cybergate | bad9e59ca96315d8bbf48e7f247c9fd00954f094f6bcacab9af483d98f1ad5c9

General

Target

a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe
Size

1.1MB
MD5

a7503ad56f686432fbdc3ab0d45b0f92
SHA1

f3c47c68b54adb78499544ebc34744808789f7da
SHA256

bad9e59ca96315d8bbf48e7f247c9fd00954f094f6bcacab9af483d98f1ad5c9
SHA512

ba880e2ff032b6c620a1107a2390d440dbb02df68ba2581235859ef583b470276b133ecd4ba115305d08e3f9ef23a0fb5b65f959fe9f250f96155b50d1beb18f
SSDEEP

12288:rQdfp2v7g6ML1HbPifA27Wna1PLAXOgX0JwJtlyUH+llKLb0bCx:rQo7g6ML9e427rs2wTlyUHtLb0W

Score

10^/10

cybergate cyber discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.11.0 - Public Version

Botnet

cyber

C2

vip081247.no-ip.biz:82

Mutex

SRXA81Y15I78PF

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4704	GoogleUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleUpdate.exe"	a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4704 set thread context of 3236	4704	GoogleUpdate.exe	86

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LimeWire\Shared\SteamHack.exe	a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe
File created	C:\Program Files (x86)\LimeWire\Shared\SteamHack.exe	GoogleUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2604	3236	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 4704	2932	a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe	83
PID 2932 wrote to memory of 4704	2932	a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe	83
PID 2932 wrote to memory of 4704	2932	a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe	83
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86
PID 4704 wrote to memory of 3236	4704	GoogleUpdate.exe	86

C:\Users\Admin\AppData\Local\Temp\a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe
  "C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe" 0
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 12
      4⤵
      Program crash
      PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3236 -ip 3236
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe

Filesize
1.1MB

MD5
a7503ad56f686432fbdc3ab0d45b0f92

SHA1
f3c47c68b54adb78499544ebc34744808789f7da

SHA256
bad9e59ca96315d8bbf48e7f247c9fd00954f094f6bcacab9af483d98f1ad5c9

SHA512
ba880e2ff032b6c620a1107a2390d440dbb02df68ba2581235859ef583b470276b133ecd4ba115305d08e3f9ef23a0fb5b65f959fe9f250f96155b50d1beb18f

Download Submit
memory/2932-0-0x0000000074B22000-0x0000000074B23000-memory.dmp

Filesize
4KB

Download
memory/2932-1-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/2932-2-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/2932-18-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/3236-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4704-19-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/4704-20-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/4704-25-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads