cybergate | fd7f0b0d294e81918706df5147cd3d4477fde5942c6c5eed51f0d59a7763445a | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

JaffaCakes...06.exe

windows7-x64

JaffaCakes...06.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_635490b87d3ff1f83389fcffa975ea06
Size

289KB
Sample

250311-fln6gas1at
MD5

635490b87d3ff1f83389fcffa975ea06
SHA1

03c281ac15383f953f2c6d1fa822a464709eb5d9
SHA256

fd7f0b0d294e81918706df5147cd3d4477fde5942c6c5eed51f0d59a7763445a
SHA512

8ed3dbf3c9bac93db99ce9499760cfa0a5b81715126d9f193d12729457152b4a8dacd5950205b50e467b2410fd954e6bff5f8aba92e6de45f2ca0c3424223433
SSDEEP

6144:+OpslFlq8hdBCkWYxuukP1pjSKSNVkq/MVJbY:+wslNTBd47GLRMTbY

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Static task

static1

remote cybergate

2 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_635490b87d3ff1f83389fcffa975ea06.exe

Resource

win7-20240903-en

cybergate remote discovery persistence stealer trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_635490b87d3ff1f83389fcffa975ea06.exe

Resource

win10v2004-20250217-en

cybergate remote discovery persistence stealer trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

127.0.0.1:122

Mutex

7F8240DXBA7S30

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123

Targets

- Target
  
  JaffaCakes118_635490b87d3ff1f83389fcffa975ea06
- Size
  
  289KB
- MD5
  
  635490b87d3ff1f83389fcffa975ea06
- SHA1
  
  03c281ac15383f953f2c6d1fa822a464709eb5d9
- SHA256
  
  fd7f0b0d294e81918706df5147cd3d4477fde5942c6c5eed51f0d59a7763445a
- SHA512
  
  8ed3dbf3c9bac93db99ce9499760cfa0a5b81715126d9f193d12729457152b4a8dacd5950205b50e467b2410fd954e6bff5f8aba92e6de45f2ca0c3424223433
- SSDEEP
  
  6144:+OpslFlq8hdBCkWYxuukP1pjSKSNVkq/MVJbY:+wslNTBd47GLRMTbY
Score

10^/10

cybergate remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

remotecybergate

behavioral1

cybergateremotediscoverypersistencestealertrojanupx

behavioral2

cybergateremotediscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy