Overview

overview

10

Static

static

3

JaffaCakes...68.exe

windows7-x64

10

JaffaCakes...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17/03/2025, 05:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_7d123a6cea56c134196f1e17bda73768.exe

  • Size

    288KB

  • MD5

    7d123a6cea56c134196f1e17bda73768

  • SHA1

    ffd6ffa08dbd4e533ecf3dbd8c09ad6cdb38bf6c

  • SHA256

    59529d8437321dd60f012d897d9c8555135c51cd654576e6eca18bd1db9835e5

  • SHA512

    d4d1c914c31ca9a20af48d55c9e4c682c7b928f094c3266f8fcd8b0087b65bc496c156e45ea003a7645fd91896464bbc6ca7e649403b65f80e792c4e46b2b5fc

  • SSDEEP

    6144:zrNz9gf9mCPDvjR1bhcQdO4YfxpfN/+QCXS3Ldx+5mTa6Ll3TZv2G5:zrNpgACThcKPUjfN/+QCXATkmTaq9v75

Score
10/10
cybergatecyberstealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.01.0

Botnet

Cyber

C2

0o3.no-ip.org:82

Mutex

Update

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Winbooterr

  • install_file

    scvhost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • password

    123456

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Cybergate family
    cybergate
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d123a6cea56c134196f1e17bda73768.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d123a6cea56c134196f1e17bda73768.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Local\Temp\NimBot2.exe
      "C:\Users\Admin\AppData\Local\Temp\NimBot2.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NimBot2.exe
    Filesize

    269KB

    MD5

    089606b026d70a62b816c2f24e2d433c

    SHA1

    f653ad3e9d044cce19463febb812d48f1918cf57

    SHA256

    a78c831fca3ce00bbf2dc7e37609ba070ed9a0f022cc1d66a7e6b2f58122a140

    SHA512

    8919f8629f154f1e65194a602d97a30215657b3cf4a756068a6e3e472f57daef72f63710c6a5552fdf93a55174984acd04b1f97afb2fdb0ebf8ff6f321b73ed6

    Download Submit

  • memory/2156-0-0x000007FEF5A8E000-0x000007FEF5A8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-1-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2156-3-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2156-11-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2816-10-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2816-15-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

    Download