cybergate | 3ebda0ff978eeeb7406fa80939eaf0c926854d98e5d34db3cdfccb8928919ac4

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe
Size

489KB
MD5

de3182d260d05ade166ad8a690e689f3
SHA1

0adad20c48925a34dbe18f056452741572509aec
SHA256

3ebda0ff978eeeb7406fa80939eaf0c926854d98e5d34db3cdfccb8928919ac4
SHA512

58ff3796929d7f511c6fcad4d882ab9002ebe9e9f5c4c2f4bb1d49737400b41080fd6a8e4e99cba8fc5b85b62c884be5f577def5a568c4fc732efc79bb0b008e
SSDEEP

12288:XiEoRH5zRGr0OB/TbLRrqD2ff8CcAIRY78N4EeK5:TmHTda/DRrqS0C78NP95

Score

10^/10

cybergate msn discovery stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.2

Botnet

msn

metahack.no-ip.biz:288

Mutex

Mop

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
system32
install_file
taskmgr.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
I Love You
message_box_title
Love
password
abcd1234
regkey_hkcu
system
regkey_hklm
system

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1032-12-0x0000000024010000-0x000000002404C000-memory.dmp	upx
behavioral2/memory/2284-81-0x0000000024010000-0x000000002404C000-memory.dmp	upx
behavioral2/memory/2284-80-0x0000000024010000-0x000000002404C000-memory.dmp	upx
behavioral2/memory/2284-65-0x0000000024010000-0x000000002404C000-memory.dmp	upx
behavioral2/memory/2284-72-0x0000000024010000-0x000000002404C000-memory.dmp	upx
behavioral2/memory/2284-71-0x0000000024010000-0x000000002404C000-memory.dmp	upx
behavioral2/memory/1032-60-0x0000000024010000-0x000000002404C000-memory.dmp	upx
behavioral2/memory/2284-103-0x0000000024010000-0x000000002404C000-memory.dmp	upx
behavioral2/memory/2284-116-0x0000000024010000-0x000000002404C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe
1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2284	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe
Token: SeDebugPrivilege	2284	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84
PID 1032 wrote to memory of 2284	1032	de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\de3182d260d05ade166ad8a690e689f3_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

Filesize
8B

MD5
75cc4cf8c30179887bd9b7d6daa543f3

SHA1
2cfdfeb462d909cb8f84fd4e98f89f31c67649a3

SHA256
c9faa632894fad3996dd71badf539a0361cc5353c013811af80af9b2b662607d

SHA512
7a7bb01f0d3db327de8420463ac2e86d914385a616a52fd1392663a9ea012d87e0e9d18507def8dfc9a505ec51efedcd17054f095871eda682bb859e74708ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
137KB

MD5
3a2c4dae2c6dc28f9988841b6f8e18c1

SHA1
14b6296d702fb6affb79c8dec7aacf35d9c1b70c

SHA256
dbfbb6ea9303f55bbb01bc7743c623728739c39d63e223f64d319e79b34ca08e

SHA512
437fe74506abffc2c8b552003029f2b869475b1100390cba2f609cd0cdf46f61bd1b78081ac88d0bfefd99f151c07729f5462470167fa2699a153cdda8aeadf7

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
86f3c87caff4d7973404ff22c664505b

SHA1
245bc19c345bc8e73645cd35f5af640bc489da19

SHA256
e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

SHA512
0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

Download Submit
memory/1032-4-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/1032-10-0x0000000076F51000-0x0000000076F52000-memory.dmp

Filesize
4KB

Download
memory/1032-3-0x00000000008E0000-0x00000000008F0000-memory.dmp

Filesize
64KB

Download
memory/1032-8-0x0000000077743000-0x0000000077744000-memory.dmp

Filesize
4KB

Download
memory/1032-7-0x0000000000660000-0x0000000000663000-memory.dmp

Filesize
12KB

Download
memory/1032-6-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/1032-9-0x0000000077753000-0x0000000077754000-memory.dmp

Filesize
4KB

Download
memory/1032-79-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1032-12-0x0000000024010000-0x000000002404C000-memory.dmp

Filesize
240KB

Download
memory/1032-5-0x0000000077752000-0x0000000077753000-memory.dmp

Filesize
4KB

Download
memory/1032-60-0x0000000024010000-0x000000002404C000-memory.dmp

Filesize
240KB

Download
memory/1032-73-0x0000000000540000-0x0000000000579000-memory.dmp

Filesize
228KB

Download
memory/1032-2-0x0000000000540000-0x0000000000579000-memory.dmp

Filesize
228KB

Download
memory/1032-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1032-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2284-85-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-72-0x0000000024010000-0x000000002404C000-memory.dmp

Filesize
240KB

Download
memory/2284-91-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-90-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-89-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-88-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-63-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/2284-84-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-80-0x0000000024010000-0x000000002404C000-memory.dmp

Filesize
240KB

Download
memory/2284-52-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-69-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-68-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-67-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-65-0x0000000024010000-0x000000002404C000-memory.dmp

Filesize
240KB

Download
memory/2284-64-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-19-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2284-81-0x0000000024010000-0x000000002404C000-memory.dmp

Filesize
240KB

Download
memory/2284-71-0x0000000024010000-0x000000002404C000-memory.dmp

Filesize
240KB

Download
memory/2284-14-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2284-13-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2284-103-0x0000000024010000-0x000000002404C000-memory.dmp

Filesize
240KB

Download
memory/2284-104-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-105-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-106-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-107-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-108-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-109-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-110-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-112-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-111-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download
memory/2284-116-0x0000000024010000-0x000000002404C000-memory.dmp

Filesize
240KB

Download
memory/2284-121-0x0000000076F30000-0x0000000077020000-memory.dmp

Filesize
960KB

Download