Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05/12/2024, 01:04
General
-
Target
c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe
-
Size
341KB
-
MD5
c529feb6ee32ab7437fdae205e318cfc
-
SHA1
11d0d160c7f6e62554f2d6fd59b5fff301379a8f
-
SHA256
7b7ebcaee4ccdd40dcd63aaba90c337de85d65a19a8db44a6fbef8620327345f
-
SHA512
caec3b0cdbd0ef38b8be502cbcd3bcad53b6f7fa685a537b289cd2baf2bad6bcc45ed80a1d2412e93612e89f1b6be4a081860ba1fc36830126caef5d289161d3
-
SSDEEP
6144:yzbFac5lLo1xvAEO8l1hKZY6o4RDtWEWHuY8AYCpQOkve0NR8t0goS:yzbFaa4xvAEO8l2o4RZjWHu9CbaPgoS
Malware Config
Extracted
cybergate
v1.07.5
Dylan
dylanlumps.no-ip.org:8567
127.0.0.1:8567
mutex
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Cybergate family
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c529feb6ee32ab7437fdae205e318cfc_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\kLwjG.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ATI Display Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe"C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe"C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe"3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe"C:\Users\Admin\AppData\Roaming\atidisp32\atidisp32.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\directory\CyberGate\install\server.exe"C:\directory\CyberGate\install\server.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\directory\CyberGate\install\server.exe"C:\directory\CyberGate\install\server.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
224KB
MD5d6ea4409086bd4ec01a84a18cda5a535
SHA19606f93c4fcf92136f2d31dbcb167b3e36cc9a8a
SHA256ff6535ed743552794dca4b2df6849e1e3f26e300ec3b4379c3a20334a731570f
SHA5123471692ddf337afa9844e4b5c7462d04f97db7607a4e99a80ccafc9b46835d1e39e40b9ac4159baf7b2ff831046d89fb651627eeed8a5eeb4adf4f8984074bed
-
Filesize
8B
MD5f18a7d129c018d9bfca05e28068af053
SHA10b7bd1d45577281c4ff0608ba03066423d62ed3f
SHA2561dd9a1ce47c1e6499a474afe9abcfa8e60461f4138fc4cf6ecd57b5cdc094013
SHA512d7bbe18f61af4c76af453e4bd39822d11527bda68fa0fd488aafdd65d92c427bc651092b85c44eb02c10f5ea759297f6f9e98dc0634d323745041a829975430c
-
Filesize
8B
MD5c2ee01251bcbb7634148c02ddca40516
SHA14b721a570a3f671e1ae98d36767a5ad7fcc50135
SHA256deb222c90736afa2295618517f7e47dbf9d2899190b34a2d795b86b38be85ce6
SHA5123943921a94b253913909aac3e04befd373c6698ff0949a5a7792004444f8466525af10cf9cb009c4f6f32067b07dc6b7c8d9e6d160fa6d368616ad382ea99c45
-
Filesize
8B
MD5055953e860a2dcb9dd264adab997aafd
SHA1c378e4ca76834ca845b12b7cfd2057532803d918
SHA256b409e35b91d31369933a0785d86f5ec4104ad21dce5a239523d746c661254fe5
SHA5120b34cc498c4b8186134946e1f4a3b35e9b73797da26ba802636be0da422a8e21ef61540b902982ff9119528df1701342b1ef95a0f58aa8875cf932b55bbde178
-
Filesize
8B
MD58f5a8c72fda8fdc129d48de6cc078e0a
SHA19868291739d91798758b9fef2c4d86a9a90ca034
SHA25651370dddc0f38ff2c7f066d27d6740b119c8b690f0e5bfb0ec0e72fe30fc3ce6
SHA512f4590d5a1ea53883e8d9555cd60ead91245a69c555496b80aaf7f0aaa3899ca1f45e5481cbfebda2da966989eb34fefbd71c8fabe9dc6e0446352790785c206b
-
Filesize
8B
MD5fb869f74a335e02972ccc0134866ddba
SHA157556b959e957f5adb6acfa25f948005270d34eb
SHA2560e5f56b1b9c7edce1489a4d072ff50b698f41d7137a071a933edf9751915e0e5
SHA512a676181e3813e095fa98918c25d0e43e4543bdc0085ea9f446ab42c734200e2b36e88994cff7c1553255e95ad0b77648434672205921d2b6bd10dc95be00a450
-
Filesize
8B
MD5a615dfeac5bebc12ef2a6fad470a53ee
SHA156bbf65f7dcad96aa7bc3611ee4f543bf59f6dd1
SHA2565f354d616e2ba04fad81513046606e23d19a2b5bef810a537a118e5d9f081f85
SHA5126796084d2d81ac60efe1021db29a25e25975762652b73c0c1f8590358caec55a3569b693a6396e5d4a3d31d4a9d81623e5c9861d83ee5a080f878f8d48dbafc5
-
Filesize
8B
MD5beb893c03e0092fb73ebd13cf7a24cff
SHA14b5b9a1601ed90161c047a2a1574a6063c4603bd
SHA256e44bbc7f400cdb8178c42c03e94c7781c37803fed84c5af40cb31e614e287e09
SHA5128871c3dedfa955298d411963acf9cb773773f66b96cb7191a0569f67d8aafedf32d61080d1856569f30c51234f56490cc7b103dad5499236b98ba812988de90b
-
Filesize
8B
MD5d3d40b21c1b0475abb6f206c286aed0f
SHA16e87b733754ad2d2f0753b02bdebc377dcd0630b
SHA25600e1f84f9a6517e4d54263e1fc0f64627681d97b5d42fb46d2b07a91128795f7
SHA51258adf6900b28fde2e5807e750750381ef8164d742803658be7b1f8cb305fa87a343ce970825bb8aa5a54a40c1b604cf8e5cc0d2f585e5eafd345893617a66f67
-
Filesize
8B
MD5dc6a754f17b3dc5b82d0cb146a0e7d54
SHA1700e4a32692390995a37a435e17c1e219723e06a
SHA2561b2ccb37604a3959658f4f1625435e3d227b4decbd8423c6d2f98018a24a80f0
SHA512f81c559d94aa8c166f4ac4e04343ebb1734aa6aa1604d4432cd2615dec373d0b8961ae952d16ea39243539856a0de879a904f6556fad69b3ad37ea961dfded77
-
Filesize
8B
MD5cbd7c9cf2867915e3923f175ff70dd31
SHA121deb25853dfc9025349881b73757a087f2fbe4f
SHA256e47dd50512acb41f7bafc4f0053edf0d4f6e4c5a946445e389cc513d600b0b7b
SHA51231705589b2bec81418e43a2ad5b78b65931182d708ac948b5cc6867e0af763e766ed4de51b34838d169d3077c3bc4a95a426927a8721ccd5ff2830a99eeb0c50
-
Filesize
8B
MD5567137f5bbd7724ef2bb0ea27cc1cb1e
SHA19134890c771dd679b1513a98b9e973eb4c6a9f72
SHA25657fe8f944b7b4efcb3cb677178321904832bf79337e69207b247326b1e013ca7
SHA51251dca8bc1f4f2e65a12fd488219d693e4f06a6119f364532a103d4d61ab2abb3285ec77b7965259a76d3d6c758683e1d4d8bdee40539a883dc8638e15dbb258e
-
Filesize
8B
MD54161004b605e41f30c095d37303e5595
SHA1e421c69c1d4c0312a8debb3ba29888c6d5b49235
SHA25624b0f378d9c284f175d2b39ff2ee510af21d3ce6f7b9009eab49d2b5d0a357e9
SHA512163a93c1ebcf3818bf2b96e4947f61d03d69e9881f59eb9c8d3d40f0b5eb245be1a44fb6f83aac866ebaaa098b4313a0962268b210ce361da903f950c707042e
-
Filesize
8B
MD5012c446180b49856d3fe75ba6adc3854
SHA155a575fba5a9fbf6e16a6e90720d1e8a3b015d7e
SHA25606c4bbab306065ae9f4a4574585badc078fb16fa6ecb70be327e2ac0cc54ca71
SHA512292af773a98d73e5a3f22e9fed9481a1f48609c76e18add94f0056b877dca33813cc1b2c96ddcee6113ff34c21d7384db333c1364ba614c9d97cdb5511bca313
-
Filesize
8B
MD5259bee2370c650b30ec38de033758a6f
SHA1391ba98505b761dabfec0b95733e59242251573c
SHA2566925c34d0c41ed3ae5138ff0b26aa2b2abda60282dddb54a97b22acf60d17c14
