Extracted

• • Target

    JaffaCakes118_1a04851007f4947ad62955d906b18050

  • Size

    512KB

  • MD5

    1a04851007f4947ad62955d906b18050

  • SHA1

    c87e741053c79aacb909810000b15f5067eb2b46

  • SHA256

    50bb155d0dd79e69fd530615d61deb1410c2cee67caf3718910b781b05a27d16

  • SHA512

    1368e9651cff7813d63c4ba876d6d57b0e0827dc5358d260854ecd9111249f3340c62430ee19174d5f08032d1d60f033e19304f9475780a93da0a0e3afb47485

  • SSDEEP

    12288:gGfkwc4ybTNaaaqvE9mJ/2aZQ/4u4RZC3fOcEFiLg:nMwVWf2aj0WcD

  Score

  10^/10

  cybergatecyberdiscoverypersistencestealertrojanupx

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate

  • Cybergate family

    cybergate

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2