Extracted

• • Target

    JaffaCakes118_6d2fc4a7e3fb5ef5bc4c44fed7aefc86

  • Size

    843KB

  • MD5

    6d2fc4a7e3fb5ef5bc4c44fed7aefc86

  • SHA1

    cce24389461d202ed00e43ed8142ef12e21f2200

  • SHA256

    cb43bdf468a52021e32bb8a758935c74a580801146c5ba283698c158ea882cbd

  • SHA512

    74c77fc0de919357b1e70eb82b241c6452adaf296030ba2aa8b3470b538db696db5e7a11ef782b2213239b60366adc4323800e13d2f83abd81841aa27b7bed37

  • SSDEEP

    24576:g/1JPy7sbD7v2FXid+XV7W1qN0geu+MNQ:I1Jj7nd+XV7W1qN0geubNQ

  Score

  10^/10

  cybergate123discoverypersistencestealertrojanupx

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate

  • Cybergate family

    cybergate

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2