Overview

overview

10

Static

static

10

JaffaCakes...97.exe

windows7-x64

10

JaffaCakes...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    13/03/2025, 23:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_725aebd14ee0943dca1fba20b147eb97.exe

  • Size

    274KB

  • MD5

    725aebd14ee0943dca1fba20b147eb97

  • SHA1

    af953bd01021560dba224b4c3085fd1f93cf48cc

  • SHA256

    8c070f8784123aed713fd3967475691aaec119d68cf29992c05a9578b399f633

  • SHA512

    221325eb452319621bbe875066b9ae45687f7f46e72ebee4b59a336529d06e7a2f65d0a6ac0b9760e0b5af2ac0c4227363bbdf30ef83bd20059025bab38cea1f

  • SSDEEP

    6144:tHIOVengb+fGTSezhDyjgcqx1vWyd+FWOecWAoGH7/LG:DengAeFy0ckzOeuos

Score
10/10
cybergateremotediscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.00.1

Botnet

remote

C2

127.0.0.1:999

matrix-zloy.no-ip.biz:81

matrix-zloy.no-ip.biz:1435
Mutex

CyberGate1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    system.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    280485

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Cybergate family
    cybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 29 IoCs
  • Loads dropped DLL 30 IoCs
  • UPX packed file 54 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 31 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1388
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_725aebd14ee0943dca1fba20b147eb97.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_725aebd14ee0943dca1fba20b147eb97.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1816
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            PID:2476
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2492
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2260
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1912
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1040
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1224
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1700
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2644
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:580
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:892
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1736
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2868
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2948
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2628
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2784
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1784
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1640
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2100
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2236
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:924
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2512
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:956
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1656
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:936
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1536
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1560
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2968
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2944
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2752

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      227KB

      MD5

      5a0ab9450cc33724a78c514c25d083e2

      SHA1

      ae49e28c03cd3ce3ad5904cd9cc88d03cc3ebf36

      SHA256

      a2944661a9cec0ebc5c540776c1a4ccd9e2cecd772d397c68f394335993fcaba

      SHA512

      1ed23cbc54f45f62ac8ac90f9a5d895e6810a0f7973d03c4193792c72e81541e6d19d6035cab3bff50e03bc8b50c44012ab528a444389841385790f7aea2e7a1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      227KB

      MD5

      9fc1bbe995ebfdaf9ae8a4d47ca77258

      SHA1

      375764fa4fa29e9d1ae6adea688826b191728685

      SHA256

      18147fe726ce1c0d51904ab5bc662d95c0b3bdf43506c8a8af21d04cf8aab550

      SHA512

      db6f0fdc6c9ce863d98fc83dc0a8433656f7ff9fb6d61215a15a15922f94940162dc9ba3c185894d79ce292f22f4ad516e2c39d644f05d2dc1dc52df468f339c

      Download Submit

    • C:\Windows\install\system.exe
      Filesize

      274KB

      MD5

      725aebd14ee0943dca1fba20b147eb97

      SHA1

      af953bd01021560dba224b4c3085fd1f93cf48cc

      SHA256

      8c070f8784123aed713fd3967475691aaec119d68cf29992c05a9578b399f633

      SHA512

      221325eb452319621bbe875066b9ae45687f7f46e72ebee4b59a336529d06e7a2f65d0a6ac0b9760e0b5af2ac0c4227363bbdf30ef83bd20059025bab38cea1f

      Download Submit

    • memory/580-620-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/892-616-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/892-632-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/924-751-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/924-770-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/936-810-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/936-828-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/956-781-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/956-798-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1040-582-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1224-591-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1388-4-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1536-844-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1536-825-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1560-842-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1560-862-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1640-705-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1640-723-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1656-812-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1656-795-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1700-599-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1736-628-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1736-643-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1784-709-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1816-619-0x0000000003BC0000-0x0000000003C16000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1816-566-0x0000000003BC0000-0x0000000003C16000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1816-841-0x00000000030D0000-0x0000000003126000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1816-861-0x00000000030D0000-0x0000000003126000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1816-544-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1816-541-0x0000000003BC0000-0x0000000003C16000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1816-536-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1816-252-0x00000000000E0000-0x00000000000E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-250-0x00000000000A0000-0x00000000000A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1912-563-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1912-575-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2100-739-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2100-720-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2236-754-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2236-735-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2240-0-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2240-304-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2260-567-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2260-555-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2476-551-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2492-548-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2492-559-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2512-767-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2512-783-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2628-665-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2628-682-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2644-609-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2752-893-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2784-694-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2784-678-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2868-656-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2868-640-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2944-876-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2948-668-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2948-652-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2968-858-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2968-878-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download