cybergate | d41142a588e186de14e8224b69e39fd46d58fdf1c231da5ea5ec287e890e9784 | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...d5.exe

windows7-x64

JaffaCakes...d5.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_1d1fe3e401ea5d2db967fc167a87bdd5
Size

308KB
Sample

250124-cxkqmsvnc1
MD5

1d1fe3e401ea5d2db967fc167a87bdd5
SHA1

5ce321f9833234a6d2586e4dcadac16b7d110413
SHA256

d41142a588e186de14e8224b69e39fd46d58fdf1c231da5ea5ec287e890e9784
SHA512

c8855bfe672dc839b03f7277090424841d151f243a9fe00250e2c4666ace177f7fe4c485966e83bc51362b6b9cd18682aaafbfd8dc19541a2cd0793d65301957
SSDEEP

6144:dLa94GN7fiIEAeLHJx0iIL/7pe+4e2GnxUO8/xKXWCbYjCwj0W/ZVf7+Cy1J6BfO:dW94GN7fiIEAeLHJx0iILTpJ6ljxKXWQ

Score

10^/10

cybergate inft2 bootkit discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_1d1fe3e401ea5d2db967fc167a87bdd5.exe

Resource

win7-20240708-en

cybergate inft2 bootkit discovery persistence stealer trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_1d1fe3e401ea5d2db967fc167a87bdd5.exe

Resource

win10v2004-20241007-en

cybergate inft2 bootkit discovery persistence stealer trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

INFT2

C2

jax13.myvnc.com:53646

127.0.0.1:53646

Mutex

H85Q6TYQ502NDL

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
This.exe
install_file
winserv.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
READON
regkey_hkcu
Host Process For Windows

Targets

- Target
  
  JaffaCakes118_1d1fe3e401ea5d2db967fc167a87bdd5
- Size
  
  308KB
- MD5
  
  1d1fe3e401ea5d2db967fc167a87bdd5
- SHA1
  
  5ce321f9833234a6d2586e4dcadac16b7d110413
- SHA256
  
  d41142a588e186de14e8224b69e39fd46d58fdf1c231da5ea5ec287e890e9784
- SHA512
  
  c8855bfe672dc839b03f7277090424841d151f243a9fe00250e2c4666ace177f7fe4c485966e83bc51362b6b9cd18682aaafbfd8dc19541a2cd0793d65301957
- SSDEEP
  
  6144:dLa94GN7fiIEAeLHJx0iIL/7pe+4e2GnxUO8/xKXWCbYjCwj0W/ZVf7+Cy1J6BfO:dW94GN7fiIEAeLHJx0iILTpJ6ljxKXWQ
Score

10^/10

cybergate inft2 bootkit discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateinft2bootkitdiscoverypersistencestealertrojanupx

behavioral2

cybergateinft2bootkitdiscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy