Extracted

• • Target

    eaac1f4cb0ab59a3ad81378aff34f08d_JaffaCakes118

  • Size

    1.1MB

  • MD5

    eaac1f4cb0ab59a3ad81378aff34f08d

  • SHA1

    3648887657dda6446c08dae532bc57524bf161a2

  • SHA256

    04d97e050f09e5eecde741646a83c8c03058460ea2b8893ab7ba9c3b413cf82c

  • SHA512

    3bc48a85a525d6014b3edcb4bc113489883691f1b65f2bf788cb5de2d0a340dcfa0bbf86411c8ba923f9bad4d76da7a6c0b9b8149176fcecf264762df544fe51

  • SSDEEP

    24576:GHVzWBsxrmBcXNfOi3m/Y9RL2/ZsXdgNCQeZhkeGcg:GHCAmDZWP2cg

  Score

  10^/10

  cybergatevictim2discoveryevasionpersistencestealerthemidatrojanupx

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2