cybergate | 60883f506c49b1b29581ef3dd64c59c2ffd9e4e949e31d0cbd48db969eedbdc3

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
Size

236KB
MD5

da3395f792837920c7dbcb81e638d946
SHA1

e66102cb41c1cc2407302dd1f9304ea19d417eef
SHA256

60883f506c49b1b29581ef3dd64c59c2ffd9e4e949e31d0cbd48db969eedbdc3
SHA512

3b14be57ba8c440a5cc097a66bec4fc34a27d8b168b749939c9828dbb74bb97a2bea649afb34b16eb9f48af16f34d9da546c112d493ff4bf626654809b7039b4
SSDEEP

6144:evzb3yNkuHrZcQOOXjNWyFr7ApxjmGYxcBK9:ejY9FUKQgP3my

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.2

Botnet

vítima

leon21.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
calc.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0NPTYWC-YS00-01C6-2K21-66R17W76V0YS}	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0NPTYWC-YS00-01C6-2K21-66R17W76V0YS}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0NPTYWC-YS00-01C6-2K21-66R17W76V0YS}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0NPTYWC-YS00-01C6-2K21-66R17W76V0YS}\StubPath = "c:\\dir\\install\\install\\server.exe"	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\server.exe"	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\server.exe"	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2248 set thread context of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1964-24-0x0000000024010000-0x000000002404C000-memory.dmp	upx
behavioral1/memory/1440-438-0x0000000024050000-0x000000002408C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2616	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
Token: SeDebugPrivilege	2616	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	30
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21
PID 1964 wrote to memory of 1192	1964	da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:1440
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\da3395f792837920c7dbcb81e638d946_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
137KB

MD5
090a850d017840986fa6a6d2f7571cd6

SHA1
bb61c917b086ffdb82cd913065f9cd55a2ad6b0a

SHA256
a6b0ba3f39ea34954a30ab3bc6803b3f1c3cabad12c0e446e9e799b8bc063b19

SHA512
7428da6cffdc14c45afa9a3a5a41ae9aeb08ea24872d2972aed848e89277cd43aff12b191e444b2a5fe8c3e991117dae12c91eecd5b0ab763c8313d54363ba4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eae66bca4b829a32e7b6a8794564933b

SHA1
01dbdc85a9bfdbaccd6e6a6fb884eb41af05880c

SHA256
0ed4da8fda20876408ae1b29ff5baa8daeecc1f1111edea5a370ae22ef923b32

SHA512
a2cd8d132b3462ba6544ca51ac5478a52d9c589d97f35ec0ed22500f43f36605b44297acc4548e179b3eccf1da1f0f74e5f41b3f025f6a7665d2cf6ac0796c3e

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
86f3c87caff4d7973404ff22c664505b

SHA1
245bc19c345bc8e73645cd35f5af640bc489da19

SHA256
e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

SHA512
0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

Download Submit
\??\c:\dir\install\install\server.exe

Filesize
236KB

MD5
da3395f792837920c7dbcb81e638d946

SHA1
e66102cb41c1cc2407302dd1f9304ea19d417eef

SHA256
60883f506c49b1b29581ef3dd64c59c2ffd9e4e949e31d0cbd48db969eedbdc3

SHA512
3b14be57ba8c440a5cc097a66bec4fc34a27d8b168b749939c9828dbb74bb97a2bea649afb34b16eb9f48af16f34d9da546c112d493ff4bf626654809b7039b4

Download Submit
memory/1192-25-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1440-438-0x0000000024050000-0x000000002408C000-memory.dmp

Filesize
240KB

Download
memory/1440-214-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1440-213-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-10-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-20-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-24-0x0000000024010000-0x000000002404C000-memory.dmp

Filesize
240KB

Download
memory/1964-18-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-6-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-4-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-288-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-2-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-12-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1964-700-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download