cybergate | 2798e0f44a3bfa2cd01d18470d9e8c0b8d18fbf7feb705aa2681f766383f33ec | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...85.exe

windows7-x64

JaffaCakes...85.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_69cd3b7279972b8b37c5528b08ea7685
Size

358KB
Sample

250103-denj9azkan
MD5

69cd3b7279972b8b37c5528b08ea7685
SHA1

d44b99b53fa5b1b078cbc4024894263129333a1f
SHA256

2798e0f44a3bfa2cd01d18470d9e8c0b8d18fbf7feb705aa2681f766383f33ec
SHA512

029e4cb1cdcc07b4cdc17e6e6041dd6d4f2e1bf0c8992288ae21f011dbf39d55332497528a49dac022e531d3d8b78ae21ac6ce9e43d5eebbe16cb6deffdccd83
SSDEEP

6144:339oDFlMIlwCcgHFqQUNjtiMbtJMf7MkNKDwIu4svS6pDGHPsZkh/:339GFiI6FQAx1JM4c0SvS6ZG6G/

Score

10^/10

cybergate lammer discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_69cd3b7279972b8b37c5528b08ea7685.exe

Resource

win7-20241010-en

cybergate lammer discovery persistence stealer trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_69cd3b7279972b8b37c5528b08ea7685.exe

Resource

win10v2004-20241007-en

cybergate lammer discovery persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

LaMMeR

C2

127.0.0.1:81

mcenes78.no-ip.info:100

Mutex

L7M44KR48PG6

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_file
jushed.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
EDIT YLN TEST
message_box_title
CryptoSuite.Org
password
1111
regkey_hkcu
jushed
regkey_hklm
jushed

Targets

- Target
  
  JaffaCakes118_69cd3b7279972b8b37c5528b08ea7685
- Size
  
  358KB
- MD5
  
  69cd3b7279972b8b37c5528b08ea7685
- SHA1
  
  d44b99b53fa5b1b078cbc4024894263129333a1f
- SHA256
  
  2798e0f44a3bfa2cd01d18470d9e8c0b8d18fbf7feb705aa2681f766383f33ec
- SHA512
  
  029e4cb1cdcc07b4cdc17e6e6041dd6d4f2e1bf0c8992288ae21f011dbf39d55332497528a49dac022e531d3d8b78ae21ac6ce9e43d5eebbe16cb6deffdccd83
- SSDEEP
  
  6144:339oDFlMIlwCcgHFqQUNjtiMbtJMf7MkNKDwIu4svS6pDGHPsZkh/:339GFiI6FQAx1JM4c0SvS6ZG6G/
Score

10^/10

cybergate lammer discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatelammerdiscoverypersistencestealertrojanupx

behavioral2

cybergatelammerdiscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy