cybergate | 9dae201039484054b1ff046169b7b4b5647c391b6bdb5817bcb25684fe364c09

General

Target

JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe
Size

2.7MB
MD5

5a064addca31cc7ca448cbb6e4c78a4a
SHA1

c0d38bf7c40d50643f0e98b023edf9d46a845372
SHA256

9dae201039484054b1ff046169b7b4b5647c391b6bdb5817bcb25684fe364c09
SHA512

62d2aaa1a51c0008f572ba0ca1c2c646abc6279bec26c6f8a5fbd99526403cc30a49906e9480dbc00faf48e253ad41fa6ab52a5801d2af239a7aa7fda6b83e2a
SSDEEP

24576:okK1WysBo+d8ZktrvSGBJm4gWp87NYOYLXWo2XC4JMC00ruymlE8Lx7/7BsifSB6:okK3sBBzONos00Ahtsd0Fmq/INJI

Score

10^/10

cybergate discovery persistence stealer trojan

Malware Config

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Executes dropped EXE 2 IoCs

pid	Process
2404	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe
536	tPOqY.exe.exe

Loads dropped DLL 7 IoCs

pid	Process
2764	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe
2764	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe
2404	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe
2404	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe
2404	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe
2404	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe
2404	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\YfvXWmcfWvYEBjXsiZnxggTTuDQrLqPgsheYqnKtFLHSjkGHRo = "C:\\Users\\Admin\\AppData\\Local\\JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe"	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tPOqY.exe.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1424	timeout.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2404	2764	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe	30
PID 2764 wrote to memory of 2404	2764	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe	30
PID 2764 wrote to memory of 2404	2764	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe	30
PID 2764 wrote to memory of 2404	2764	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe	30
PID 2404 wrote to memory of 536	2404	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe	31
PID 2404 wrote to memory of 536	2404	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe	31
PID 2404 wrote to memory of 536	2404	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe	31
PID 2404 wrote to memory of 536	2404	JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe	31
PID 536 wrote to memory of 592	536	tPOqY.exe.exe	32
PID 536 wrote to memory of 592	536	tPOqY.exe.exe	32
PID 536 wrote to memory of 592	536	tPOqY.exe.exe	32
PID 536 wrote to memory of 592	536	tPOqY.exe.exe	32
PID 592 wrote to memory of 1424	592	cmd.exe	34
PID 592 wrote to memory of 1424	592	cmd.exe	34
PID 592 wrote to memory of 1424	592	cmd.exe	34
PID 592 wrote to memory of 1424	592	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe
  "C:\Users\Admin\AppData\Roaming\JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tPOqY.exe.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tPOqY.exe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\TPOQYE~1.EXE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Twain.dll

Filesize
18KB

MD5
2153e2d85da316a0fe302227e0f9af88

SHA1
48b334c27d604ce7d89c9c825d211d26427176cf

SHA256
645b30a3ef5cf05ad0df575fbbdbc05387b5493ce1778935b60d98681fea7bc0

SHA512
647b0b95622c2e9086f072ccf110371b38953619b4cb6697e259165ce12e0dd1854bc6351abb8f693d052d730f8790d72929a8c822a26ac369c372478c1e4fac

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_5a064addca31cc7ca448cbb6e4c78a4a.exe

Filesize
2.7MB

MD5
5a064addca31cc7ca448cbb6e4c78a4a

SHA1
c0d38bf7c40d50643f0e98b023edf9d46a845372

SHA256
9dae201039484054b1ff046169b7b4b5647c391b6bdb5817bcb25684fe364c09

SHA512
62d2aaa1a51c0008f572ba0ca1c2c646abc6279bec26c6f8a5fbd99526403cc30a49906e9480dbc00faf48e253ad41fa6ab52a5801d2af239a7aa7fda6b83e2a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tPOqY.exe.exe

Filesize
768KB

MD5
01e708ff68dc56cfc2585f652e573c37

SHA1
be2ec4312e2bb07b9606257e0b87132943c94eb3

SHA256
aa34cf13d9291f9afc6e154f2f643e84d59031cb56491e83e883a62254d7ef9d

SHA512
efe791e2a320515d2345e50e6f8578a0a29127cef369b35d2e9b9cc42289cad2038ef53ed06f3e243a7841632c5a658d7472aff8b1717a36d48e3c69d49d1e2c

Download Submit
memory/2404-19-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2404-22-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2404-16-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2404-43-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download
memory/2764-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-2-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-15-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads