cybergate | f5475e9e9e819b69c70b8601c99afbcad0407113e27ac24c0c780c785dae7df5

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2025, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3f9ca1150dc478d62312010551709217.exe
Size

619KB
MD5

3f9ca1150dc478d62312010551709217
SHA1

0c9978196c95f553f3bd7216a23561d27eff2a29
SHA256

f5475e9e9e819b69c70b8601c99afbcad0407113e27ac24c0c780c785dae7df5
SHA512

4a6e4e2ee5f6514bb26fa18e46d6a18ff0ed22285103146b68b8411f0c7db286814328bd48e98a67384f54efb37672af2ee0c45cbfabede02287b4321880785e
SSDEEP

12288:T47scANKv1pykYKU7aa2zj+WRsQQJoyPmoew4+:2s9Kv1gkYKU72zj+AsNoETA+

Score

10^/10

cybergate c discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.2.3

Botnet

delikralll.dyndns.org:2000

127.0.0.1:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
windl32
install_file
win32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
bu programýn çalýþtýrýlmasý için MÝCROSOFT .NET Framework 4.0 sürümü gerekiyor
message_box_title
hata
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ccccc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windl32\\win32.exe"	ccccc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ccccc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windl32\\win32.exe"	ccccc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{XD5KVO61-6XUX-MSGS-3G40-DND4602P0V2D}	ccccc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{XD5KVO61-6XUX-MSGS-3G40-DND4602P0V2D}\StubPath = "C:\\Windows\\windl32\\win32.exe Restart"	ccccc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{XD5KVO61-6XUX-MSGS-3G40-DND4602P0V2D}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{XD5KVO61-6XUX-MSGS-3G40-DND4602P0V2D}\StubPath = "C:\\Windows\\windl32\\win32.exe"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
5036	Magiclogger.exe
3488	ccccc.exe
1708	ccccc.exe
4136	ccccc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windl32\\win32.exe"	ccccc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windl32\\win32.exe"	ccccc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 1708	3488	ccccc.exe	86

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1708-30-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/1708-32-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/1708-33-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/1708-36-0x0000000024010000-0x000000002404E000-memory.dmp	upx
behavioral2/memory/1708-40-0x0000000024050000-0x000000002408E000-memory.dmp	upx
behavioral2/memory/1708-85-0x0000000024050000-0x000000002408E000-memory.dmp	upx
behavioral2/memory/64-89-0x0000000024050000-0x000000002408E000-memory.dmp	upx
behavioral2/memory/1708-93-0x0000000024090000-0x00000000240CE000-memory.dmp	upx
behavioral2/memory/1708-96-0x00000000240D0000-0x000000002410E000-memory.dmp	upx
behavioral2/memory/1708-149-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\windl32\win32.exe	ccccc.exe
File opened for modification	C:\Windows\windl32\win32.exe	ccccc.exe
File opened for modification	C:\Windows\windl32\	ccccc.exe
File created	C:\Windows\windl32\win32.exe	ccccc.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3f9ca1150dc478d62312010551709217.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccccc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccccc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccccc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1708	ccccc.exe
1708	ccccc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4136	ccccc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	5104	dw20.exe
Token: SeBackupPrivilege	5104	dw20.exe
Token: SeDebugPrivilege	4136	ccccc.exe
Token: SeDebugPrivilege	4136	ccccc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1708	ccccc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3488	ccccc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 5036	4524	JaffaCakes118_3f9ca1150dc478d62312010551709217.exe	82
PID 4524 wrote to memory of 5036	4524	JaffaCakes118_3f9ca1150dc478d62312010551709217.exe	82
PID 5036 wrote to memory of 5104	5036	Magiclogger.exe	83
PID 5036 wrote to memory of 5104	5036	Magiclogger.exe	83
PID 4524 wrote to memory of 3488	4524	JaffaCakes118_3f9ca1150dc478d62312010551709217.exe	85
PID 4524 wrote to memory of 3488	4524	JaffaCakes118_3f9ca1150dc478d62312010551709217.exe	85
PID 4524 wrote to memory of 3488	4524	JaffaCakes118_3f9ca1150dc478d62312010551709217.exe	85
PID 3488 wrote to memory of 1708	3488	ccccc.exe	86
PID 3488 wrote to memory of 1708	3488	ccccc.exe	86
PID 3488 wrote to memory of 1708	3488	ccccc.exe	86
PID 3488 wrote to memory of 1708	3488	ccccc.exe	86
PID 3488 wrote to memory of 1708	3488	ccccc.exe	86
PID 3488 wrote to memory of 1708	3488	ccccc.exe	86
PID 3488 wrote to memory of 1708	3488	ccccc.exe	86
PID 3488 wrote to memory of 1708	3488	ccccc.exe	86
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56
PID 1708 wrote to memory of 3380	1708	ccccc.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3380
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f9ca1150dc478d62312010551709217.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f9ca1150dc478d62312010551709217.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\Magiclogger.exe
    "C:\Users\Admin\AppData\Local\Temp\Magiclogger.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 784
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:5104
- - C:\Users\Admin\AppData\Local\Temp\ccccc.exe
    "C:\Users\Admin\AppData\Local\Temp\ccccc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\ccccc.exe
      "C:\Users\Admin\AppData\Local\Temp\ccccc.exe"
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:64
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:208
    - - C:\Users\Admin\AppData\Local\Temp\ccccc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ccccc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Magiclogger.exe