SHA512bef835daf39ea5f363a0310d398bc6cc0aba22e866f1f8be9959bbe19f5f714a1b84ad966ac6865b9067db6b488bf4cec124df13dd8ee9c2fbe048bbd6c9e87a
-
Filesize
8B
MD5a8e5a56c51c51699ea81da6a18661df2
SHA1e5aca7d6ffa733ccd40b2b4ba72385a4419adfbc
SHA2569a5fcb5f2b6a2d8b55cb92b18be824939e46bc8bf31e2c4d573671e2e4fada09
SHA512586d04fe40c037e429fadbd7055407f211239af2fe385fe5ffa515f183eee15d903c10232bc4396b3ca0780c2674dd9f5610c848c6e797f6bbd3e68537cb0133
-
Filesize
8B
MD5d8bdf0162678003d27986a8d44742739
SHA1a17d675d318e28edce4c1c0343702b781d5c5b66
SHA2569b15d46dfc40e883f2847b4e19f203b1ab617c3480ed85bb2e6253f89b897cc2
SHA5124d6e938594989c73b32ac02077f700480daba7693d7b2e736ccfa7b7e8f68301c840fc4fba9238e29d9d381365ca2ce5066201808aacaabbdeae7d2802e819cb
-
Filesize
8B
MD5d99dcdce1d0b095f81ef996bb8b42e78
SHA1f7320b922ebaa1b6d2d3c3b02707e289f7536c34
SHA256225fde540f5636ec0876357c967c5ab43d34855c62e0b00382139d17d411916e
SHA5120507f9f484067773aad78de7268e07af57ab8c33e78af8564ee9b4d6ead01e50104cf611c16afb34af756510593aea3c774851a6d5cd288f575fb7ad2a56e25d
-
Filesize
8B
MD5a6e0932c9e1dc93513ec34b8021fe3c8
SHA17ef3a28b177ac0b124f166d874788fde6ff58449
SHA256158735e81dbbc59d847a6be6ea6188ec268e7abe8123c1e5acd8f740e77e8f73
SHA512dcc44013a3719342b3a08e94dcbce80214509ab58119880046b87415a3ab7a0c74eb664d11ba75fda5a120d086cbfdcf57a9a92e7d377fbd0b27feb8bd7ed206
-
Filesize
8B
MD58046d4dc161bdcdec625e5685b221710
SHA1e1288a9bf33e9fbe7a947606e3cb57d322d72e80
SHA256f9c4ea4845597fa0df3ad4b07b04a8cd8961bc08871dc501ee408ccc6ebe3709
SHA512730be9698ebeab26affe7ca4756d657d01e93fe47d40cbd7771296b349adcbf3bbb4c11ad9b37ff6dffe8e625254a8cbef99a99cb14079681523925967b101cb
-
Filesize
8B
MD58eccade08211475edf0222db995f81a1
SHA155efb025afaf4bbe4c05966d98fe6bc9bf5bdf8c
SHA25672baafecbb9065a34fc1e94d475a0384fb09535ead3b751ec74c19a35990a32d
SHA51223ed19f9b85a69a6ad178593ce964df842d557e0f9a2c2ccea7f2c537b62f548519a617ac97f3a4697ad73a2b4970c43cd65cb4990a21c0adefacab0e851441f
-
Filesize
157B
MD515caf9d73a10032703086477c78f8a06
SHA179ff878df3b774ff5ad2bf54ad3a41d990cf7d31
SHA2561ef63f20b9f52b2e1f8c848a9218b7de1b7cdbeea178f3a6646a4014d0b1083e
SHA512b6daae9fad92225e4e539a722f81df60958d9708ce7c275932b59ca27af4f148255513159391cec2902f2a4a16d6e1e6ecbc77e482a1fa1ab6a409b3f0a409a6
-
Filesize
15B
MD5bf3dba41023802cf6d3f8c5fd683a0c7
SHA1466530987a347b68ef28faad238d7b50db8656a5
SHA2564a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
-
Filesize
341KB
MD5c529feb6ee32ab7437fdae205e318cfc
SHA111d0d160c7f6e62554f2d6fd59b5fff301379a8f
SHA2567b7ebcaee4ccdd40dcd63aaba90c337de85d65a19a8db44a6fbef8620327345f
SHA512caec3b0cdbd0ef38b8be502cbcd3bcad53b6f7fa685a537b289cd2baf2bad6bcc45ed80a1d2412e93612e89f1b6be4a081860ba1fc36830126caef5d289161d3
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
404KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
404KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.4MB
-
Filesize
1.4MB