cybergate | 2fa8bcf495068af2c8c3e2fa739fbbbfeb821f1c65369138a65c5cca38dabe71

Analysis

max time kernel
78s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_808ca92cf63d8366f9d8416d67c8b428.exe
Size

792KB
MD5

808ca92cf63d8366f9d8416d67c8b428
SHA1

cdd6aacc6633879ba7d88105905fa07ee5042887
SHA256

2fa8bcf495068af2c8c3e2fa739fbbbfeb821f1c65369138a65c5cca38dabe71
SHA512

f7704050ebc8d6aff8dad7487e4e89f7b571343faaa5c10617684851c44ec52aa95663baadf20351a870375bdeffa3193d23ed6ef68a294bb84c6c081ecaeee6
SSDEEP

12288:Cz0/s0vSwsuoeJTrGu+8zmOyFoVgrx+PBuTRMYgtAAtw9k3p9FHGLyuVJE8:Cz0kXTeJTyu+uyFoVgNjpA+qC

Score

10^/10

cybergate at-6 discovery stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

AT-6

127.0.0.1:10001

c4tnt.no-ip.biz:10001

192.168.1.4:10001

Mutex

***11sqdsqds6541654qds***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
1234
regkey_hkcu
HKCU

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_808ca92cf63d8366f9d8416d67c8b428.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2432	JaffaCakes118_808ca92cf63d8366f9d8416d67c8b428.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_808ca92cf63d8366f9d8416d67c8b428.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_808ca92cf63d8366f9d8416d67c8b428.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2432
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_808ca92cf63d8366f9d8416d67c8b428.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_808ca92cf63d8366f9d8416d67c8b428.exe"
  2⤵
  PID:40156
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:97992
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_808ca92cf63d8366f9d8416d67c8b428.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_808ca92cf63d8366f9d8416d67c8b428.exe"
    3⤵
    PID:43088
  - - C:\Windows\Microsoft\svchost.exe
      "C:\Windows\Microsoft\svchost.exe"
      4⤵
      PID:135648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

Filesize
8B

MD5
d8ac25ebe162b7e984becc34fdc6d8e0

SHA1
ea42c834e3fcbc4dc3d164ca91092e7f43d4d56d

SHA256
c83b3fa828a1f4cb833fb416470b1530d7989d298a3f0fccd9221b21a4431893

SHA512
fdfabdb6df263c4caf839d5b5b9f244de0ea97434beeb9584c775e6e044b83813d61e062221ddf9a10727ed822bf1b8a7b502dc46199d0453358f9dfa13a45ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
d62039ae45fdcedc353a9232941103e0

SHA1
6ee6469f0bccf625a4a9ffe902787246608960f0

SHA256
2a7e2f5fe73d8d9fb02c2d324173b8d7fa9f6437088c447314c9f581e1d15615

SHA512
7c08f106ae9d7c910c2b553658bfa9b33e926262d0c9f5f7afdd50b13081e9e42224a948baf6b76dc2bc581110d6e24d0bc9a08ef110c9a19d1df36d1a1e30bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cc5dad5d3c7fede1807457b740b5cf64

SHA1
e9951fc4ec9b2dafc8f538ac788bcc0dc9d65f65

SHA256
e84835caace1662bd68dbe5f293e28da8f3a5fcee31f6ea6a5250c9ca43bb755

SHA512
d4912ebb92dbf8dbc898f20dfdba9ec43424c9bd7650fe42924d004b2be363452beee50e3fed7af3f85c537da8b8f6f9120d5ba40ec7d181f1d19bf215783159

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0fce6d56a3c3f1721754164be67c6c5f

SHA1
9aa9ac0731a35f411ce8d0c2880d21f0670f4b29

SHA256
7c62efd511881079ad60faa438cafefac0e7f566fc1dccb129229c5f57aeb886

SHA512
d9bd8f73c7070a7dcd201766dd4f4b0ee50074ddc43cfb19797aa05f03e3f3094b488646a40254ade48f04df9c9f37da5835c2f08e2dd9c4a6c0ef5e8a3e7357

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9964e670940730292775361ed764080e

SHA1
bb765acef1be820805cbcfbae86c76f47ef09787

SHA256
ad3f31a79aca26f8c08a8704d9e4fd83223e4c93069e23da28d8cec12bb54e8b

SHA512
e527e04cb19918eaf28fe09b89eb26db033a925e1fd15145bf622359b3bc3370b12411e066d5d934ad7ccdcaa0584a38bce954d7994d3e2aa470e1b7ca2eb64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f06849e7286f022d5b616b6685cdd41e

SHA1
677ff67f5fd55af71e4e1920002ddd9146388ecc

SHA256
5fa702b2de3c8505640d58000ef3af292da21532b4238f7414f668d2a06bef3a

SHA512
f8c0e64afaac4c9b6bf17b83f40cc6973e0f433a98cc039f0e5958d44abbd40a1e28ffea429f8e20cb5bbb1163318f5f26dd70c117fed238fb22875c774c5738

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
75b8cebdf10e6c3f9562c7724942d4d6

SHA1
a85c000848e8d1157b1fc1d270f957fba0d161eb

SHA256
4c9ab482989c0c50f81f9f2a832abdfbdbbb35d4576d06ef93adbfaaf8dca509

SHA512
b3b9272208408d98034ce8ea6435d6d26e62733994ef4f807d9aebbfd83e0076735a42c1b5b3016e5f8fbac2db6979b94f2f37be3501e93279e4fcdc820aed0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
abdcdffc2a1dbc0928b2ec70e0162e51

SHA1
b2b5de3688c0723c70678f8a3560bbcc3ca98580

SHA256
bab093a01926ca73c8f595b2b54c2a703167b6a92efa2d09582cd1f4156a4168

SHA512
1cb25329b51f1c5c1fe21232ac49264da8d87f432d035119e2cb23fc666e46c1d34fad5d9f84e664aba7064b03469c8079b2939394a3b2033341602f42e4aedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2fe49fae97005375463440f76ab4994c

SHA1
3a39f48b4c89cb98ac78bd432bcc9353c050c26a

SHA256
3611457c4ebe93ce9fd67bd144cf21ef7ec01d6aeabe331eb825b362985f1429

SHA512
802de1084ebd699d5b567066671ea6ece2e7fbc10861fc4841fa28d47cc1aae4ace5440e41492ced58e3479f0d66a92bed104780b2cf62d9ab1e87ae14ccccaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
af9f655a1469aafefe12c26a8a6563ea

SHA1
00c6b0c47ab1a7208b8c88278d2f97da9bf2d0dc

SHA256
8df7830734ed4c4a7c389c78340f57e27b47f3518e7e7ee908b2ccf21983afe9

SHA512
8aaec282ed17a217893f3038e937153aaa9a1e0226bc0afca7bad821ead5299ebf4ec81906da93fa44d9e614a9a0b1fd44bc484e19dff0a3a1fef78957ca18cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4e4ad5668512658fe22bca06c22e2353

SHA1
35616c4a8866cbc033fa9cebc4fadbd6c45e9b90

SHA256
8827d1f157b840ffb346e4d07d0c4409ce9d48e5e0c84e94dda6d3e19ecf3259

SHA512
c6eadb23941544b9d0225ca0a2d194f73cd41bec93ddac3a2d86443265696ebdcf3e48e78119d77d23d44776006050ff9b75ceff99ff19c34247f67f8e97930f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c236d462d048389a7270131d530d1bb0

SHA1
a320c33de4f5c27b85c365a548a626661a27bf47

SHA256
aae64f6bc74202d3904312c6360dcd73d07e448eda71dd47cae0ec27e98ff6f5

SHA512
f0bacaff94fd8ea589bc852d91efda5d3a082708e0c0ca0c38fffa00935ae5eb0e35d956c0132c9738f7841e682fddbcab469b1fd161be3b2f83b0ceed26298b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5e793348d8adbce6fab736684f228db1

SHA1
fbc72fc452bf360f1076b6097d29856d913c46e0

SHA256
9edb4f9b3c5a548047e928222d43e0099ef23069cd20f95090063e2b176556f8

SHA512
568848d64fd707c0cdebe4d91814402fc2c50d3fa098edccf45bde64aeca936b4a42ca4d7b952313e348a524c83dc2cf4be549efa2a203a9a38701eae322fd9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3fe3e5e98bf2b3c477ccdabd49475c20

SHA1
abdd50b4e7af578e0648de493c760dd18a2cb755

SHA256
9d1c7ab20925ade00fb9cda7f898e26d621f9ebdc43d9c076c031cff09c16356

SHA512
4b446d1039c914bee3cd3d4894a8846510f52ba882c93756f55e5c3bb1d5c75dc0877ff88c0b5263a4643730d7421c0f602276bade319b354068fd162083d597

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\Microsoft\svchost.exe

Filesize
792KB

MD5
808ca92cf63d8366f9d8416d67c8b428

SHA1
cdd6aacc6633879ba7d88105905fa07ee5042887

SHA256
2fa8bcf495068af2c8c3e2fa739fbbbfeb821f1c65369138a65c5cca38dabe71

SHA512
f7704050ebc8d6aff8dad7487e4e89f7b571343faaa5c10617684851c44ec52aa95663baadf20351a870375bdeffa3193d23ed6ef68a294bb84c6c081ecaeee6

Download Submit
memory/2432-39258-0x0000000002690000-0x0000000002757000-memory.dmp

Filesize
796KB

Download
memory/2432-38789-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/40156-2478568-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/40156-2478570-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/40156-2478582-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/40156-2478580-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/40156-2478587-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/40156-2478585-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/40156-2478566-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/40156-2478592-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/40156-2478581-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/40156-2478572-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/40156-2478574-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/40156-2478576-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/40156-2478578-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/43088-2478608-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/43088-2478599-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download