cybergate | a5fb89b4bc428c4b950c654391d649ffd30f82c4e5f85af7b644487e070cac6d

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe
Size

760KB
MD5

c2a9c55f7bd0f97166f91601d24a3804
SHA1

f578ea8c8eebd2fe8864786ad3ea8e22c1e72f1b
SHA256

a5fb89b4bc428c4b950c654391d649ffd30f82c4e5f85af7b644487e070cac6d
SHA512

a69517b86b91719b3524ecb1187624002aa2d8b70c71f8e34cacc9eaaf5810a78dfc5347336f50ac6e0362ae0af945b4cd3a0a1f9b5b24ce657596ad75da2c38
SSDEEP

12288:YvFl/iJIMvaT3buu5Kf6WZXQAWT3r/v5R7zIHOPPnSWmMSaOS3hz2Uxt6djrZvmn:YvFw2EkwXgTrOSVIZ02b

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

41.226.37.129:81

127.0.0.1:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
ultras sahliano
message_box_title
warning
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ZvuWE.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe"	ZvuWE.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ZvuWE.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe"	ZvuWE.exe.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3208	ZvuWE.exe.exe
1796	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\install\\server.exe"	ZvuWE.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\install\\server.exe"	ZvuWE.exe.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b42-8.dat	upx
behavioral2/memory/3208-12-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3208-17-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3208-38-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3208-79-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4984-84-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3208-150-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1796-170-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4984-174-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\install\server.exe	ZvuWE.exe.exe
File opened for modification	C:\Program Files (x86)\install\server.exe	ZvuWE.exe.exe
File opened for modification	C:\Program Files (x86)\install\server.exe	explorer.exe
File opened for modification	C:\Program Files (x86)\install\	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
376	1796	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZvuWE.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3208	ZvuWE.exe.exe
3208	ZvuWE.exe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3460	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3460	explorer.exe
Token: SeDebugPrivilege	3460	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3208	ZvuWE.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 3208	552	c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe	82
PID 552 wrote to memory of 3208	552	c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe	82
PID 552 wrote to memory of 3208	552	c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe	82
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56
PID 3208 wrote to memory of 3436	3208	ZvuWE.exe.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ZvuWE.exe.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ZvuWE.exe.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4984
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3460
    - - C:\Program Files (x86)\install\server.exe
        
        "C:\Program Files (x86)\install\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 564
        6⤵
        Program crash
        
        PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1796 -ip 1796
1⤵
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
511578d597d539b93b0e95826909d999

SHA1
b8619f9ecb18d6f1a6877e1f4a092d8009912028

SHA256
bf54ad004be3eefb741e3285d3b37989bba48983aafcae26ecb810bda52e1970

SHA512
3549852d160854867af4e336cf311a3c2339f05d754498e0c4228bdefe227f610deb4ea903a014289e64930dbeecf6e217a1293fc4d8243385335c4dc865dbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a6713ed9557f03640cdb226765b14066

SHA1
e6cb62670400d6611601316d91b31ad00a17e101

SHA256
ffa7bd7a44d1c88c8c73e558e80922a32760db7e118dce4c1e8074d81ac2e8a0

SHA512
c6a24fc17f78e73541d9154d8f8bcedfa99bfb7abd087223ec5f02d4052b947de987441e382290f49c36e9b50cd8b32fc222413cdbfc1b3d2c71d7c16ac5e1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
54f1554b1098424be9f2d343f5af03d1

SHA1
2bd20a424673a6f3c41fae338f3c3bec21de7a2d

SHA256
25ff6983c71adbc8d622386ede2c16cb11f7f9cdf9756733d87610ecf5be05fa

SHA512
733951d469cdb810f47f47f913b392213c64106d773427a95563420c3e9513c65dfb62b330f189ed5270dc5d9cb731e72de6083d91371f5c50246610cea5308b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
930bd1778076e4ce6b8a17565526c7b3

SHA1
bf7681e651de6ec6e576dd77e09ea3d7700cd69e

SHA256
e13916349b17114df55ad757bf0a925f1988e02ea8a20c280a29298e66fe246a

SHA512
8a9d45b94bfafeb374c85f4a360107ee71d9c8878b1e0eb6f8366ae3ad44b70917d5e821c8ff806391c36e9be910faa291f9b5b48a4e10cf62a33afe636945c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ZvuWE.exe.exe

Filesize
276KB

MD5
a588d666202fc2126b0bf2bdb27f717a

SHA1
ea8f81a0d8f097fb7baff9e0578a67715150610c

SHA256
076e895ae1f7de698665111375851b4b1a4d7115865cf3c88ce0b85a1a3efb9b

SHA512
c9cad4218d3203f9bd579a3707ea7c1585f50086458c2219e06ed4bd54ad7adc462791a611629a600b625f23bcd75abaa61fa1aacbc4750147df7f73a437795c

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
memory/552-1-0x00007FFAEEB50000-0x00007FFAEF4F1000-memory.dmp

Filesize
9.6MB

Download
memory/552-2-0x000000001BD80000-0x000000001BE26000-memory.dmp

Filesize
664KB

Download
memory/552-4-0x00007FFAEEB50000-0x00007FFAEF4F1000-memory.dmp

Filesize
9.6MB

Download
memory/552-14-0x00007FFAEEB50000-0x00007FFAEF4F1000-memory.dmp

Filesize
9.6MB

Download
memory/552-0-0x00007FFAEEE05000-0x00007FFAEEE06000-memory.dmp

Filesize
4KB

Download
memory/1796-170-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3208-38-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3208-150-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3208-79-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3208-17-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3208-12-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4984-84-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4984-82-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

Filesize
4KB

Download
memory/4984-22-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/4984-174-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4984-23-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download