
General

  • Target: d3ede1a39ab97875135192e09fedb046_JaffaCakes118
  • Size: 284KB
  • Sample: 240908-j7rehaxfmc
  • MD5: d3ede1a39ab97875135192e09fedb046
  • SHA1: f74d061f715a26093767e0f57c7a034b3a30386b
  • SHA256: c1773d7f7e8935b70037796bb3961d2dcb4091eb0a2b6be5c3a53d5a8173a22a
  • SHA512: 699dbb9faa50ece3821f925e35048c0f727241052a734b592b292517f713491a45d91443ccd221257d08b833ab6b07255c7011f4bba64f12af469f2277c0a7ab
  • SSDEEP: 6144:1k4qm6eWicRCQx36T5w3Mr9qgPnhF+LzaEWZi0/CFIn6PvGwEcK7dix:S9jqGx340Mf8iEUfn6PrEcu

Malware Config

Extracted

  • Family: cybergate
  • Version: 2.6
  • Botnet: vítima
  • C2: lolxlolsasasasa.zapto.org:80
  • Mutex: Error....
  • Attributes:
      • enable_keylogger: true
      • enable_message_box: false
      • ftp_directory: ./logs/
      • ftp_interval: 30
      • injected_process: explorer.exe
      • install_dir: spynet
      • install_file: drwatson.exe
      • install_flag: true
      • keylogger_enable_ftp: false
      • password: abcd1234
      • regkey_hkcu: HKCU
      • regkey_hklm: HKLM

Extracted

  • Family: latentbot
  • C2: lolxlolsasasasa.zapto.org

Targets

    • Target: d3ede1a39ab97875135192e09fedb046_JaffaCakes118
    • Size: 284KB
    • MD5: d3ede1a39ab97875135192e09fedb046
    • SHA1: f74d061f715a26093767e0f57c7a034b3a30386b
    • SHA256: c1773d7f7e8935b70037796bb3961d2dcb4091eb0a2b6be5c3a53d5a8173a22a
    • SHA512: 699dbb9faa50ece3821f925e35048c0f727241052a734b592b292517f713491a45d91443ccd221257d08b833ab6b07255c7011f4bba64f12af469f2277c0a7ab
    • SSDEEP: 6144:1k4qm6eWicRCQx36T5w3Mr9qgPnhF+LzaEWZi0/CFIn6PvGwEcK7dix:S9jqGx340Mf8iEUfn6PrEcu

    • CyberGate, Rebhip
      CyberGate is a lightweight remote administration tool with a wide array of functionalities.
    • LatentBot
      Modular trojan written in Delphi that has been seen in the wild since 2013.
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL
    • UPX packed file
      Detects executables packed with the UPX open-source packer or a modified UPX.
    • Adds Run key to start application
    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