Filesize
424KB

MD5
7057407f4d51d8eb6320a507338c65a5

SHA1
51573fcb3005e1ed04e745e08f724c1da5e5db9d

SHA256
eae0bbe09667f3285668083557c2f608ae199fe4db8631b61abf280f382d26d7

SHA512
c6fd2544e56e1d33b99c92a7bcfd5697fc3f8f8fe83c7d2656de08e6e88b2c10e0ef61a6758f166e67706504fe5ea20c4f4ebdfc6747eee062f71b1bbdb57dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuU.uUu

Filesize
8B

MD5
42fc4cf85aff7e3b447a39053a952bb2

SHA1
77204ba74bfe490cfb06b3ca30dc3a5f8f6abb53

SHA256
61700e5d0e5b2e21ebc45aa154a20b6c0d885d1c88b5a3c2b5c90414e7f33757

SHA512
7acac0635fdae249c54c777d207198e816a7ad54a0aa3b6d37fc1e218f47cc648118b4c1a760b4a4e14d7d524361bc229f096f89008b3b3139307a2595598948

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
141KB

MD5
99324b4718a634c97c92d6009f601c97

SHA1
374bb94e553f42ee814761173d68fe2d4c3373c2

SHA256
68be3f9f00a165ed4142af3cf7afa4307d8b1319d8ef4defda0ba14d4cbc5642

SHA512
42a43d03fd1ce2b4ad3c5b549cb4e3a23fb442cc8ec9b4212e96a95c1c783f5653d5f43cab09a7956fd41fd3181436da92683860271f114be37d109bae7a1316

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccccc.exe

Filesize
232KB

MD5
c3ae8a49226199c23b552285d3ddb9a4

SHA1
fb35e3abd99e4321e46b37ec46e8c4954d7f45d6

SHA256
9ebf322bab6dd439116385b9d6055f402dcad4289f6bdcfa3db75b725c2296b8

SHA512
7682631bb5c037cc7b466b560b6be3813e4fdbb3433a436bfcf0e197601b91984ed78b87231cd7372e5d9d296cbc2b97192ccd7ebe00917db2c8d96cb9abab69

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
86f3c87caff4d7973404ff22c664505b

SHA1
245bc19c345bc8e73645cd35f5af640bc489da19

SHA256
e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

SHA512
0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

Download Submit
memory/64-89-0x0000000024050000-0x000000002408E000-memory.dmp

Filesize
248KB

Download
memory/64-88-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/64-41-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/64-42-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1708-36-0x0000000024010000-0x000000002404E000-memory.dmp

Filesize
248KB

Download
memory/1708-93-0x0000000024090000-0x00000000240CE000-memory.dmp

Filesize
248KB

Download
memory/1708-33-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1708-30-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1708-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1708-149-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1708-40-0x0000000024050000-0x000000002408E000-memory.dmp

Filesize
248KB

Download
memory/1708-85-0x0000000024050000-0x000000002408E000-memory.dmp

Filesize
248KB

Download
memory/1708-96-0x00000000240D0000-0x000000002410E000-memory.dmp

Filesize
248KB

Download
memory/5036-19-0x00007FFEC1B80000-0x00007FFEC2521000-memory.dmp

Filesize
9.6MB

Download
memory/5036-9-0x00007FFEC1B80000-0x00007FFEC2521000-memory.dmp

Filesize
9.6MB

Download
memory/5036-10-0x000000001BE30000-0x000000001BECC000-memory.dmp

Filesize
624KB

Download
memory/5036-11-0x00007FFEC1B80000-0x00007FFEC2521000-memory.dmp

Filesize
9.6MB

Download
memory/5036-12-0x00000000019A0000-0x00000000019A8000-memory.dmp

Filesize
32KB

Download
memory/5036-8-0x000000001C3F0000-0x000000001C8BE000-memory.dmp

Filesize
4.8MB

Download
memory/5036-7-0x00007FFEC1E35000-0x00007FFEC1E36000-memory.dmp

Filesize
4KB

Download