Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/03/2025, 07:19

General

  • Target

    JaffaCakes118_6f7805f24b63fbec84b83dfc3b1190c8.exe

  • Size

    289KB

  • MD5

    6f7805f24b63fbec84b83dfc3b1190c8

  • SHA1

    49d35e7ab1c5eb0ed714c0b0421054dce333ab2c

  • SHA256

    2acb8795c2da3c0b117cc30bf9d12156464371abad53bb486f858c1dc74d7975

  • SHA512

    fbd8e1c95c42bdf9da126fa4489c085006540f915d66ca57189649a658c69cf6b9b233e93aa1cb6374949ff81e3d19f80162064f5fa0638abb14638baaa7b099

  • SSDEEP

    6144:D/G0N63UDkF+88uszQAzrUnYkxe81AN9PShCpD6vvBnB1Hxbt:Dx6Kusyn3oeAN5CvBTHH

Malware Config

Extracted

Family

cybergate

Version

v1.00.1

Botnet

remote

C2

127.0.0.1:999

Mutex

CyberGate1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f7805f24b63fbec84b83dfc3b1190c8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f7805f24b63fbec84b83dfc3b1190c8.exe"
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Suspicious behavior: EnumeratesProcesses
    PID:1628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1628-2-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB