Extracted

• • Target

    f88e9f57df0bab20a2a62e5248cc2a89_JaffaCakes118

  • Size

    781KB

  • MD5

    f88e9f57df0bab20a2a62e5248cc2a89

  • SHA1

    2f6ef0ec52af6a13a8773e6d024edf6c03da874e

  • SHA256

    b358e7e67c0af79aa5cf92d8643f10afad41eed47e19d8a547b1fa5a6be4c278

  • SHA512

    49398fd36ad36f44925b25757a5598d827b07eb694c39e20aed1552e0e104f33ef91636d480e545ded0cee6bcf52b680c809a5252c60f5f1cbc919a03092dce6

  • SSDEEP

    24576:yDUimI4VelUv3rZeoagbGcuYT/NDYRFhfdP7nJ2:yDUimyG3rZXGc/VYR9P7J2

  Score

  10^/10

  cybergatecryptosuite_victimdiscoveryevasionpersistencestealertrojanupx

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate

  • Cybergate family

    cybergate

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2