cybergate | 295eba38b95f09083f2673594bdcba73985d5b89e41230b9c4761b584a68051f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 15:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe
Size

1.2MB
MD5

4a5eb47947f04f9c8479be0879491a0f
SHA1

53656fb0bbebd2f1b766cdddfc9289eed443f821
SHA256

295eba38b95f09083f2673594bdcba73985d5b89e41230b9c4761b584a68051f
SHA512

166425cac93ee83b7ef90629e60d74a41e1eadeea06c0fffc993c58088b84c4afa6c467fd2c2014d4f19d5384917949809c7832417940823a8ff8f2f0a9167d0
SSDEEP

24576:HhqMYdprgqE8sleQy2bkqjZcFMV3bLCHYvn/htX3t3Pf2:HhqDpJE3QOnjZy1HsfBG

Score

10^/10

cybergate itzh4cked persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

itzh4cked

itzh4cked.no-ip.biz:6661

Mutex

CY4GD3PW1Q0B43

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
test this bitch.exe
install_dir
Windows
install_file
chrome.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
what459sit512
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/708-11-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/708-12-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/708-15-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindosU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindosU.exe"	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	2872	vbc.exe
Token: SeRestorePrivilege	2872	vbc.exe
Token: SeDebugPrivilege	2872	vbc.exe
Token: SeDebugPrivilege	2872	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 2240 wrote to memory of 708	2240	4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe	86
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87
PID 708 wrote to memory of 3204	708	vbc.exe	87

C:\Users\Admin\AppData\Local\Temp\4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a5eb47947f04f9c8479be0879491a0f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3204
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
ba8b606e502b9e0e79bec6287f52d930

SHA1
1cd485004800d89498506baae10ffd335aeb00ab

SHA256
c2f8f48a1d493442303f6c6a5a9afe52dc7830975ca1452a0acde58d9f024570

SHA512
13a648e1da2b85d66529af837df90c5cbb697f1a809c07443a9689b6f74a29fe8d2ae042a3c3a540fb7ec1f38f6752b5e3270d335eed70a67b77eb1f5ad1d62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
554288c01661864f3d3344242d940acd

SHA1
97292c17e1ae7979c6e08fb69ee06334526b8b64

SHA256
6e1ec217e09374a136a47ccb07e50d6e6018a5be1430290a7ffef958066b6546

SHA512
aea93110cc7be2d0419d561702b9aa553df902161eb24c21a715da5767a9a3b5c75976b02fc6ca5cf40a4b8d45e0131310c953850b77cf102554abd8af7d7567

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e3cdf70b998da74684c52e1912f98e94

SHA1
1ac268c36a50500c25955f5f24cce475f7d6ba13

SHA256
4f492f812434c1e343d1aed0f32643c73cfe52da1c319fdf33ec950ea48f5b99

SHA512
e7df04c4b7712d20e7d659dd21798129f6cdebc75f0c910d536a8e68bbbc534b4a441ab9a4155dbe6fca3ac233f18d9605d40380e5dfca869f9c71ac1f63e8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ecc1c06c83199aa097abeb884cb13789

SHA1
bb8da8f2fecdd49e5aea070bf1335eb1bbfc18c2

SHA256
325a35c9344a404be25be71a4072fefe545ad107cc5cfab32f34f22bd430b416

SHA512
b99abd9d400dfbb5b579f2b95651a79aa73300771d721c83203551a63729ce7950260c9c0a60f80735fcc5a1d4e3e93283a8f378c4611f4ce2c6d0f7177ebeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
56cd5bd9611890549e8de3e2427c194b

SHA1
2c3b5c74ea7cd94083cbd7e43bd77ec15e4b3829

SHA256
de1c7fe0e6df3a1f06db9a1253f670a5961d0a7e965fbdf024d3efa86b35c035

SHA512
e266b9c1ad77a71e02fbae791eabd634d9bf840eb1a24621d7e2da3035834c6a19525351df2b0b4ea006a139ad6ae87bb9c40da61d0348f6b233a7523a06c945

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fdd3dfa92c29a3c71698fe62be28630f

SHA1
090f8798b133c9552b3857758902ce9accc239e6

SHA256
825fbbad77f75a50ca89cbd674893492718f382ae7a0842b309acaaee1caccc0

SHA512
fc87a221a4166e9bc9b5aa525de1e0e18b136ea880ecdec58e07609da64ec0f154d16226722064051cf064573492cac300074a710bc4403637ec510e8307e3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
add89352dc2a46e71b8ffe2bf383ea31

SHA1
20cb8f18afa2cbddc90039413783cb9fb339ffda

SHA256
4bbcfe91a432b1e915ddc910c16828176c3e40adb86c90ae77fbc52a2e9f1067

SHA512
5d5cf523ebd60b9b1d6c671e90ed1034be7500d6444b0133f11927a6caee9222f37d1fafe1292802fb3c9d5c4e84ec4fcb529abff3a5b7e34db017d6db9d307c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
150f8e5bff344fcfac3a084dde4b865a

SHA1
6ca322b3dcef10b49e6ba96306fcaa90307c44fc

SHA256
eee7ba5078a28b50d7eb6bfdccbc9cbb7291403a6cd4b8ca706df265203431c7

SHA512
368a1a7d291ae6329f01a3b2b08a8e638e8aeb4e7bea626b1b15ce4052738e5457e85b8b2edd3e5c0d1b02c24f07fe5ddc8f6caf28146b3eb62dfed7bdc1e957

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c5a9aeb48ef51607eb24d6df36106b81

SHA1
2c40453acf1951cd806b1a854a18e9b7aca168b3

SHA256
a562160c4b888310014a07be8d09e42dc31cb2d2b91a5659d7b4b995ba11806c

SHA512
818397b8c949e25fbc415f4b75073de279b8063e3df57f322836424374a18f557a6f3f7f723182bb54a2fb791024ea119277643e3fc99d12b5ff5275943c02df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4b118c2fdb8369941c8a47f734228ca6

SHA1
e5f94b10ec2ad6ab34dd4193a64359596968a629

SHA256
8d4544757d1c827f31259e67760393e711248da6d5514e49be4f996c6083c7e8

SHA512
76965630e5b5c395fb32413ec9ea74988f92fe81719c61be831a1ad3bce306da73673aee0b1b051ce4642214a56b1c33208304fdbf4d038908a986fe932561d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e53732b5b1512947d40b51b908aa6bea

SHA1
ade7479d5c92250b9b9c8a1efbbeda14fb45c426

SHA256
94f34a7d74a6485bd46969a5cad111c6029a2f3a314c9d308d24ec96b75e5315

SHA512
1d1e04a9a8a9d380e29f27337a30f9dd0c1948aa74fdd3d33cf2eafbc7133fc0e77326d3bdf5a7d8f92e8c4cbfb782ca8e23504f1fd6b1b6d2a34f6962b639bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cecf9a7d32c7449a20a30741df5b9c63

SHA1
8c411d492ebf23d630b60598b53d993a8b5feafc

SHA256
90c6fb439e596d33fe27732c8c1ee20d4f86e3ec2397935aaaa07ad38468b844

SHA512
03a507df2b74111cf2abdabd2cd35aba662ee78e05813d71986e37140b85ca9b04350819e2829fb7db6b2c3872110efdf35a51cb97799c05154c9e78bb35ba75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8b50777714938d15d13a60809d830028

SHA1
27110475847095b1e3111c32303a8ea001ddfa19

SHA256
8f4029b1aa65319c7594bec8798960650ef57a5097625bc3101de6f8c857c7af

SHA512
600447524eade1cbded14c4a27513dc5b420108b69008bf167f153f7aced4265a979b81b1edb56e335852cc1fe4ffc6a16c4ee67db41f771c10eea9e00e35548

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a0cf63d2bb34eee805ad23316bd556ba

SHA1
2491ec231820e4e9d399e81074d466349a56feac

SHA256
0cad61843d61336b21400eddc1c6ee521a8786c16803c00cd06a86ff113d750b

SHA512
3cc15af5ac7990294a8187a1390a430572a40c2a1a03b095e9e53ebd39e461de44f901dd4bdd44ac68c8f6002b6e8c5d5c9f8d349cfa8444d897aab1972cce16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
392a95cb8f663eb3fc127f38e7352f41

SHA1
1b9392436f36a18ee21abae2ad6b4fb255ca6cd9

SHA256
2c37cf736a170c1007d254f6d64ede7cd36efde6cc1b79f01ebbfaa465f4f124

SHA512
bcb04678ad674d2f0f16c4567f4d39216eb6789762cc8a3ee3a1785a26e3e6d28a9cfed0e5caee65d1f0b85de08fdaffdd024dd2a80e7e582bccb4eb7d7d5999

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0e84bf1c4b5043674849b177cb844531

SHA1
cf84559bc217dde20c7fa6e91070d6da939be5df

SHA256
55c571ce3a77bbf36d468487ddbd16a291969799a305582125e466aa42645225

SHA512
a00c33bcf516124a9dd7d566362d957fb0b2018a3f0004640b0cfc7d3843898d32da482ecb80348699cd926447a5d1c1f8dd8c67c39271783d9501158718c94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
14cc6fdedc91e70386e36eebd40d595a

SHA1
b4b45b65f7dbb1e6b3294e8e7fdb3cfd96650974

SHA256
91ed5c85091637f750a7701e2ab7b9f2dcbad388e85bcd4ebae11f85021a8377

SHA512
9d03f54ddfb70ccc64318fb5763bad1ffa9b4971dfa89cee3586352b7ea08ade422c1e6ffb8bc35a743cd38d078e053cf4ed02d20e074193c2c102c230107f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f58fe36d341be85ea3ebad2b68b69cb3

SHA1
4b16be2a29a15bfc113a1d12938c2d2c50fd5fe5

SHA256
59f8a475015263d9c44a3fff66d35929ef87cb1e94a2a4b49fea7b1b06626c03

SHA512
729f77dae8bad8508baf0ef0c13634b81321069f28518cd2c21fb7a5e200956dcf48e1876b18477af76237e27dd721fa6fa9276fd2f008a2717eabf249b5c43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
05e84d7dd598ff433cbf66fed690d326

SHA1
70de9b53e0faf5bf24ce1c1bfea6fd2d4d41e873

SHA256
329290c15cd193c1bc90750e3ae870b4124edc51f02eba8a8a5a5ed3802588a9

SHA512
6c38d16d51d1ca4ec8e34f13f26aaf91c0ab6e22de54eaccd861a3115bc6134be9996552114aaca7e6a52a4c9af5452383f1f6c8079089e5fa3b45ec75ac6d43

Download Submit
memory/708-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/708-15-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/708-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/708-12-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/708-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/708-11-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/708-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/708-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2240-9-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/2240-0-0x0000000074732000-0x0000000074733000-memory.dmp

Filesize
4KB

Download
memory/2240-2-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/2240-1-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/2872-17-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2872-30-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2872-16-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads