cybergate | 268236538166c505bfd5b1427d264be60d6e36f3f173877169da556001005a60

General

Target

f69be5c61183b3365e02dc0d9b4be6df_JaffaCakes118.exe
Size

7.4MB
MD5

f69be5c61183b3365e02dc0d9b4be6df
SHA1

3894cc615d916d2eebf5dfebbfea1f85dbc3366c
SHA256

268236538166c505bfd5b1427d264be60d6e36f3f173877169da556001005a60
SHA512

6d994f9d0845e6be1af8e8faf848db31f8c1f22f733887464fafe0fb684bead67ae5deb64429a0bca9b08725ec432fe67c987cb5d5ee6e0673266ecac45dc960
SSDEEP

196608:NbUIveWKg01/N65tobpjJ2LqUg766cXcDquAf/I2a:GIveFL9wPW66cXwqtI2a

Score

10^/10

cybergate discovery persistence stealer trojan

Malware Config

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Executes dropped EXE 2 IoCs

pid	Process
2536	winini.exe
2916	custom.exe

Loads dropped DLL 10 IoCs

pid	Process
2528	f69be5c61183b3365e02dc0d9b4be6df_JaffaCakes118.exe
2528	f69be5c61183b3365e02dc0d9b4be6df_JaffaCakes118.exe
2536	winini.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Live = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winini.exe"	winini.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2536 set thread context of 2916	2536	winini.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2808	2916	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f69be5c61183b3365e02dc0d9b4be6df_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	custom.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2536	winini.exe
2536	winini.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	winini.exe
Token: SeDebugPrivilege	2536	winini.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2536	2528	f69be5c61183b3365e02dc0d9b4be6df_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2536	2528	f69be5c61183b3365e02dc0d9b4be6df_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2536	2528	f69be5c61183b3365e02dc0d9b4be6df_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2536	2528	f69be5c61183b3365e02dc0d9b4be6df_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2916	2536	winini.exe	31
PID 2536 wrote to memory of 2916	2536	winini.exe	31
PID 2536 wrote to memory of 2916	2536	winini.exe	31
PID 2536 wrote to memory of 2916	2536	winini.exe	31
PID 2536 wrote to memory of 2916	2536	winini.exe	31
PID 2536 wrote to memory of 2916	2536	winini.exe	31
PID 2536 wrote to memory of 2916	2536	winini.exe	31
PID 2536 wrote to memory of 2916	2536	winini.exe	31
PID 2536 wrote to memory of 2916	2536	winini.exe	31
PID 2536 wrote to memory of 2916	2536	winini.exe	31
PID 2536 wrote to memory of 2916	2536	winini.exe	31
PID 2916 wrote to memory of 2808	2916	custom.exe	32
PID 2916 wrote to memory of 2808	2916	custom.exe	32
PID 2916 wrote to memory of 2808	2916	custom.exe	32
PID 2916 wrote to memory of 2808	2916	custom.exe	32
PID 2536 wrote to memory of 2916	2536	winini.exe	31
PID 2536 wrote to memory of 2916	2536	winini.exe	31

C:\Users\Admin\AppData\Local\Temp\f69be5c61183b3365e02dc0d9b4be6df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f69be5c61183b3365e02dc0d9b4be6df_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\winini.exe
  "C:\Users\Admin\AppData\Local\Temp\winini.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\custom.exe
    C:\Users\Admin\AppData\Local\Temp\\custom.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 116
      4⤵
      Loads dropped DLL
      Program crash
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\custom.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\Users\Admin\AppData\Local\Temp\winini.exe

Filesize
4.8MB

MD5
3b0ef0fb85ec0e11976f112249fd1d54

SHA1
d3e232938071b3a08f97f170386f6df807a3206a

SHA256
56fcc165746c1629b58b086f7a9a5474a41148bf353c53bec49c23c1f81f0ce6

SHA512
4484179953ca68cf196c64e763826ed4695987f9494340dd6ffedaff33f988656209f21b2b6da8ff2e3e086c0f9ebe096f02f0db10d1d87c97b81dff42dfae77

Download Submit
memory/2528-1-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-2-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-13-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-0-0x0000000074C61000-0x0000000074C62000-memory.dmp

Filesize
4KB

Download
memory/2536-43-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2536-15-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2536-14-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-20-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/2916-32-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/2916-29-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/2916-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2916-25-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/2916-24-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/2916-23-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/2916-21-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/2916-40-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2916-22-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads