Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    20/03/2025, 04:59

General

  • Target

    JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe

  • Size

    344KB

  • MD5

    816ac199375ddab6a4fe6ae65faab5f5

  • SHA1

    f266c4d3a92f4a1eb2bde021aca7b8a3788eb58f

  • SHA256

    96d896e36f29e0ab7810d62ade596240e1cbcb42eec34af42f3ca647cae7d630

  • SHA512

    bdca672acd31d657df1f4d8483d28bdca3ca40592a615429cb757248297a933bed38efd15963f88a10f6f02cf72bbd87cc2cc275d3206b900cd1ff9754e06754

  • SSDEEP

    6144:L/G0N63UDkF+yGHGb3BtBxVrADqTxIC1h76QsLUXISGN1A3aWzns:rx6zOgPBx1b7X7wLUVGQ7s

Malware Config

Extracted

Family

cybergate

Version

v1.00.0

Botnet

remote

C2

122.3.6.90:9000

Mutex

CyberGate1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 29 IoCs
  • Loads dropped DLL 30 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 30 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1792
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            PID:1224
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2280
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2788
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:408
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2552
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2664
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2464
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1668
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2460
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1716
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1752
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1600
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1420
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2496
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2956
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2728
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2452
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2516
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3048
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:840
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:324
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2508
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1564
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1328
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1988
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2216
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2064
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            PID:2444
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2620

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      237KB

      MD5

      5f6cd69e641085107c9e9f273fd72623

      SHA1

      4b5a3e5d699696f2a73ddec5c39a93e3d120a762

      SHA256

      24be1d02175e885dd864e69afdea73629280d7913aefdbeca7683b49799f28db

      SHA512

      169a3d029c242c459915505b4c6881dd0db307fc502749688a76759e98fc28078235d330ed6dd0cb7bb258a596adc3bf49faf63a31a28441371df126c4899827

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      237KB

      MD5

      d11d644d97e855ab0a35488e77223e5d

      SHA1

      3f4a21b0232abe2c94222387d772de47841931d3

      SHA256

      3d42182201feeba48941db4bc34fef3f489ff88aa70b26dbedd1dd97f51598ad

      SHA512

      a2f1225f8d79abf129997662c9de97541d8b2f73da30eee602758ed9ceadeb36970ec80a3711c403d7d5f980f4d231bb81748bf9af05e5244f57bd0e22bfc155

    • C:\Windows\install\server.exe

      Filesize

      344KB

      MD5

      816ac199375ddab6a4fe6ae65faab5f5

      SHA1

      f266c4d3a92f4a1eb2bde021aca7b8a3788eb58f

      SHA256

      96d896e36f29e0ab7810d62ade596240e1cbcb42eec34af42f3ca647cae7d630

      SHA512

      bdca672acd31d657df1f4d8483d28bdca3ca40592a615429cb757248297a933bed38efd15963f88a10f6f02cf72bbd87cc2cc275d3206b900cd1ff9754e06754

    • memory/1196-3-0x0000000002E00000-0x0000000002E01000-memory.dmp

      Filesize

      4KB

    • memory/1792-246-0x00000000000A0000-0x00000000000A1000-memory.dmp

      Filesize

      4KB

    • memory/1792-261-0x00000000000E0000-0x00000000000E1000-memory.dmp

      Filesize

      4KB

    • memory/1792-524-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

    • memory/1792-534-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB