Analysis
- max time kernel: 104s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/03/2025, 08:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe
- Size: 353KB
- MD5: 7ecdfa2be06d0df2a9062fda28f5f545
- SHA1: 5c483762aacc799b60b43cce0fc9aeb51f05d12a
- SHA256: 9ea62f5674df0374f792631e7cda29e364be5e31d99a84f0b347c379e12e5541
- SHA512: d4012f5694a1be60a2c1341243e380e2808e1a83fdd529eb451e4423bef24bf2fb19a99c65eb04ca336b72785898633a9216ba5702f3c5ed25923a886dbef8be
- SSDEEP: 6144:6dYGe6dn2u9DYBcAKCKy1AqsDS88oDkOt8cfD288qbY87jh+nAYSxciL:6OGLp2u9DQKCgqsDr8oDktxqbxnhtNe+
Malware Config
Extracted
- family: cybergate
- version: v1.07.5
- remote: 127.0.0.1:999
- CyberGate1
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: cybergate
Signatures
- Cybergate family
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" (process: JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" (process: JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe)
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} (process: JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" (process: JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation (process: JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe)
- Executes dropped EXE (3 IoCs)
  PID 4440 server.exe; PID 1644 server.exe; PID 1656 server.exe
- Suspicious use of SetThreadContext (2 IoCs)
  PID 4484 set thread context of 6100 (process: JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe, procid_target 86)
  PID 4440 set thread context of 1644 (process: server.exe, procid_target 94)
- resource / yara_rule:
  behavioral2/memory/6100-10-0x0000000010410000-0x0000000010475000-memory.dmp: upx
  behavioral2/memory/6100-14-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
  behavioral2/memory/6100-11-0x0000000010410000-0x0000000010475000-memory.dmp: upx
  behavioral2/memory/6100-45-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  PID 2008 WerFault.exe, pid_target 3240 (procid_target 89)
  PID 948 WerFault.exe, pid_target 1656 (procid_target 96)
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe (3 entries) and by server.exe (3 entries)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 6100 JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe (2 entries); PID 1644 server.exe (2 entries)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 4484 JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe (2 entries); PID 3240 JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe; PID 4440 server.exe (2 entries); PID 1656 server.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  The 64 entries collapse to two distinct relationships, each reported repeatedly:
  PID 4484 wrote to memory of 6100 (process: JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe, procid_target 86)
  PID 6100 wrote to memory of 3836 (process: JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe, procid_target 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe"
  PID: 4484
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe"
    PID: 6100
    Signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 3836
    - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ecdfa2be06d0df2a9062fda28f5f545.exe"
      PID: 3240
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 748
        PID: 2008
        Signatures: Program crash
    - C:\directory\CyberGate\install\server.exe
      Command line: "C:\directory\CyberGate\install\server.exe"
      PID: 4440
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\directory\CyberGate\install\server.exe
        Command line: "C:\directory\CyberGate\install\server.exe"
        PID: 1644
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
        - C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 6112
        - C:\directory\CyberGate\install\server.exe
          Command line: "C:\directory\CyberGate\install\server.exe"
          PID: 1656
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 768
            PID: 948
            Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3240 -ip 3240
  PID: 4704
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1656 -ip 1656
  PID: 4400
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 224KB
  MD5: 9b596f99b4ff30b15ea5aa06f9d37f2e
  SHA1: 863e8ce1d3c84ac36d7f8d40c59efaa3a86cf842
  SHA256: fd65969d8ba1daca7ce2a716007104933ed53bfd4d8512fc0b815b20f180046f
  SHA512: 98f01394efff9add45e18f0b246596c1f23ca54807acb4ed60b6c19bea7a2796d910bce4530392253a0ecf3edc1278f13eb5f3bf9ec505e8aa62caa430d3a941
- Filesize: 353KB
  MD5: 7ecdfa2be06d0df2a9062fda28f5f545
  SHA1: 5c483762aacc799b60b43cce0fc9aeb51f05d12a
  SHA256: 9ea62f5674df0374f792631e7cda29e364be5e31d99a84f0b347c379e12e5541
  SHA512: d4012f5694a1be60a2c1341243e380e2808e1a83fdd529eb451e4423bef24bf2fb19a99c65eb04ca336b72785898633a9216ba5702f3c5ed25923a886dbef8be