cybergate | e4d1e8c9d7f6ef0b331cb34273e517386c8a9006d4ce547f751f4a36de20d532

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe
Size

705KB
MD5

cf388a414b9919b6156d9bc30d85053f
SHA1

ab484855f545cf8b8dc54dfaa4504c3904a02a48
SHA256

e4d1e8c9d7f6ef0b331cb34273e517386c8a9006d4ce547f751f4a36de20d532
SHA512

b51c91786ea0bcf9bf578e96d4d0704f22e8b8ef5cd1f741d6c1c46a61cd79a5c88feb9170f8193d4beebf822cb57b941aa2ade95d75c19737ca1219190daf49
SSDEEP

12288:KC4ol1xcGCZplbm2DBBosRAyt1n7TAQgt58Hror1p76qc4U8kfQlrBHB7UG4EwIp:N4o1xC/DRAyt1n7ToH8Hsyqc4U5fgrF/

Score

10^/10

cybergate vítima discovery stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.0.1

Botnet

vítima

zorra.no-ip.biz:81

prj.3utilities.com:3535

prj.no-ip.info:4545

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_interval
30
install_file
ieplorer.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2500-18-0x0000000024010000-0x0000000024036000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1812	844	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
844	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe
Token: SeDebugPrivilege	844	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31
PID 2500 wrote to memory of 844	2500	cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cf388a414b9919b6156d9bc30d85053f_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 468
    3⤵
    - Program crash
    PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
42KB

MD5
a7a09a646d9d72d5307993228a5a9934

SHA1
efedbcc37b16b6d64eddfe557f2d7dc9e22a131e

SHA256
cca4443018849c0e97844e4f52bcd21e2c8abe4d6dc83015ec61b64698cdf046

SHA512
a02699bdb36debf9a633c9de3f4293d52247f60defb8e6c9a033d21fbf7ad6817932a698858b86f16f48cb28d554cc417ce5d778d0eb6c532ffb97e3341a37dc

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
7ba6003a8895aba16039ad4a2d9f3465

SHA1
d1a24f8b756d768a304e82fa934dfb6ac3194244

SHA256
8ac6ea31dd72be422681a7fbdf67a0c2657a957974e2cddad0384d50fadfbd30

SHA512
325df2dd25ed5ecf498ea84605544ad2f1741f72be1c18ef41ad7c2b2a3bbd7edeb380b2b1d5507765d9123d3611eccb0be2faf88ff489f1c35193767c223630

Download Submit
memory/844-33-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/844-19-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/844-47-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/844-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2500-6-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2500-45-0x00000000037C0000-0x00000000038A0000-memory.dmp

Filesize
896KB

Download
memory/2500-11-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2500-7-0x0000000000330000-0x00000000003DB000-memory.dmp

Filesize
684KB

Download
memory/2500-1-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2500-5-0x0000000002030000-0x00000000021C7000-memory.dmp

Filesize
1.6MB

Download
memory/2500-204-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2500-46-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2500-205-0x0000000000330000-0x00000000003DB000-memory.dmp

Filesize
684KB

Download
memory/2500-8-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2500-44-0x0000000000411000-0x0000000000422000-memory.dmp

Filesize
68KB

Download
memory/2500-3-0x0000000001E00000-0x0000000002021000-memory.dmp

Filesize
2.1MB

Download
memory/2500-18-0x0000000024010000-0x0000000024036000-memory.dmp

Filesize
152KB

Download
memory/2500-10-0x0000000000330000-0x00000000003DB000-memory.dmp

Filesize
684KB

Download
memory/2500-9-0x0000000000330000-0x00000000003DB000-memory.dmp

Filesize
684KB

Download
memory/2500-4-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2500-2-0x0000000000330000-0x00000000003DB000-memory.dmp

Filesize
684KB

Download