cybergate | ac0fe445073e6c12f168113e179368d27a0e5e8c63e6fde55a1c4ed374a7875d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe
Size

276KB
MD5

beff6858b83f36c20c3ac8f41dd847ca
SHA1

5cc449143512ccda3d5cb9b3c015852d504d4b4f
SHA256

ac0fe445073e6c12f168113e179368d27a0e5e8c63e6fde55a1c4ed374a7875d
SHA512

412ad05dbd88b092156d44fd202807a2d797a03695b0b588d646d7a4094378778e4f3dde2063d3c6f17b43da83e75a37fe38606ad4d54c9cfc721de5bd6d5b04
SSDEEP

6144:DUAJb4uOiL7ZGhs5XMbLkJ3Ocj252S5LJoRz:DUOb4uOq7UhsmO3HyQkJoRz

Score

10^/10

cybergate bot discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

bot

tool500.no-ip.biz:3306

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svhost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
12345
regkey_hkcu
{6132XUAT-08BL-75DM-1AP8-P360CQ7X306A}
regkey_hklm
{6132XUAT-08BL-75DM-1AP8-P360CQ7X306A}

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6132XUAT-08BL-75DM-1AP8-P360CQ7X306A}	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6132XUAT-08BL-75DM-1AP8-P360CQ7X306A}\StubPath = "C:\\Windows\\install\\svhost.exe Restart"	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE

Executes dropped EXE 3 IoCs

pid	Process
32	svhost.exe
1996	svhost.EXE
3356	svhost.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{6132XUAT-08BL-75DM-1AP8-P360CQ7X306A} = "C:\\Windows\\install\\svhost.exe"	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{6132XUAT-08BL-75DM-1AP8-P360CQ7X306A} = "C:\\Windows\\install\\svhost.exe"	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 32 set thread context of 1996	32	svhost.exe	85

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1996-34-0x0000000024010000-0x0000000024052000-memory.dmp	upx
behavioral2/memory/1996-85-0x0000000024010000-0x0000000024052000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\install\svhost.exe	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
File opened for modification	C:\Windows\install\svhost.exe	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
File opened for modification	C:\Windows\install\svhost.EXE	svhost.exe
File opened for modification	C:\Windows\install\svhost.exe	svhost.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3356	svhost.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	svhost.EXE
Token: SeDebugPrivilege	3356	svhost.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2124	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe
32	svhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 1548 wrote to memory of 2124	1548	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe	83
PID 2124 wrote to memory of 32	2124	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE	84
PID 2124 wrote to memory of 32	2124	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE	84
PID 2124 wrote to memory of 32	2124	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE	84
PID 2124 wrote to memory of 3424	2124	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE	56
PID 2124 wrote to memory of 3424	2124	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE	56
PID 2124 wrote to memory of 3424	2124	beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE	56
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 32 wrote to memory of 1996	32	svhost.exe	85
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86
PID 1996 wrote to memory of 3356	1996	svhost.EXE	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
    beff6858b83f36c20c3ac8f41dd847ca_JaffaCakes118.EXE
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\install\svhost.exe
      "C:\Windows\install\svhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:32
    - - C:\Windows\install\svhost.EXE
        
        svhost.EXE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\install\svhost.EXE
        
        "C:\Windows\install\svhost.EXE"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

Filesize
8B

MD5
c468202d7bb909fc5f494070012e52bd

SHA1
6248d85729af47c0867349bab9ab2380fd8d495f

SHA256
a657fbd9aea4d941b6880f7b43224d09e95db97b2e293efe9ad46d448c8027ea

SHA512
2aedb684b24fbb9f8b830c24b22e582ca7ab59e5601d78fad598cebf2d5e66fb9f8fd3069d60a256b451106780c10fb84650983daf8521386a01c88729b627c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
189KB

MD5
bb80fa6f7110622a2933c6b0701defe5

SHA1
cdaf9030aba61b903804a83858f4a663bffc5d09

SHA256
9b3eb78a14b4539a9d1904dcc15a12ca1a1cc7883ca8dd36677873025fc5a25c

SHA512
4d3678eed2f7b2924f602b287955db115016a1f02c430dbe8b7e3477aba8b7745c7ca328ac93656bbd92df765a4898bf62d9f859ac57e210236db983b1a2b44a

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
4362e21af8686f5ebba224768d292a5b

SHA1
504510a4d10e230dcd1605ab3342525b38a10933

SHA256
b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3

SHA512
f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850

Download Submit
C:\Windows\install\svhost.exe

Filesize
276KB

MD5
beff6858b83f36c20c3ac8f41dd847ca

SHA1
5cc449143512ccda3d5cb9b3c015852d504d4b4f

SHA256
ac0fe445073e6c12f168113e179368d27a0e5e8c63e6fde55a1c4ed374a7875d

SHA512
412ad05dbd88b092156d44fd202807a2d797a03695b0b588d646d7a4094378778e4f3dde2063d3c6f17b43da83e75a37fe38606ad4d54c9cfc721de5bd6d5b04

Download Submit
memory/32-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1548-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1548-5-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1996-92-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-34-0x0000000024010000-0x0000000024052000-memory.dmp

Filesize
264KB

Download
memory/1996-85-0x0000000024010000-0x0000000024052000-memory.dmp

Filesize
264KB

Download
memory/1996-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-22-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-36-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3356-35-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3356-40-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3356-88-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/3424-17-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads