32\14874.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Drops file in System32 directory
      PID:2040
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
e54f4c6a7306cb5fecb2ab00b8ff4845

SHA1
8e48cea7dd292ccce28e80bdae53de994717b01c

SHA256
74f537652f21dccaef32d880208107e9d2e0579c8fb9e28314af364079184608

SHA512
55745017322403147bd99a59c45f017543fd7ead638fddd16be431e11ef05c8945cf43c807e171b88d6652747f7e062f6c99d53a2efa5ab47de462c55003d3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c515d956b160a9bdb1aa78f04cb78b59

SHA1
c16a4eca7726e80e55e8f41d77adb1d7f675fd47

SHA256
1e021175ca33aaa7b35fa47edec6f37ca8bee9831245ebe675273900c399082b

SHA512
78bd863b905ad3b7efc837a898322219aae70af1de208bc3089b85842e241312ddb885db61f62256d6340d161f7555543a1885672b3925d96502e061c563127b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b24bff817567995292ab5aa614fa22bd

SHA1
ace8c5fe32a9d9012df628c369471fa800117680

SHA256
417004625662482407325d4d954984a3b23972200e270cf8e58e2e025c9d8487

SHA512
e71399e91af80824c1b274cdb2a47f2b5227d68c2e4ddc4901c98dfe9ba97042eda6fc5ab30f10a3bdb9d5e1590b8454a8b13a7368b0daae8f2eb2ba07dfe0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3aa2d712d7b5f90870acde3c47f0ea08

SHA1
34a3fbbeeaa5300cb4508f60f9895463e6d53a6c

SHA256
3c71bd173b8314086a589f7d26277f2ef92a348dad82e0124d2f81d3648343df

SHA512
5419fcce0a8b4ec86499062f0f336230698dd3df729c98d636030cc0084b39f0f3a0b995f6a5b9d6977a13992daac4a0d150bd82b173ee74e23e6473482b7361

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f874dea4be94ac6a4d323b97ed63bd05

SHA1
27102c585662457e01403cdc9379c18952e1d0a6

SHA256
69094071473ab71968446c162096a484a28b0929f313314d94af3d0bde343a9b

SHA512
e3b4d03960aefae0d46b4ddf8f24f4d439c3defa77b7e663e619a30baf30ae103de993d5c1934c21e403e23fbc2329ed0f3044a9b75be9c230b55ae3f6978e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a68906155e3f2a3364de10b4cdbce781

SHA1
3c40db2d8206e1a1325e4be68b808ab6f84df6ce

SHA256
109bbad3268f15bded1532e3180febffdb2a7057e470ec58849949f3498de48d

SHA512
10963e3927bcfe0e8313c1740081118ee9ef7503bab93b5e5d5357c4ad97a7c89fab6b7a9ce57c041a9287fc673e3fee4672919c116ed9f5a324912702e96c9c

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\System32\14874.exe

Filesize
472KB

MD5
fa810017376abe6ed9b0840f90e38fa7

SHA1
9f5d6696fd8d00b62afef9f3015ac0e41a11cb1d

SHA256
78c223eced9fb8fafb8c8f1267681096756c559b4a1f4bf051dc347dd50e4665

SHA512
9010003eaeb385db49b052c03b1321493f5ecf39f4407fab5b7dc2ebc6f28838b6a9925d02c857b4468890532a64558cd6dd9a934c9843f5f458a0571dfbec72

Download Submit
memory/2040-1734-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/2040-29-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/2040-696-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/2040-28-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/3068-6-0x000000001B9D0000-0x000000001B9D8000-memory.dmp

Filesize
32KB

Download
memory/3068-0-0x00007FFAD1045000-0x00007FFAD1046000-memory.dmp

Filesize
4KB

Download
memory/3068-18-0x00007FFAD0D90000-0x00007FFAD1731000-memory.dmp

Filesize
9.6MB

Download
memory/3068-8-0x00007FFAD0D90000-0x00007FFAD1731000-memory.dmp

Filesize
9.6MB

Download
memory/3068-7-0x000000001C650000-0x000000001C69C000-memory.dmp

Filesize
304KB

Download
memory/3068-5-0x000000001C4F0000-0x000000001C58C000-memory.dmp

Filesize
624KB

Download
memory/3068-4-0x00007FFAD0D90000-0x00007FFAD1731000-memory.dmp

Filesize
9.6MB

Download
memory/3068-3-0x000000001BF50000-0x000000001C41E000-memory.dmp

Filesize
4.8MB

Download
memory/3068-2-0x00007FFAD0D90000-0x00007FFAD1731000-memory.dmp

Filesize
9.6MB

Download
memory/3068-1-0x000000001B920000-0x000000001B9C6000-memory.dmp

Filesize
664KB

Download
memory/3508-21-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/3508-1368-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3508-27-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/3508-17-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download