Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...94.exe

windows7-x64

10

JaffaCakes...94.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_766fcf84557e58631c31cbeed119e594

  • Size

    1.8MB

  • Sample

    250315-plx8taxkz3

  • MD5

    766fcf84557e58631c31cbeed119e594

  • SHA1

    2e1a884b2daeec84eaae5836bdb62cddb2842b45

  • SHA256

    68c964d716cc2a167e0db871cfdbcb692d51dfff26a0378e35404d7575984cf8

  • SHA512

    d94038ca344bfd282da61e659a25ed283af6dfb6990b3b9f3692da2f0b593f07ed47cf70fcaff64f0d957067d64b470d7563dd57ae7f095251fab703883a2d47

  • SSDEEP

    49152:6W+Beitl1P6+/oLR7I9muUuO4x3uRiTTTw/OqRmc1zQOtH:65BVtHWRiwiTTvatyO

Score
10/10
cybergateremotediscoverypersistenceprivilege_escalationstealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

C2

pinkpanther54.no-ip.org:81

Mutex

G25T0M4X7BTVS4

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    zis589xyz28wwi

  • regkey_hkcu

    HKCU

Targets

    • Target

      JaffaCakes118_766fcf84557e58631c31cbeed119e594

    • Size

      1.8MB

    • MD5

      766fcf84557e58631c31cbeed119e594

    • SHA1

      2e1a884b2daeec84eaae5836bdb62cddb2842b45

    • SHA256

      68c964d716cc2a167e0db871cfdbcb692d51dfff26a0378e35404d7575984cf8

    • SHA512

      d94038ca344bfd282da61e659a25ed283af6dfb6990b3b9f3692da2f0b593f07ed47cf70fcaff64f0d957067d64b470d7563dd57ae7f095251fab703883a2d47

    • SSDEEP

      49152:6W+Beitl1P6+/oLR7I9muUuO4x3uRiTTTw/OqRmc1zQOtH:65BVtHWRiwiTTvatyO

    Score
    10/10
    cybergateremotediscoverypersistenceprivilege_escalationstealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Cybergate family

      cybergate

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks