cybergate | 4bf79b852bb5a1a9287e3ed1022b3ca37c43cc27d2b30febeed95984698c9e51

Analysis

max time kernel
92s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2025, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe
Size

635KB
MD5

144630564b1b49b1bbac481d3fec8ddd
SHA1

f762129f4522ba65cb2924e4deeca50b7b28d659
SHA256

4bf79b852bb5a1a9287e3ed1022b3ca37c43cc27d2b30febeed95984698c9e51
SHA512

9874c997adbedad8d88171761446ecbc450ed6403a3862d652220896d3e10c41b920c721373a37877f7b5d8110649e3804cc6f6c29cfa9c0a13198f303046890
SSDEEP

12288:V26BsTmj5sc1RpkQsBX0d0DoSTBd47GLRMTb:VPi8scGkdUood474mf

Score

10^/10

cybergate remote discovery stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

127.0.0.1:81

Mutex

63S74MFQX54366

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFPB9TX10JG63M0NT4TP9KBNBJLVFSPF7VBCVPJGV	JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe
File created	C:\ProgramData\DYA_SGWFMDDSHRDMHBJJT\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFPB9TX10JG63M0NT4TP9KBNBJLVFSPF7VBCVPJGV	JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BFPB9TX10JG63M0NT4TP9KBNBJLVFSPF7VBCVPJGV	JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2996	JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe
2996	JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe"
1⤵
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DYA_SGWFMDDSHRDMHBJJT\1.0.0\Data\app.dat

Filesize
971B

MD5
d59a2afed856aa5e3d5534a838e116e3

SHA1
9238514f6e8b29a43c677b66c17c303c24ff110c

SHA256
068a6cc8b2b2bca52e386d19f36ed513b434e370b06c79393694232e526db3be

SHA512
ebffc0ca79630e2b264c460aeb8721c9e96773c69c1b833acde353d67881b94aad0def71a2fce46fabd299598626996f322a2d86b9d55b89bcaf448c11228ead

Download Submit
C:\ProgramData\DYA_SGWFMDDSHRDMHBJJT\1.0.0\Data\updates.dat

Filesize
971B

MD5
3c90f440167ca3747c0709cda26a32fe

SHA1
619a38ba6a615f01551272a09d1f65ffe8e3c3d3

SHA256
efc34fc515f6e05efb9c80250a445eddb2d60d243f7f916dec907c89c30214fa

SHA512
72bb773e02391b79c95fafe16fe71adf69e1ee84e9f670b74c7e0125c9b5eb526c2d5260c9623752b8c373b2def3439159e8436e302596e169b9e6e3ccbcdb18

Download Submit
C:\Users\Admin\AppData\Roaming\DYA_SGWFMDDSHRDMHBJJT\1.0.0\Data\dya.dat

Filesize
971B

MD5
29db2203ffdee83ce25ba105776d5008

SHA1
0b89dc71383875aacc4a8f0b0f6ae05e7f38b38c

SHA256
fface4b2ba8b0c850eb40a712e88cbc80e8ea57cbbb7486324ddeb59388d79d2

SHA512
65762baca3fc48541b4c92661b2cb55c1733fbf3199b1dcd3d8794ca8ee1312a60889b3517863a820064eddb8d810df030a7043d10a99d603603311a8559a486

Download Submit
memory/2996-0-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2996-1-0x0000000000416000-0x00000000004B3000-memory.dmp

Filesize
628KB

Download
memory/2996-44-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2996-43-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2996-45-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2996-47-0x0000000000416000-0x00000000004B3000-memory.dmp

Filesize
628KB

Download
memory/2996-48-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download