Analysis

max time kernel: 92s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/01/2025, 05:55

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe
Resource: win7-20240708-en
General

Target: JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe
Size: 635KB
MD5: 144630564b1b49b1bbac481d3fec8ddd
SHA1: f762129f4522ba65cb2924e4deeca50b7b28d659
SHA256: 4bf79b852bb5a1a9287e3ed1022b3ca37c43cc27d2b30febeed95984698c9e51
SHA512: 9874c997adbedad8d88171761446ecbc450ed6403a3862d652220896d3e10c41b920c721373a37877f7b5d8110649e3804cc6f6c29cfa9c0a13198f303046890
SSDEEP: 12288:V26BsTmj5sc1RpkQsBX0d0DoSTBd47GLRMTb:VPi8scGkdUood474mf
Malware Config

Extracted: cybergate v1.07.5
remote: 127.0.0.1:81
63S74MFQX54366

enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123
Signatures

Cybergate family

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe

NTFS ADS (3 IoCs)
description | ioc | Process
File created | C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFPB9TX10JG63M0NT4TP9KBNBJLVFSPF7VBCVPJGV | JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe
File created | C:\ProgramData\DYA_SGWFMDDSHRDMHBJJT\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFPB9TX10JG63M0NT4TP9KBNBJLVFSPF7VBCVPJGV | JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe
File created | C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BFPB9TX10JG63M0NT4TP9KBNBJLVFSPF7VBCVPJGV | JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2996 | JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe
2996 | JaffaCakes118_144630564b1b49b1bbac481d3fec8ddd.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 971B
MD5: d59a2afed856aa5e3d5534a838e116e3
SHA1: 9238514f6e8b29a43c677b66c17c303c24ff110c
SHA256: 068a6cc8b2b2bca52e386d19f36ed513b434e370b06c79393694232e526db3be
SHA512: ebffc0ca79630e2b264c460aeb8721c9e96773c69c1b833acde353d67881b94aad0def71a2fce46fabd299598626996f322a2d86b9d55b89bcaf448c11228ead

Filesize: 971B
MD5: 3c90f440167ca3747c0709cda26a32fe
SHA1: 619a38ba6a615f01551272a09d1f65ffe8e3c3d3
SHA256: efc34fc515f6e05efb9c80250a445eddb2d60d243f7f916dec907c89c30214fa
SHA512: 72bb773e02391b79c95fafe16fe71adf69e1ee84e9f670b74c7e0125c9b5eb526c2d5260c9623752b8c373b2def3439159e8436e302596e169b9e6e3ccbcdb18

Filesize: 971B
MD5: 29db2203ffdee83ce25ba105776d5008
SHA1: 0b89dc71383875aacc4a8f0b0f6ae05e7f38b38c
SHA256: fface4b2ba8b0c850eb40a712e88cbc80e8ea57cbbb7486324ddeb59388d79d2
SHA512: 65762baca3fc48541b4c92661b2cb55c1733fbf3199b1dcd3d8794ca8ee1312a60889b3517863a820064eddb8d810df030a7043d10a99d603603311a8559a486