Overview

overview

10

Static

static

10

JaffaCakes...97.exe

windows7-x64

10

JaffaCakes...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/03/2025, 23:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_725aebd14ee0943dca1fba20b147eb97.exe

  • Size

    274KB

  • MD5

    725aebd14ee0943dca1fba20b147eb97

  • SHA1

    af953bd01021560dba224b4c3085fd1f93cf48cc

  • SHA256

    8c070f8784123aed713fd3967475691aaec119d68cf29992c05a9578b399f633

  • SHA512

    221325eb452319621bbe875066b9ae45687f7f46e72ebee4b59a336529d06e7a2f65d0a6ac0b9760e0b5af2ac0c4227363bbdf30ef83bd20059025bab38cea1f

  • SSDEEP

    6144:tHIOVengb+fGTSezhDyjgcqx1vWyd+FWOecWAoGH7/LG:DengAeFy0ckzOeuos

Score
10/10
cybergateremotediscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.00.1

Botnet

remote

C2

127.0.0.1:999

matrix-zloy.no-ip.biz:81

matrix-zloy.no-ip.biz:1435
Mutex

CyberGate1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    system.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    280485

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Cybergate family
    cybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 29 IoCs
  • UPX packed file 48 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 31 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3400
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_725aebd14ee0943dca1fba20b147eb97.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_725aebd14ee0943dca1fba20b147eb97.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3432
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          PID:1796
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:4292
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2792
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3652
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3232
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2196
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2616
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2860
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:724
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1936
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:4460
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:5032
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3424
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1260
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3084
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1760
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3688
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3212
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3868
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2704
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:924
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2424
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1112
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1236
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3172
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2464
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1304
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3280
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:464
          • C:\Windows\install\system.exe
            "C:\Windows\install\system.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:4304

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      227KB

      MD5

      5a0ab9450cc33724a78c514c25d083e2

      SHA1

      ae49e28c03cd3ce3ad5904cd9cc88d03cc3ebf36

      SHA256

      a2944661a9cec0ebc5c540776c1a4ccd9e2cecd772d397c68f394335993fcaba

      SHA512

      1ed23cbc54f45f62ac8ac90f9a5d895e6810a0f7973d03c4193792c72e81541e6d19d6035cab3bff50e03bc8b50c44012ab528a444389841385790f7aea2e7a1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      227KB

      MD5

      9fc1bbe995ebfdaf9ae8a4d47ca77258

      SHA1

      375764fa4fa29e9d1ae6adea688826b191728685

      SHA256

      18147fe726ce1c0d51904ab5bc662d95c0b3bdf43506c8a8af21d04cf8aab550

      SHA512

      db6f0fdc6c9ce863d98fc83dc0a8433656f7ff9fb6d61215a15a15922f94940162dc9ba3c185894d79ce292f22f4ad516e2c39d644f05d2dc1dc52df468f339c

      Download Submit

    • C:\Windows\install\system.exe
      Filesize

      274KB

      MD5

      725aebd14ee0943dca1fba20b147eb97

      SHA1

      af953bd01021560dba224b4c3085fd1f93cf48cc

      SHA256

      8c070f8784123aed713fd3967475691aaec119d68cf29992c05a9578b399f633

      SHA512

      221325eb452319621bbe875066b9ae45687f7f46e72ebee4b59a336529d06e7a2f65d0a6ac0b9760e0b5af2ac0c4227363bbdf30ef83bd20059025bab38cea1f

      Download Submit

    • memory/464-387-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/724-128-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/924-282-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1112-302-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1112-283-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1236-331-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1260-179-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1260-165-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1304-350-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1304-386-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1760-202-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1796-76-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1796-9-0x0000000001370000-0x0000000001371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1796-70-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1796-8-0x0000000000E70000-0x0000000000E71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1936-142-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2196-104-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2424-297-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2424-267-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2464-367-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2464-332-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2616-112-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2704-266-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2704-238-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2792-88-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2860-119-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3084-191-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3172-349-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3172-315-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3212-227-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3232-98-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3280-405-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3280-368-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3424-154-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3424-176-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3432-0-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3432-7-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3432-3-0x0000000024010000-0x0000000024070000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3432-65-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3432-24-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3432-4-0x0000000024010000-0x0000000024070000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3652-91-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3688-215-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3868-252-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4292-80-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4304-406-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4460-153-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/5032-143-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/5032-164-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download