Extracted

• • Target

    JaffaCakes118_6f0e77b111762fc0f9174cec2aa4f510

  • Size

    629KB

  • MD5

    6f0e77b111762fc0f9174cec2aa4f510

  • SHA1

    75289563430e7dbceeb00749117c7ab18eeb143f

  • SHA256

    3dc51d60168af931daffcdb4a6df57cf7ac35096aa990954260141dea8337336

  • SHA512

    d3623135f43319dee1b4b7f785bbacf53889510f3b84b269ff677803ab842e5812aaa511b86f98d4bb072fdaf2be24407c8578ae6631962bef7579dccb840ae0

  • SSDEEP

    12288:Q1dlZo5yGf/I8GhLg51Kw2IGfetUYyC/v6N4wk0/oCjKZZaa:Q1dlZo5bA8GOTKfsxv6E0/oaKZd

  Score

  10^/10

  cybergatenubediscoverypersistencestealertrojanupx

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate

  • Cybergate family

    cybergate

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2