cybergate | 7df8e50eedd280499aa3ac256252a3cb799b1f82dc38d4df618bb2195305fc71

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe
Size

548KB
MD5

f4811ad4fe287118e101c94bb1684ca2
SHA1

ab0e1ea9c4cee2af67765d8d091077915a1d1227
SHA256

7df8e50eedd280499aa3ac256252a3cb799b1f82dc38d4df618bb2195305fc71
SHA512

10de22573d3bc95b31c195858ff51ed08343e4b43659f6bc26a0915f769f80c2bb1971a29b25d518174029f223b4b0229ac1bfff504d46651a61ff78d46cc620
SSDEEP

12288:AFBRszVMMbJgeS4dIhSDpuwnhXWQA81BycP8HJyk9ZxNQT6:0szVSej7BnNWQP1cnHJykfxNQ

Score

10^/10

cybergate remote defense_evasion discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

chonchon.no-ip.org:22

Mutex

HLXGSDG76WQ388

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Sys
install_file
ping.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
svchost
regkey_hklm
svchost

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	COmRPDC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsc32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\COmRPDC.exe"	COmRPDC.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
1924	COmRPDC.exe
1756	avgg.exe
4004	iexplorer.exe
5028	iexplorer.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 4004	1756	avgg.exe	90

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4004-39-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4004-41-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4004-35-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4004-44-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4004-48-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4004-59-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4004-54-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\COmRPDC.exe:ZONE.identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COmRPDC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplorer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\COmRPDC.exe:ZONE.identifier	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 5012	2544	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	83
PID 2544 wrote to memory of 5012	2544	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	83
PID 2544 wrote to memory of 5012	2544	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	83
PID 5012 wrote to memory of 2576	5012	vbc.exe	85
PID 5012 wrote to memory of 2576	5012	vbc.exe	85
PID 5012 wrote to memory of 2576	5012	vbc.exe	85
PID 2544 wrote to memory of 4196	2544	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	86
PID 2544 wrote to memory of 4196	2544	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	86
PID 2544 wrote to memory of 4196	2544	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	86
PID 2544 wrote to memory of 1924	2544	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	88
PID 2544 wrote to memory of 1924	2544	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	88
PID 2544 wrote to memory of 1924	2544	f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe	88
PID 1924 wrote to memory of 1756	1924	COmRPDC.exe	89
PID 1924 wrote to memory of 1756	1924	COmRPDC.exe	89
PID 1924 wrote to memory of 1756	1924	COmRPDC.exe	89
PID 1756 wrote to memory of 4004	1756	avgg.exe	90
PID 1756 wrote to memory of 4004	1756	avgg.exe	90
PID 1756 wrote to memory of 4004	1756	avgg.exe	90
PID 1756 wrote to memory of 4004	1756	avgg.exe	90
PID 1756 wrote to memory of 4004	1756	avgg.exe	90
PID 1756 wrote to memory of 4004	1756	avgg.exe	90
PID 1756 wrote to memory of 4004	1756	avgg.exe	90
PID 1756 wrote to memory of 4004	1756	avgg.exe	90
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92
PID 4004 wrote to memory of 3112	4004	iexplorer.exe	92

C:\Users\Admin\AppData\Local\Temp\f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4811ad4fe287118e101c94bb1684ca2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\go1syt-v.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9981.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE7CA8AFA36E4F689537FB7631A6AFF0.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:4196
- C:\Users\Admin\AppData\Local\Temp\COmRPDC.exe
  "C:\Users\Admin\AppData\Local\Temp\COmRPDC.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\avgg.exe
    C:\Users\Admin\AppData\Local\Temp\avgg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\iexplorer.exe
      C:\Users\Admin\AppData\Local\Temp\iexplorer.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4004
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3112
    - - C:\Users\Admin\AppData\Local\Temp\iexplorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iexplorer.exe"
        5⤵
        Executes dropped EXE
        
        PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\COmRPDC.exe

Filesize
7KB

MD5
b8efcd8fdfb3412fa2badcad187920d4

SHA1
31b071c33e2ffd6d3a82b3cb661d2cff262db307

SHA256
f717187ed6ba09284c259cb5856e4b3eb5f34675fe9e1d7666f24a8914e5c9c4

SHA512
cc779570d4f5d5fd0741360a025d5898dee90fe321a3698f683cdc782c0c1449ad6b415d9fac9d68de27fe559602bafd65938c1122008b6a3c198e26493c2c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\COmRPDC.exe:ZONE.identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9981.tmp

Filesize
1KB

MD5
461b014f0fe76d5b3da2f1a8a2363503

SHA1
60289a16911ee5546144fb86c6e1149a1b0fbcd4

SHA256
81456d40ede06fc0420b93daf26bba5907b9a03519cb797300f3c33fd4b71fc8

SHA512
89e3dc3dda3c03ff4d1769e9294202d85e3a5fe7243ebbd24acc58cab87b2406dec03225900c3722a92a1393f7bb3bd67ee2d64ad0a0b59c7391329f1eb85286

Download Submit
C:\Users\Admin\AppData\Local\Temp\avgg.exe

Filesize
548KB

MD5
f4811ad4fe287118e101c94bb1684ca2

SHA1
ab0e1ea9c4cee2af67765d8d091077915a1d1227

SHA256
7df8e50eedd280499aa3ac256252a3cb799b1f82dc38d4df618bb2195305fc71

SHA512
10de22573d3bc95b31c195858ff51ed08343e4b43659f6bc26a0915f769f80c2bb1971a29b25d518174029f223b4b0229ac1bfff504d46651a61ff78d46cc620

Download Submit
C:\Users\Admin\AppData\Local\Temp\go1syt-v.0.vb

Filesize
812B

MD5
813e702a8818dae45a86d9d049a4e135

SHA1
b1f5617a6a4c071e5c91315188ef8b8947002a08

SHA256
bc0a84184cf54c07342d7193a4dcc1b8187d09bb20fa0c03159b6a7ce94873bc

SHA512
2288e6a7040339cf7266dd166d861263b5feaa65cc22bf1c1bad9a1549f876744d093f6d1fbc9b0b0c50652194a01a99dcd90c8c3bf547b8d12d8bc814934c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\go1syt-v.cmdline

Filesize
278B

MD5
5cf989112938cd8c23998549b3e90072

SHA1
4e729bed5022323a21206ea4ae36af89a55dbae1

SHA256
d07c189d4596f5e48909ea7570f7f6d89ac505150f3dd8aa1025b3cfda7b0bc1

SHA512
0888e84790d75a585f41057c64a4e993a1773eeb6cd69b9838a0c67c59e32a3ffb243c5cea5bdc3ec8d0ad6d8f86b552be5040e23ce6a1057c1810cb77b8bd1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplorer.exe

Filesize
75KB

MD5
3d7d2e825c63ff501e896cf008c70d75

SHA1
24e1e56df2c1e85b224b4360235513e79f03d3fc

SHA256
037fc52b8fc6089338eb456f2b45638ed36c42a4dca7ace391d166b2329838a1

SHA512
57d06b2226221162e0b54eeea3de13af6386bd632d16f6ec0666da81e8e177157a778caf0e3df0fe6368ea0b0fd93dae92cbe3cbb8c484f9e1107ba371301f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCE7CA8AFA36E4F689537FB7631A6AFF0.TMP

Filesize
644B

MD5
e0de94449b60b35015fd090e6f38fe44

SHA1
9da772592a6015ddae4058ab4f843d020cec23ce

SHA256
9d1392d41c825abbc713989909e2238b063540a2ac28baf60a44f6653329943b

SHA512
2586056ee6512afb2253f1968e42de5bb0ac5d8a039a25d3210367e07a94691cc33126a211b8f165e2e361f252fc587d83c64350e85786057e7a5f41ae131594

Download Submit
memory/1924-27-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1924-42-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1924-28-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2544-26-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2544-2-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2544-1-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2544-0-0x0000000074882000-0x0000000074883000-memory.dmp

Filesize
4KB

Download
memory/4004-35-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4004-39-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4004-41-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4004-44-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4004-48-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4004-59-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4004-54-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/5012-10-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/5012-19-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/5028-49-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5028-50-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads