Extracted

• • Target

    JaffaCakes118_ebc99825b3ab7e53dfae0c89907656a2

  • Size

    456KB

  • MD5

    ebc99825b3ab7e53dfae0c89907656a2

  • SHA1

    4e5f182a2c555f37d66c464442542da7044109e8

  • SHA256

    4f3874308034dd2cd43c0b98ed3e8d7a3ee6c4ff67fd2d699a04bc043a8d574c

  • SHA512

    ccff4305231da12e001e4e0bf324d1507c1168e50dae425773e602ce752cfa9e54aef8c868070cdfbc8c833937687abb4ac08582a3ef9a7851b1f23a6c8a626b

  • SSDEEP

    12288:zA51X5jqTD06/++DDIWjxTIgv8yLrLbFpt/iseb:zsiQ6/++ll5l/iseb

  Score

  10^/10

  cybergatevítimabootkitdefense_evasiondiscoverypersistencestealertrojanupx

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate

  • Cybergate family

    cybergate

  • Modifies firewall policy service

    defense_evasion

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Network Share Discovery

    Attempt to gather information on host network.

    discovery

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2