cybergate | 0afef579ec8e61d67ea8489d851ddc7dd0f9be44891be08461546eb56125e670

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe
Size

176KB
MD5

6fab9ab190478ddb46b7d544d89f9cb5
SHA1

1ee06c50e33e5c43c897d7f3926bbd1d1bc87365
SHA256

0afef579ec8e61d67ea8489d851ddc7dd0f9be44891be08461546eb56125e670
SHA512

69951adbcbe8a3592c3305d7d81bec151d3750e84f7f80ea98d7177acaa5759c82c236db9ea58339bfbe7f64bc1d05215bddd85f1002f9e37f67b36971b2dde3
SSDEEP

3072:Ultv6HSggJHyz5OY84WhHnxfq9VOymULFRoLRE9JMBimHDn:Urojgtyz5Od4aR6WOb2RHT

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.2

Botnet

vítima

altiger.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4796-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4796-4-0x0000000024010000-0x000000002404C000-memory.dmp	upx
behavioral2/memory/4796-7-0x0000000024050000-0x000000002408C000-memory.dmp	upx
behavioral2/memory/4796-3-0x0000000024010000-0x000000002404C000-memory.dmp	upx
behavioral2/memory/2648-56-0x0000000024050000-0x000000002408C000-memory.dmp	upx
behavioral2/memory/4796-59-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/2648-58-0x0000000024050000-0x000000002408C000-memory.dmp	upx
behavioral2/memory/4796-52-0x0000000024050000-0x000000002408C000-memory.dmp	upx
behavioral2/files/0x0007000000023464-63.dat	upx
behavioral2/memory/2648-72-0x0000000024050000-0x000000002408C000-memory.dmp	upx
behavioral2/memory/2648-71-0x0000000024050000-0x000000002408C000-memory.dmp	upx
behavioral2/memory/2648-64-0x0000000024050000-0x000000002408C000-memory.dmp	upx
behavioral2/memory/2648-62-0x0000000024050000-0x000000002408C000-memory.dmp	upx
behavioral2/memory/2648-61-0x0000000024050000-0x000000002408C000-memory.dmp	upx
behavioral2/memory/2648-97-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/2648-107-0x0000000024050000-0x000000002408C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe
4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe
Token: SeDebugPrivilege	2648	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84
PID 4796 wrote to memory of 3820	4796	6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3820
- C:\Users\Admin\AppData\Local\Temp\6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6fab9ab190478ddb46b7d544d89f9cb5_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

Filesize
8B

MD5
731f6cd1bd5f8eab10aaa4188c327ad4

SHA1
215c663db786bcff94415cd4a84ec27cfecd64fe

SHA256
7a3925f23f99902d1e18cd3a6fe10f3654cf8b1c0952d88ac944fb7c71eb42e0

SHA512
06d7718268ada3af3c44f26c9942d65da51eb67afa606e42c5d66183ac3e3a46b4a893025326c6a0f8a47b060d55f6e75a307eddbb6cd719a18b22465074cb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
137KB

MD5
f151fd287990b7e49e8111c8cb66507d

SHA1
100b6c52484c44c84d04204f60127287fac15d2f

SHA256
ef464250b8578fdb15d3ba01169f4522aab9d3ef1d31d694f46b8add8d0f6a8b

SHA512
5f48eca8ea75b84c374253923a7f2ad9ea8ef0ce03d0b122f6e99172f6056856e68ca7dd29b7a6c0d095a02e6e63d7e728c6e57fe1e9c063aac0166a6603c8f3

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
86f3c87caff4d7973404ff22c664505b

SHA1
245bc19c345bc8e73645cd35f5af640bc489da19

SHA256
e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

SHA512
0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

Download Submit
\??\c:\dir\install\install\server.exe

Filesize
176KB

MD5
6fab9ab190478ddb46b7d544d89f9cb5

SHA1
1ee06c50e33e5c43c897d7f3926bbd1d1bc87365

SHA256
0afef579ec8e61d67ea8489d851ddc7dd0f9be44891be08461546eb56125e670

SHA512
69951adbcbe8a3592c3305d7d81bec151d3750e84f7f80ea98d7177acaa5759c82c236db9ea58339bfbe7f64bc1d05215bddd85f1002f9e37f67b36971b2dde3

Download Submit
memory/2648-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-62-0x0000000024050000-0x000000002408C000-memory.dmp

Filesize
240KB

Download
memory/2648-55-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/2648-56-0x0000000024050000-0x000000002408C000-memory.dmp

Filesize
240KB

Download
memory/2648-107-0x0000000024050000-0x000000002408C000-memory.dmp

Filesize
240KB

Download
memory/2648-58-0x0000000024050000-0x000000002408C000-memory.dmp

Filesize
240KB

Download
memory/2648-61-0x0000000024050000-0x000000002408C000-memory.dmp

Filesize
240KB

Download
memory/2648-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2648-72-0x0000000024050000-0x000000002408C000-memory.dmp

Filesize
240KB

Download
memory/2648-71-0x0000000024050000-0x000000002408C000-memory.dmp

Filesize
240KB

Download
memory/2648-9-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2648-64-0x0000000024050000-0x000000002408C000-memory.dmp

Filesize
240KB

Download
memory/4796-3-0x0000000024010000-0x000000002404C000-memory.dmp

Filesize
240KB

Download
memory/4796-52-0x0000000024050000-0x000000002408C000-memory.dmp

Filesize
240KB

Download
memory/4796-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-7-0x0000000024050000-0x000000002408C000-memory.dmp

Filesize
240KB

Download
memory/4796-4-0x0000000024010000-0x000000002404C000-memory.dmp

Filesize
240KB

Download