cybergate | 13cd74ad708fd6de4c020f5917493206efa2e8f3908a558d0c6792078930f865 | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...ce.exe

windows7-x64

3

JaffaCakes...ce.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_1196827547a13d6ed0516f9596e2d0ce
Size

394KB
Sample

250221-k2a11azny2
MD5

1196827547a13d6ed0516f9596e2d0ce
SHA1

c2cea3e3a5093e8b2c38d936d57d78549cf746b7
SHA256

13cd74ad708fd6de4c020f5917493206efa2e8f3908a558d0c6792078930f865
SHA512

c1f0f2ce5f3e6433d555824c2cc27e15dd0f746fe304161095dabb2b442f3a82747623c8f50e06df4d12d4559ea11c57033a700b855aa672c903ef65ed894bcf
SSDEEP

12288:7fx/0O11fcKxHwQ/55PIY9g5ohylRzKzJelRF:7WObE2HwQn93hylQJefF

Score

10^/10

cybergate users discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_1196827547a13d6ed0516f9596e2d0ce.exe

Resource

win7-20240903-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_1196827547a13d6ed0516f9596e2d0ce.exe

Resource

win10v2004-20250217-en

cybergate users discovery persistence stealer trojan upx

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

Users

C2

efccvoopeer.sytes.net:4140

Mutex

26SJ8Y4856L5D1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
csrss.exe
install_dir
install
install_file
Lss.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_1196827547a13d6ed0516f9596e2d0ce
- Size
  
  394KB
- MD5
  
  1196827547a13d6ed0516f9596e2d0ce
- SHA1
  
  c2cea3e3a5093e8b2c38d936d57d78549cf746b7
- SHA256
  
  13cd74ad708fd6de4c020f5917493206efa2e8f3908a558d0c6792078930f865
- SHA512
  
  c1f0f2ce5f3e6433d555824c2cc27e15dd0f746fe304161095dabb2b442f3a82747623c8f50e06df4d12d4559ea11c57033a700b855aa672c903ef65ed894bcf
- SSDEEP
  
  12288:7fx/0O11fcKxHwQ/55PIY9g5ohylRzKzJelRF:7WObE2HwQn93hylQJefF
Score

10^/10

discovery cybergate users persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

cybergateusersdiscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy