Overview

overview

10

Static

static

10

JaffaCakes...63.exe

windows7-x64

10

JaffaCakes...63.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2025 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_3e622c57507816ea7e180c46f4f28c63.exe

  • Size

    282KB

  • MD5

    3e622c57507816ea7e180c46f4f28c63

  • SHA1

    5307460ab96aa7ccda2888d58e580c903e3f0570

  • SHA256

    59f107d786a2e82f46f43dcbd0f180eec17ac7ed99e4f21f9a8bd7db15c17de8

  • SHA512

    4cf5c015b467de7aaf3278c901e5be2ab2177d9e0a391b6acda88bee660f2fda27608009198017ffa00f19de631c642aa3eca1bf9785106e8cbd4fee447b67ae

  • SSDEEP

    6144:oScrL44mp8D6WGc/YSlIipBFScrL44mp8D6WGc/YSlIipBRZS+:Zc3y78QSV6c3y78QSVnE+

Score
10/10
cybergateremotediscoverypersistencestealertrojan

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

remote

C2

78.108.51.79:81

78.108.51.79:90
Mutex

IXSTQCQ37BS0RN

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Macromedia

  • install_file

    ATKOSD.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    ladyinred

  • regkey_hkcu

    ATKOSD

  • regkey_hklm

    ATKOSD

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Cybergate family
    cybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e622c57507816ea7e180c46f4f28c63.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e622c57507816ea7e180c46f4f28c63.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:824
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 460
      2⤵
      • Program crash
      PID:3384
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 468
      2⤵
      • Program crash
      PID:1968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 824 -ip 824
    1⤵
      PID:4584
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 824 -ip 824
      1⤵
        PID:2032

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/824-2-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download