Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-12-2024 10:38

General

  • Target

    CYBERG~1.exe

  • Size

    324KB

  • MD5

    66a881c43f39821a1b0549b5f14a8d66

  • SHA1

    c8928788664acab21d64872ffa6e36374f406adf

  • SHA256

    8cdf60f38753481c688f6a12e26e6edeae19e2a781313bd01d802e53c66a6c31

  • SHA512

    8ffe3e90ff53b978ab840dd043014ddf75f014fa2e0b6aa57b36c01ad39a6306934d09a86aad7209adfd2c033833c30d4cf0819fea3f43cb1ba3ccc0796cc4b2

  • SSDEEP

    6144:XGWhtZitMYUH/abBAMMU6NStDQdRa1+IBfkeSDh+UsJA3XQyja/GqkrJOoXY:V9tzH/MKlXN5u1Zkeg+Usq3AyjaGqklz

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Jonah

C2

jonahjameson.no-ip.biz:100

Mutex

L7Y726M8KC7VN5

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3536
      • C:\Users\Admin\AppData\Local\Temp\CYBERG~1.exe
        "C:\Users\Admin\AppData\Local\Temp\CYBERG~1.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Users\Admin\AppData\Local\Temp\CYBERG~1.exe
          CYBERG~1.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3672
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:512
            • C:\Windows\SysWOW64\install\server.exe
              "C:\Windows\system32\install\server.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1424
              • C:\Windows\SysWOW64\install\server.exe
                server.exe
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4896
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 588
                  7⤵
                  • Program crash
                  PID:712
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4896 -ip 4896
      1⤵
        PID:4192

      Network

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

        Filesize

        224KB

        MD5

        81fc4abeaf078a1ae0cc553a755819b8

        SHA1

        66cb0ddf7bcd1f41aea6e938f64d186db2d1493f

        SHA256

        e0c94bc9c07bf96267a9cb968b5d5e101234cff157ab7b8a5f289531ca5273a5

        SHA512

        34b4475225452b20bc2be03692ccea03a3570e7f3275aabb011ad449e16df6f0fe949dbbb77d5c17ef77645c593da612742d902bad8f8585afef848614cdad6c

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        5d02bc2128fd3afa49a49c77c09b7d04

        SHA1

        2c53510b72fb68ab2fdec0ae656969e846c699ff

        SHA256

        06e045fb11d0c3ad8e4890f5b8a371a93d38cb279954db82409689a36e1abea0

        SHA512

        34cf365ddc4faa6f82047bf23ca8901ad5b21f9b9f7a8c634b88d8584b2b82a5a50346c3ea9aea599f431091fa173a10fcdc88f119a2bdb7cfd6f5becc8476b9

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        4ab4d6e7924e7afc0d3cc58dbe8a2dab

        SHA1

        ba2bc60b2a49482d5df750cb3bc005e210796174

        SHA256

        1e7ec29ab47e9585ae0c7bcc132f0249075538811f04021ce71e7ac7287d9031

        SHA512

        c51b4ca92513052528899dcde31d6abaa5a3fb4cdce027fc27faa1e884ff2e86be3fbb08f7c2d843c13ba78f801bd71fb24619331ea7b4abf489f0dbbfac30f4

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        03ceb99a85c6f62eb7ed71b0a9790799

        SHA1

        799c20ea0aa5013afb07a0b0e29846cb235ab4ba

        SHA256

        40fc514d0fbf34b05eb95b2e9869a47c2a9ce778322caa62015b2524459b7a5d

        SHA512

        a0036ee79b4cbe818aeec4e917c0ebe6e9783e81b1426613c6ba9b5ef11623d1b901e2022f5a17e924925506232e1315be16462f9d0da76b126560dd727f759f

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        913fa4c4ee0ec264badbe795576af2ac

        SHA1

        6237a29586a90dd0845bc45c309a81dfae4144b4

        SHA256

        a962527285e846441bf352570b34efa1b311fc5333c3330358780d538b7f44e1

        SHA512

        4687a54b3808f04a42257e42a20a3d98d0f2d51656f1bc17ea91842059dd28fea0c281922be461fca204b73862593db6238d50da708885f87be00eb6695bb824

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        a0327b4626f9bcd9a23e6e6311d0e4f2

        SHA1

        d026312837391f349e8f01204fa204da20037fda

        SHA256

        fa7d87d12e7c67fe5f0cd3c12927befe5a5e95a305f75139eea88cc13df7469a

        SHA512

        00fa9bb8fb7300a3a299524d6d945ec061c47c6b52cabbbb9f87e6d317f9ebafd3a165859bb1414e73b6474e98272b1f1e30f2ffe00793b2c19f642185ed2456

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat

        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Windows\SysWOW64\install\server.exe

        Filesize

        324KB

        MD5

        66a881c43f39821a1b0549b5f14a8d66

        SHA1

        c8928788664acab21d64872ffa6e36374f406adf

        SHA256

        8cdf60f38753481c688f6a12e26e6edeae19e2a781313bd01d802e53c66a6c31

        SHA512

        8ffe3e90ff53b978ab840dd043014ddf75f014fa2e0b6aa57b36c01ad39a6306934d09a86aad7209adfd2c033833c30d4cf0819fea3f43cb1ba3ccc0796cc4b2

      • memory/512-173-0x0000000075040000-0x0000000075648000-memory.dmp

        Filesize

        6.0MB

      • memory/512-160-0x0000000075040000-0x0000000075648000-memory.dmp

        Filesize

        6.0MB

      • memory/512-159-0x0000000075040000-0x0000000075648000-memory.dmp

        Filesize

        6.0MB

      • memory/512-144-0x0000000075040000-0x0000000075648000-memory.dmp

        Filesize

        6.0MB

      • memory/1400-7-0x00000000750A0000-0x0000000075651000-memory.dmp

        Filesize

        5.7MB

      • memory/1400-0-0x00000000750A2000-0x00000000750A3000-memory.dmp

        Filesize

        4KB

      • memory/1400-1-0x00000000750A0000-0x0000000075651000-memory.dmp

        Filesize

        5.7MB

      • memory/1400-2-0x00000000750A0000-0x0000000075651000-memory.dmp

        Filesize

        5.7MB

      • memory/2384-3-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

      • memory/2384-14-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

      • memory/2384-4-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

      • memory/2384-6-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

      • memory/2384-10-0x0000000010410000-0x0000000010475000-memory.dmp

        Filesize

        404KB

      • memory/3672-81-0x0000000075040000-0x0000000075648000-memory.dmp

        Filesize

        6.0MB

      • memory/3672-16-0x0000000000B60000-0x0000000000B61000-memory.dmp

        Filesize

        4KB

      • memory/3672-15-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

        Filesize

        4KB

      • memory/3672-78-0x0000000075040000-0x0000000075648000-memory.dmp

        Filesize

        6.0MB

      • memory/3672-76-0x0000000075040000-0x0000000075648000-memory.dmp

        Filesize

        6.0MB

      • memory/3672-77-0x0000000075040000-0x0000000075648000-memory.dmp

        Filesize

        6.0MB