Extracted

• • Target

    5b1b6ef596a3012cb9798dfa798f4ce1_JaffaCakes118

  • Size

    676KB

  • MD5

    5b1b6ef596a3012cb9798dfa798f4ce1

  • SHA1

    73b68a23b34bc5ce5655a5d191b6ee5765917b01

  • SHA256

    77ea9c2b747a80fbc1a977ae72ac1e254c7e2a7f1126ac74e515c390995a5d5a

  • SHA512

    db5712d2b498f490d5a1f77b533da03fb84f81ef7cc0d44941e2e43a4a7a47540dbc37630403beb6f02477e77daf9025cedab3d6ebb8e1683b50d43842a09ad1

  • SSDEEP

    12288:dPNcewxc7zzyYW+GchecVtA3YdjgkowmhCckt76jPf30qE:dV1+MzzyYWelVt/LchQ7wPfkqE

  Score

  10^/10

  cybergatecyberpersistencestealertrojanupx

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2