cybergate | 7df8e50eedd280499aa3ac256252a3cb799b1f82dc38d4df618bb2195305fc71

Analysis

max time kernel
73s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe
Size

548KB
MD5

f4811ad4fe287118e101c94bb1684ca2
SHA1

ab0e1ea9c4cee2af67765d8d091077915a1d1227
SHA256

7df8e50eedd280499aa3ac256252a3cb799b1f82dc38d4df618bb2195305fc71
SHA512

10de22573d3bc95b31c195858ff51ed08343e4b43659f6bc26a0915f769f80c2bb1971a29b25d518174029f223b4b0229ac1bfff504d46651a61ff78d46cc620
SSDEEP

12288:AFBRszVMMbJgeS4dIhSDpuwnhXWQA81BycP8HJyk9ZxNQT6:0szVSej7BnNWQP1cnHJykfxNQ

Score

10^/10

cybergate remote defense_evasion discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

chonchon.no-ip.org:22

Mutex

HLXGSDG76WQ388

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Sys
install_file
ping.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
svchost
regkey_hklm
svchost

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uCQt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsc32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uCQt.exe"	uCQt.exe

Executes dropped EXE 4 IoCs

pid	Process
3012	uCQt.exe
3040	avgg.exe
2512	iexplorer.exe
3004	iexplorer.exe

Loads dropped DLL 6 IoCs

pid	Process
2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe
2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe
3012	uCQt.exe
3012	uCQt.exe
3040	avgg.exe
2512	iexplorer.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2512	3040	avgg.exe	37

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2512-44-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2512-42-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2512-39-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2512-37-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2512-45-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2512-46-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2512-49-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/2512-206-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\uCQt.exe:ZONE.identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uCQt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\uCQt.exe:ZONE.identifier	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1236	2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1236	2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1236	2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1236	2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	30
PID 1236 wrote to memory of 2916	1236	vbc.exe	32
PID 1236 wrote to memory of 2916	1236	vbc.exe	32
PID 1236 wrote to memory of 2916	1236	vbc.exe	32
PID 1236 wrote to memory of 2916	1236	vbc.exe	32
PID 2116 wrote to memory of 2036	2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	33
PID 2116 wrote to memory of 2036	2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	33
PID 2116 wrote to memory of 2036	2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	33
PID 2116 wrote to memory of 2036	2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	33
PID 2116 wrote to memory of 3012	2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	35
PID 2116 wrote to memory of 3012	2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	35
PID 2116 wrote to memory of 3012	2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	35
PID 2116 wrote to memory of 3012	2116	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	35
PID 3012 wrote to memory of 3040	3012	uCQt.exe	36
PID 3012 wrote to memory of 3040	3012	uCQt.exe	36
PID 3012 wrote to memory of 3040	3012	uCQt.exe	36
PID 3012 wrote to memory of 3040	3012	uCQt.exe	36
PID 3040 wrote to memory of 2512	3040	avgg.exe	37
PID 3040 wrote to memory of 2512	3040	avgg.exe	37
PID 3040 wrote to memory of 2512	3040	avgg.exe	37
PID 3040 wrote to memory of 2512	3040	avgg.exe	37
PID 3040 wrote to memory of 2512	3040	avgg.exe	37
PID 3040 wrote to memory of 2512	3040	avgg.exe	37
PID 3040 wrote to memory of 2512	3040	avgg.exe	37
PID 3040 wrote to memory of 2512	3040	avgg.exe	37
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38
PID 2512 wrote to memory of 1552	2512	iexplorer.exe	38

C:\Users\Admin\AppData\Local\Temp\f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ci-rd6uv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA4C7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\uCQt.exe
  "C:\Users\Admin\AppData\Local\Temp\uCQt.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\avgg.exe
    C:\Users\Admin\AppData\Local\Temp\avgg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\iexplorer.exe
      C:\Users\Admin\AppData\Local\Temp\iexplorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\iexplorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iexplorer.exe"
        5⤵
        Executes dropped EXE
        
        PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA4D8.tmp

Filesize
1KB

MD5
4eb3c29082b4c1965761ce54b8f22f13

SHA1
9e2a437824e53363278495ac5fee6d6835c78617

SHA256
32f12086ef7f732b18f1d3ba98df127d43a3e0e9097bb5c3d9b506f0b7f5f15e

SHA512
fa2c555a2ff5b321bcbe095fff26f9a3e107d43b4c969ec53225ea480a722f6fd212c6bc5fc74e7d6d30402d0bba6f1dbd4d6cfd4da5844ef880a4cadae97e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\avgg.exe

Filesize
548KB

MD5
f4811ad4fe287118e101c94bb1684ca2

SHA1
ab0e1ea9c4cee2af67765d8d091077915a1d1227

SHA256
7df8e50eedd280499aa3ac256252a3cb799b1f82dc38d4df618bb2195305fc71

SHA512
10de22573d3bc95b31c195858ff51ed08343e4b43659f6bc26a0915f769f80c2bb1971a29b25d518174029f223b4b0229ac1bfff504d46651a61ff78d46cc620

Download Submit
C:\Users\Admin\AppData\Local\Temp\ci-rd6uv.0.vb

Filesize
812B

MD5
813e702a8818dae45a86d9d049a4e135

SHA1
b1f5617a6a4c071e5c91315188ef8b8947002a08

SHA256
bc0a84184cf54c07342d7193a4dcc1b8187d09bb20fa0c03159b6a7ce94873bc

SHA512
2288e6a7040339cf7266dd166d861263b5feaa65cc22bf1c1bad9a1549f876744d093f6d1fbc9b0b0c50652194a01a99dcd90c8c3bf547b8d12d8bc814934c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ci-rd6uv.cmdline

Filesize
275B

MD5
df03e909026efb9e9d5ce706372a180f

SHA1
962637abfe0515a7aab83be315cfb488e643c233

SHA256
10b673ec1b4d1732a6684e9ca7ab1af854334a7083f2fedfcaf1188bb7763658

SHA512
6a9e187336f8afa2b5679609f32a6710c54d9e0c6061a9ade8ebc47af3269a5637459f98e8ab0aac44df1dcb1122813df20cc66eb43a68a27052f971c8de3b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uCQt.exe

Filesize
7KB

MD5
eccace505defce8441bf2c11614ac48e

SHA1
f2718d7bef2934ab871cd3ab5b4ac75436875bf8

SHA256
c79159c90a30b488dd744887804f6562cf19d907ed7578fe1a72cb2062d4e0ee

SHA512
ef0ee19a743822fd71f785b9b6041b90584b553f3c9067b3529ee36eb2db601762c7f3d59591860cf1dfaa885b39d84baee3ad0df569b44c8666e01dc6e5ad20

Download Submit
C:\Users\Admin\AppData\Local\Temp\uCQt.exe:ZONE.identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA4C7.tmp

Filesize
636B

MD5
a39071a7e12b59be5668eee31944e2d5

SHA1
e6316813cd6d6ed5e480027379b24aa986b2dd15

SHA256
47280f3899aae86fb8a58b733d12638424d880f7a2dce63eb0da3197983b01d9

SHA512
ddca2c71ecf833a76620f1f35329ee0007e62faaf4f0b6bf93c659db1b39316e6da677dd47f8eb27e4f2a07530616cac10322dc9552cb0beb01cb808689c44f4

Download Submit
\Users\Admin\AppData\Local\Temp\iexplorer.exe

Filesize
75KB

MD5
3d7d2e825c63ff501e896cf008c70d75

SHA1
24e1e56df2c1e85b224b4360235513e79f03d3fc

SHA256
037fc52b8fc6089338eb456f2b45638ed36c42a4dca7ace391d166b2329838a1

SHA512
57d06b2226221162e0b54eeea3de13af6386bd632d16f6ec0666da81e8e177157a778caf0e3df0fe6368ea0b0fd93dae92cbe3cbb8c484f9e1107ba371301f21

Download Submit
memory/1236-17-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/1236-8-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2116-0-0x0000000074F01000-0x0000000074F02000-memory.dmp

Filesize
4KB

Download
memory/2116-2-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2116-25-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2116-1-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2512-44-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2512-42-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2512-35-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2512-39-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2512-37-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2512-45-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2512-46-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2512-49-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2512-206-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3004-61-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3004-55-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3004-71-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads