Extracted

• • Target

    JaffaCakes118_0277bb71a2ce2979a9a9934a21b13305

  • Size

    969KB

  • MD5

    0277bb71a2ce2979a9a9934a21b13305

  • SHA1

    8d7b9ecf80ef5e1ac653a21422c7dd5e21665e09

  • SHA256

    dadb5ff95fcaaf2346e5d85f93c89beb5a7d8d4d594933eec72a386f974ed3c1

  • SHA512

    ff36c4054953fcb5540ba4c66226eafe8b18f58b27affd68c5b8cc81d78203581b9ce1fd75a1cafebfa6161ea06a7fa814a3309b1ed2a64185c410da3dc3f3d3

  • SSDEEP

    24576:EceoYCZGYCyXmBkvt3FDhbyT4NvfucVof+M:EBobmykkvpyMMci

  Score

  10^/10

  cybergateremotediscoverypersistencestealertrojanupx

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate

  • Cybergate family

    cybergate

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2