cybergate | 7ce728a04d8288a3bbd3d394993168f0f74e1238eaedf0d836a6a118a84329b5 | Triage

Submit
Reports

Overview

overview

Static

static

3

5aa0854f2d...18.exe

windows7-x64

5aa0854f2d...18.exe

windows10-2004-x64

Sharing

General

Target

5aa0854f2d4548b989704cac16645c99_JaffaCakes118
Size

684KB
Sample

240719-f3mc7svbkj
MD5

5aa0854f2d4548b989704cac16645c99
SHA1

d42225920412b1a477817b8b2f132c75ddbc1b73
SHA256

7ce728a04d8288a3bbd3d394993168f0f74e1238eaedf0d836a6a118a84329b5
SHA512

38d1f45d65980f96e4d9fc02527423d52fd4b00a0cf69592baaf8529acaaa1e1150085a6cf83b1eeb9dbee1ecdc5fb53d48c339b014ea424ca19f88bd4b1ac3b
SSDEEP

12288:7DQKbCUVLJunGBpGztVLC9NCE6SUCbOxGSMQXu1tnux:QbGipbbhMQ+Pnux

Score

10^/10

cybergate nod32 persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe

Resource

win7-20240705-en

cybergate nod32 persistence stealer trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe

Resource

win10v2004-20240709-en

cybergate nod32 persistence stealer trojan upx

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

Nod32

C2

nod32system.bounceme.net:1003

Mutex

Nod_32System

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
Win32
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
PP0i8X
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  5aa0854f2d4548b989704cac16645c99_JaffaCakes118
- Size
  
  684KB
- MD5
  
  5aa0854f2d4548b989704cac16645c99
- SHA1
  
  d42225920412b1a477817b8b2f132c75ddbc1b73
- SHA256
  
  7ce728a04d8288a3bbd3d394993168f0f74e1238eaedf0d836a6a118a84329b5
- SHA512
  
  38d1f45d65980f96e4d9fc02527423d52fd4b00a0cf69592baaf8529acaaa1e1150085a6cf83b1eeb9dbee1ecdc5fb53d48c339b014ea424ca19f88bd4b1ac3b
- SSDEEP
  
  12288:7DQKbCUVLJunGBpGztVLC9NCE6SUCbOxGSMQXu1tnux:QbGipbbhMQ+Pnux
Score

10^/10

cybergate nod32 persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatenod32persistencestealertrojanupx

behavioral2

cybergatenod32persistencestealertrojanupx

© 2018-2025

Terms | Privacy