Overview

overview

10

Static

static

10

JaffaCakes...ab.exe

windows7-x64

10

JaffaCakes...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16/03/2025, 06:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_7932d30640ca45be7c0a8b191b5fffab.exe

  • Size

    334KB

  • MD5

    7932d30640ca45be7c0a8b191b5fffab

  • SHA1

    886bdcecda5dee44b03968cd851cd1721d9f3dbe

  • SHA256

    3d5cfcd88d97cfa67be004185c5f391578b66ff5cc90e0ca636c939503493225

  • SHA512

    1498b8375c9bc938d034fd8d4be64d5b4321f2a1030798ad75f684e68d973713687481ed31def8bae6b42f6f3e97b1e07abb5e8f1fb7a929f330002eda028d9a

  • SSDEEP

    6144:T/G0N63UDkI8uszQAzrUnYkxezUT9inFj9PShCpDiTxu3g9yLzwwIH7UlC:Tx69usyn3okGFj59gK8JY0

Score
10/10
cybergatecyberdiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.01.0

Botnet

Cyber

C2

bakainu.no-ip.info:82

Mutex

Updater

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Cybergate family
    cybergate
  • Adds policy Run key to start application 2 TTPs 64 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 62 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 29 IoCs
  • Loads dropped DLL 58 IoCs
  • Adds Run key to start application 2 TTPs 62 IoCs
    persistence
  • Drops file in System32 directory 60 IoCs
  • UPX packed file 43 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7932d30640ca45be7c0a8b191b5fffab.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7932d30640ca45be7c0a8b191b5fffab.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2276
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            PID:2588
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            PID:2204
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2060
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2144
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:704
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:1708
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:1112
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:1128
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:1628
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:716
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:916
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:1516
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:3012
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2708
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:1224
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2640
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2180
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:528
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:720
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:1736
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2164
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2504
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2856
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:1380
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2792
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:692
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:3016
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2184
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:1964

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      227KB

      MD5

      a50de978a929673f4414eacb03f3a948

      SHA1

      d967de8484421443efdf29eb20932027ebaab82f

      SHA256

      78ef33ab60a20dad082bd7c7d1b256f2c453fe21a6d4e2f125e8ad5c3480f632

      SHA512

      00d1cfaae7ae51f3709b5b63d1f9afe16b32e4131aecafc78757d0c983a4ccbc21f4187874707dd54e612eb1f1a3f3b1d7ee63c379a854afb51ebda5391f2b8b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      227KB

      MD5

      fd834a96c72abdbe797ef21786bf510c

      SHA1

      acbd81fa9f7c70e4b78ad4ee4febb9d836008916

      SHA256

      0501dba434a6c004c878cf44b147f7f53255cb270a5b8f47596f2c54aea44ca3

      SHA512

      4e42a7244654a5f26cab79a8d4f95c3102e853f381df2fe1b6a0d12f604371dec66363058c63276bced4057781b447f3ad333c8767c627f49d231b42a93c0fbf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      227KB

      MD5

      fc82f52592f75cee046c947e87efab23

      SHA1

      aab9bf5f351d97a81cde1190be4ecb0813750bf9

      SHA256

      ab696e015fcbcc329e0bc7d2d977fe5d83d0b1cf22a64e3902f29860e2453690

      SHA512

      25139ddb1655137b26fa5a70b8ca3610ca437d62ee8d78a91daa336d9f8c5b9eb9c9a5da985cc11ba9a28397171183074f160865863d59e7f0427e7a9b88c42d

      Download Submit

    • C:\Windows\SysWOW64\install\server.exe
      Filesize

      334KB

      MD5

      7932d30640ca45be7c0a8b191b5fffab

      SHA1

      886bdcecda5dee44b03968cd851cd1721d9f3dbe

      SHA256

      3d5cfcd88d97cfa67be004185c5f391578b66ff5cc90e0ca636c939503493225

      SHA512

      1498b8375c9bc938d034fd8d4be64d5b4321f2a1030798ad75f684e68d973713687481ed31def8bae6b42f6f3e97b1e07abb5e8f1fb7a929f330002eda028d9a

      Download Submit

    • memory/528-655-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/528-648-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/692-687-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/692-680-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/704-579-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/716-616-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/720-659-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/720-652-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/916-623-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/1112-593-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/1128-600-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/1204-4-0x0000000002990000-0x0000000002991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1224-643-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/1380-672-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/1380-679-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/1516-630-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/1628-608-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/1708-586-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/1736-656-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/1736-662-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2060-554-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2060-565-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2144-572-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2164-667-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2180-651-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2204-546-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2204-558-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2276-249-0x0000000000120000-0x0000000000121000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2276-533-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2276-647-0x0000000003990000-0x00000000039E5000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2276-603-0x0000000003990000-0x00000000039E5000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2276-247-0x00000000000E0000-0x00000000000E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2276-663-0x0000000003990000-0x00000000039E5000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2276-542-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2276-538-0x0000000003990000-0x00000000039E5000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2276-615-0x0000000003990000-0x00000000039E5000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2504-671-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2504-664-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2588-550-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2640-646-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2708-640-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2756-0-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2756-304-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2792-676-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2792-683-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2856-675-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2856-668-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/3012-637-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/3016-684-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/3016-690-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download