cybergate | 275778d4ed6e4798c4e523c35c6bf2bcf403a872a7dfc3e748191faf8e67ea79

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
Size

746KB
MD5

d1ec6694c9806c6a41898c60dd084030
SHA1

b620252f74a58803431f0430f9942d32ed96e7ee
SHA256

275778d4ed6e4798c4e523c35c6bf2bcf403a872a7dfc3e748191faf8e67ea79
SHA512

95de98f1260712136386399e3274e8e01f647d7611b7350e69c38ec5a717a9f98f27e2f4f16c83549f85b1a28e76c9665a9ecff1f36276fd85a6ac9cfcb9a032
SSDEEP

12288:3e5Pcc8f3JNzNwEhQYNk/TUQengaFs//Vgs6+VFjPAR8zJDEu577sAc7Hr1Fhr9F:3eSOM+VkuE7HBrYYZ4

Score

10^/10

cybergate 0 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

damassi.no-ip.biz:82

Mutex

3635M888S8FD70

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Core services
install_file
services.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Album cannot be opened
message_box_title
Album Error
password
qwe19
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Core services\\services.exe"	.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Core services\\services.exe"	.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3M4OXWLT-L2DB-E816-0U8A-1D785YIAB428}	.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3M4OXWLT-L2DB-E816-0U8A-1D785YIAB428}\StubPath = "C:\\Windows\\Core services\\services.exe Restart"	.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3M4OXWLT-L2DB-E816-0U8A-1D785YIAB428}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3M4OXWLT-L2DB-E816-0U8A-1D785YIAB428}\StubPath = "C:\\Windows\\Core services\\services.exe"	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	.exe

Executes dropped EXE 3 IoCs

pid	Process
4924	.exe
1380	services.exe
4060	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Core services\\services.exe"	.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Core services\\services.exe"	.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4628 set thread context of 4924	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	85

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4924-7-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4924-10-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4924-12-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4924-11-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4924-18-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4924-19-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4924-22-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4924-167-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Core services\services.exe	explorer.exe
File opened for modification	C:\Windows\Core services\	explorer.exe
File created	C:\Windows\Core services\services.exe	.exe
File opened for modification	C:\Windows\Core services\services.exe	.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
4924	.exe
4924	.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1948	explorer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
Token: SeBackupPrivilege	1668	explorer.exe
Token: SeRestorePrivilege	1668	explorer.exe
Token: SeBackupPrivilege	1948	explorer.exe
Token: SeRestorePrivilege	1948	explorer.exe
Token: SeDebugPrivilege	1948	explorer.exe
Token: SeDebugPrivilege	1948	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4924	.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 4176	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	84
PID 4628 wrote to memory of 4176	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	84
PID 4628 wrote to memory of 4176	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	84
PID 4628 wrote to memory of 4924	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	85
PID 4628 wrote to memory of 4924	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	85
PID 4628 wrote to memory of 4924	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	85
PID 4628 wrote to memory of 4924	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	85
PID 4628 wrote to memory of 4924	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	85
PID 4628 wrote to memory of 4924	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	85
PID 4628 wrote to memory of 4924	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	85
PID 4628 wrote to memory of 4924	4628	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	85
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56
PID 4924 wrote to memory of 3436	4924	.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\winamp\.exe
    C:\Users\Admin\AppData\Local\Temp\\winamp\.exe
    3⤵
    PID:4176
- - C:\Users\Admin\AppData\Local\Temp\winamp\.exe
    C:\Users\Admin\AppData\Local\Temp\\winamp\.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1668
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1948
    - - C:\Windows\Core services\services.exe
        
        "C:\Windows\Core services\services.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4060
  - - C:\Windows\Core services\services.exe
      "C:\Windows\Core services\services.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
574033fb0a37a48e0425b3b9d0894b84

SHA1
2c8d495139921f0eb107aa79700c4f10e8b4b1d8

SHA256
5038d41694c5d88fb4b6d10db7e2d40af18242762ea5e75e5533f7d6efc35091

SHA512
56a378915cd6c33becf7b40e4f0f4e1dfb4960e3cabb5a4358bbccea52f993951d6ed35fd3c4ef86efe13685647d3a6adf44486d6b319bad73552bc7722a7e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3915d54883f66144f9c9340d10256d59

SHA1
da17ac8f68afaa437125855c60a7091fc7b5ed18

SHA256
eda5c5faa23b797e1be6ded19e2deb312e4b4ea86a400a3cd732cc29f052cac2

SHA512
d721730f0befe9eb7e97af8a6a1b7e2acf24acb52820ec5141c298cbf5a2b2098aa5b211cc6c2ed122b86663b59141425fe564556f948816c753350fac73a5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
526b815807fa0bf12e0316993f48e928

SHA1
0f5d4db74704553666e1eaa7aab6d156c54043ed

SHA256
193115e9730a5c654a3164fbf7d992b64152dfcb61c57896bdc0ba09312b25fe

SHA512
0591ee9c7dcbfd0bf1249316ce407e57807e5b675e3a3a1f23d3a90af67ab242c7ea15ae3c6223fea06b84e31dd473513a8908c760b26ab60e721eccf7722a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
440a6539a09ab9005de24d65300e8cac

SHA1
dfcd7eb1e6bdb7f0d50545a0763c1065fd8d0509

SHA256
16a6727d15b3ff093000d72d2bef77d76239e346438c1314e8f06ac38256038d

SHA512
e9579c7f411a404395ad08fd4ef3320ccce733a5a77f9ad19f2fd299c3439de912618c961b4ef8fd4c04ba440e0ee60b9fbf11c401386e72fc8eac50032b7c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dddbfa79de1c92c46ae0a289ec94985a

SHA1
c58c865e556c0a89523affae2919d15bb49e108b

SHA256
0d6f532dd139ae711c238da853a614cded36fe853d802c10f7a23b29efb09b3e

SHA512
c7ce6aa69867590ceda7325cf7690760d973fb859e2e936ce3bd28bc801c461cc1354bf785eb34c7da102dd1d0e3ade5b45e089b815ccff467071168e3c40ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\winamp\.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/1668-23-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1668-24-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1668-172-0x0000000075150000-0x0000000075212000-memory.dmp

Filesize
776KB

Download
memory/1668-39-0x0000000075150000-0x0000000075212000-memory.dmp

Filesize
776KB

Download
memory/1948-177-0x0000000075150000-0x0000000075212000-memory.dmp

Filesize
776KB

Download
memory/1948-92-0x0000000075150000-0x0000000075212000-memory.dmp

Filesize
776KB

Download
memory/4628-14-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4628-0-0x0000000075212000-0x0000000075213000-memory.dmp

Filesize
4KB

Download
memory/4628-2-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4628-1-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4924-12-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4924-167-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4924-22-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4924-19-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4924-18-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4924-11-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4924-10-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4924-7-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download