Analysis

  • max time kernel
    150s
  • max time network
    111s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/03/2025, 04:59

General

  • Target

    JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe

  • Size

    344KB

  • MD5

    816ac199375ddab6a4fe6ae65faab5f5

  • SHA1

    f266c4d3a92f4a1eb2bde021aca7b8a3788eb58f

  • SHA256

    96d896e36f29e0ab7810d62ade596240e1cbcb42eec34af42f3ca647cae7d630

  • SHA512

    bdca672acd31d657df1f4d8483d28bdca3ca40592a615429cb757248297a933bed38efd15963f88a10f6f02cf72bbd87cc2cc275d3206b900cd1ff9754e06754

  • SSDEEP

    6144:L/G0N63UDkF+yGHGb3BtBxVrADqTxIC1h76QsLUXISGN1A3aWzns:rx6zOgPBx1b7X7wLUVGQ7s

Malware Config

Extracted

Family

cybergate

Version

v1.00.0

Botnet

remote

C2

122.3.6.90:9000

Mutex

CyberGate1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 29 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 31 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • System Location Discovery: System Language Discovery
          PID:2760
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3680
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3904
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3568
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1004
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:4816
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:5432
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:828
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:4028
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3640
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1564
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:5632
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:5732
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1256
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:5636
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:5272
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1492
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:5560
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:4180
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:6008
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:4080
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:5052
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1668
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2876
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3944
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:6052
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:4648
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:5664
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:4772
          • C:\Windows\install\server.exe
            "C:\Windows\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2852

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      237KB

      MD5

      5f6cd69e641085107c9e9f273fd72623

      SHA1

      4b5a3e5d699696f2a73ddec5c39a93e3d120a762

      SHA256

      24be1d02175e885dd864e69afdea73629280d7913aefdbeca7683b49799f28db

      SHA512

      169a3d029c242c459915505b4c6881dd0db307fc502749688a76759e98fc28078235d330ed6dd0cb7bb258a596adc3bf49faf63a31a28441371df126c4899827

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      237KB

      MD5

      d11d644d97e855ab0a35488e77223e5d

      SHA1

      3f4a21b0232abe2c94222387d772de47841931d3

      SHA256

      3d42182201feeba48941db4bc34fef3f489ff88aa70b26dbedd1dd97f51598ad

      SHA512

      a2f1225f8d79abf129997662c9de97541d8b2f73da30eee602758ed9ceadeb36970ec80a3711c403d7d5f980f4d231bb81748bf9af05e5244f57bd0e22bfc155

    • C:\Windows\install\server.exe

      Filesize

      344KB

      MD5

      816ac199375ddab6a4fe6ae65faab5f5

      SHA1

      f266c4d3a92f4a1eb2bde021aca7b8a3788eb58f

      SHA256

      96d896e36f29e0ab7810d62ade596240e1cbcb42eec34af42f3ca647cae7d630

      SHA512

      bdca672acd31d657df1f4d8483d28bdca3ca40592a615429cb757248297a933bed38efd15963f88a10f6f02cf72bbd87cc2cc275d3206b900cd1ff9754e06754

    • memory/2760-7-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

      Filesize

      4KB

    • memory/2760-8-0x00000000010A0000-0x00000000010A1000-memory.dmp

      Filesize

      4KB

    • memory/2760-66-0x0000000003B80000-0x0000000003B81000-memory.dmp

      Filesize

      4KB

    • memory/2760-68-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

    • memory/2760-67-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

    • memory/2760-74-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

    • memory/2956-3-0x0000000024010000-0x0000000024070000-memory.dmp

      Filesize

      384KB

    • memory/2956-63-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB