cybergate | ac0fe445073e6c12f168113e179368d27a0e5e8c63e6fde55a1c4ed374a7875d

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe
Size

276KB
MD5

beff6858b83f36c20c3ac8f41dd847ca
SHA1

5cc449143512ccda3d5cb9b3c015852d504d4b4f
SHA256

ac0fe445073e6c12f168113e179368d27a0e5e8c63e6fde55a1c4ed374a7875d
SHA512

412ad05dbd88b092156d44fd202807a2d797a03695b0b588d646d7a4094378778e4f3dde2063d3c6f17b43da83e75a37fe38606ad4d54c9cfc721de5bd6d5b04
SSDEEP

6144:DUAJb4uOiL7ZGhs5XMbLkJ3Ocj252S5LJoRz:DUOb4uOq7UhsmO3HyQkJoRz

Score

10^/10

cybergate bot discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

bot

tool500.no-ip.biz:3306

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svhost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
12345
regkey_hkcu
{6132XUAT-08BL-75DM-1AP8-P360CQ7X306A}
regkey_hklm
{6132XUAT-08BL-75DM-1AP8-P360CQ7X306A}

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6132XUAT-08BL-75DM-1AP8-P360CQ7X306A}	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6132XUAT-08BL-75DM-1AP8-P360CQ7X306A}\StubPath = "C:\\Windows\\install\\svhost.exe Restart"	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE

Executes dropped EXE 3 IoCs

pid	Process
2812	svhost.exe
2784	svhost.EXE
2916	svhost.EXE

Loads dropped DLL 3 IoCs

pid	Process
2656	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
2656	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
2812	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{6132XUAT-08BL-75DM-1AP8-P360CQ7X306A} = "C:\\Windows\\install\\svhost.exe"	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6132XUAT-08BL-75DM-1AP8-P360CQ7X306A} = "C:\\Windows\\install\\svhost.exe"	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2640 set thread context of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2812 set thread context of 2784	2812	svhost.exe	32

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\install\svhost.exe	svhost.EXE
File created	C:\Windows\install\svhost.exe	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
File opened for modification	C:\Windows\install\svhost.exe	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
File opened for modification	C:\Windows\install\svhost.EXE	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2916	svhost.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	svhost.EXE
Token: SeDebugPrivilege	2916	svhost.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2656	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe
2812	svhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2656	2640	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2812	2656	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE	31
PID 2656 wrote to memory of 2812	2656	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE	31
PID 2656 wrote to memory of 2812	2656	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE	31
PID 2656 wrote to memory of 2812	2656	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE	31
PID 2656 wrote to memory of 1196	2656	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE	21
PID 2656 wrote to memory of 1196	2656	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE	21
PID 2812 wrote to memory of 2784	2812	svhost.exe	32
PID 2812 wrote to memory of 2784	2812	svhost.exe	32
PID 2812 wrote to memory of 2784	2812	svhost.exe	32
PID 2812 wrote to memory of 2784	2812	svhost.exe	32
PID 2812 wrote to memory of 2784	2812	svhost.exe	32
PID 2812 wrote to memory of 2784	2812	svhost.exe	32
PID 2812 wrote to memory of 2784	2812	svhost.exe	32
PID 2812 wrote to memory of 2784	2812	svhost.exe	32
PID 2812 wrote to memory of 2784	2812	svhost.exe	32
PID 2812 wrote to memory of 2784	2812	svhost.exe	32
PID 2812 wrote to memory of 2784	2812	svhost.exe	32
PID 2812 wrote to memory of 2784	2812	svhost.exe	32
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33
PID 2784 wrote to memory of 2916	2784	svhost.EXE	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
    beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\install\svhost.exe
      "C:\Windows\install\svhost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\install\svhost.EXE
        
        svhost.EXE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\install\svhost.EXE
        
        "C:\Windows\install\svhost.EXE"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
189KB

MD5
bb80fa6f7110622a2933c6b0701defe5

SHA1
cdaf9030aba61b903804a83858f4a663bffc5d09

SHA256
9b3eb78a14b4539a9d1904dcc15a12ca1a1cc7883ca8dd36677873025fc5a25c

SHA512
4d3678eed2f7b2924f602b287955db115016a1f02c430dbe8b7e3477aba8b7745c7ca328ac93656bbd92df765a4898bf62d9f859ac57e210236db983b1a2b44a

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
4362e21af8686f5ebba224768d292a5b

SHA1
504510a4d10e230dcd1605ab3342525b38a10933

SHA256
b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3

SHA512
f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850

Download Submit
C:\Windows\install\svhost.exe

Filesize
276KB

MD5
beff6858b83f36c20c3ac8f41dd847ca

SHA1
5cc449143512ccda3d5cb9b3c015852d504d4b4f

SHA256
ac0fe445073e6c12f168113e179368d27a0e5e8c63e6fde55a1c4ed374a7875d

SHA512
412ad05dbd88b092156d44fd202807a2d797a03695b0b588d646d7a4094378778e4f3dde2063d3c6f17b43da83e75a37fe38606ad4d54c9cfc721de5bd6d5b04

Download Submit
memory/1196-36-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/2640-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2640-3-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/2640-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2656-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-10-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2656-30-0x0000000002320000-0x0000000002334000-memory.dmp

Filesize
80KB

Download
memory/2656-44-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2784-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2784-68-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2784-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2812-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2812-62-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/2916-87-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2916-81-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2916-88-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads