cybergate | 347f35146474ebed8098cf2a4fbf08cf46fd904a1ab90360ff95784428e59fc3

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe
Size

359KB
MD5

82568847da4a28c86c9afb21aaebc979
SHA1

803caf3642fbd5ab5a8f6740733699be33f1bde7
SHA256

347f35146474ebed8098cf2a4fbf08cf46fd904a1ab90360ff95784428e59fc3
SHA512

b8bbc9533f893a06ab0eb82f53253fe5722372776291756e93f8a3fb3ac03d8b69d55291d812db4f296fd417bc053d4e5298c5e36bcbb1bbfbb83169d521f1da
SSDEEP

6144:hNLxba3M5s4cf59OxoPsNyrtfzmiuDKIN0ghArpdbJq/jBHdsKUwaOLmaATJ:hNLxbj58i/NMxr9INKzc/hFUwad

Score

10^/10

cybergate kuroiryu defense_evasion discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.0

Botnet

kuroiryu

vobis.no-ip.biz:123

Mutex

G70C4O447U4J13

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
System32
install_file
Windows Update
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Die Datei ist beschädigt
message_box_title
Error
password
123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\System32\\Windows Update"	twunk_32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	twunk_32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\System32\\Windows Update"	twunk_32.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EBA31CT-7G6Y-84X8-Q338-4G0N733ID5BH}\StubPath = "C:\\Windows\\system32\\System32\\Windows Update"	twunk_32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EBA31CT-7G6Y-84X8-Q338-4G0N733ID5BH}	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EBA31CT-7G6Y-84X8-Q338-4G0N733ID5BH}\StubPath = "C:\\Windows\\system32\\System32\\Windows Update Restart"	twunk_32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EBA31CT-7G6Y-84X8-Q338-4G0N733ID5BH}	twunk_32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\System32\\Windows Update"	twunk_32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\System32\\Windows Update"	twunk_32.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System32\Windows Update	twunk_32.exe
File opened for modification	C:\Windows\SysWOW64\System32\Windows Update	twunk_32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 2828	2664	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe	31

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2828-8-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2828-20-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2828-18-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2828-17-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2828-16-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2828-11-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2828-5-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2828-830-0x0000000000400000-0x0000000000457000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twunk_32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twunk_32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2828	twunk_32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1928	twunk_32.exe
Token: SeRestorePrivilege	1928	twunk_32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2828	twunk_32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2828	2664	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe	31
PID 2664 wrote to memory of 2828	2664	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe	31
PID 2664 wrote to memory of 2828	2664	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe	31
PID 2664 wrote to memory of 2828	2664	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe	31
PID 2664 wrote to memory of 2828	2664	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe	31
PID 2664 wrote to memory of 2828	2664	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe	31
PID 2664 wrote to memory of 2828	2664	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe	31
PID 2664 wrote to memory of 2828	2664	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe	31
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21
PID 2828 wrote to memory of 1188	2828	twunk_32.exe	21

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82568847da4a28c86c9afb21aaebc979.exe"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2664
- - C:\Windows\twunk_32.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:700
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:684
  - - C:\Windows\twunk_32.exe
      "C:\Windows\twunk_32.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
b3758b6e605a519740ad2b8f5861ad22

SHA1
d4678cf561975ced456ea36572e8e072bbd669e8

SHA256
438af156a657268fa60797b3ac356647e2a40318910f81b93159178be1b623b8

SHA512
efb796f7f4d60639b5871f0fd7fbd3005f329477e52a4b0d4af61aa657655d704df02eef6428770c40bc7879f2d81ac13673b2f5359ab72b2ec5d918cfe0f807

Download Submit
C:\Windows\SysWOW64\System32\Windows Update

Filesize
30KB

MD5
0bd6e68f3ea0dd62cd86283d86895381

SHA1
e207de5c580279ad40c89bf6f2c2d47c77efd626

SHA256
a18b0a31c87475be5d4dc8ab693224e24ae79f2845d788a657555cb30c59078b

SHA512
26504d31027ceac1c6b1e3f945e447c7beb83ff9b8db29d23e1d2321fc96419686773009da95ef6cd35245788f81e546f50f829d71c39e07e07e1fecbf2d8fd4

Download Submit
memory/1188-24-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2664-0-0x0000000074E71000-0x0000000074E72000-memory.dmp

Filesize
4KB

Download
memory/2664-1-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2664-2-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2664-19-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-17-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2828-18-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2828-16-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2828-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-11-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2828-5-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2828-20-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2828-830-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2828-8-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2828-3-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download