cybergate | 3e35d55178e3bb404d6981774d4a92ea8079505a6972c661cd918020450e6240

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
Size

212KB
MD5

82d690c38dab37c257d67d5700c16c8d
SHA1

b02b6d8349d36d32af48747dcf9ce8facf8cdf08
SHA256

3e35d55178e3bb404d6981774d4a92ea8079505a6972c661cd918020450e6240
SHA512

f346b25284e546e773daaf4b15949b357e26a42db14c8620b7e6d1a9836fa8bd51da239f3020ea8dc7af6249cd2e9cd1d78952b54c88fd49f5b4bee0f1b04b8b
SSDEEP

6144:rr2BmkVkkehiXeUSmYfzTiTMjUO73BbRF:rr2Bgk5XVSm4T/Z7v

Score

10^/10

cybergate asad discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.2.2

Botnet

asad

192.168.1.3:85

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
config
install_file
explore.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
?? ??????? ?????? ?????? ???????
message_box_title
??? ?????
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Explorer = "C:\\Windows\\system32\\config\\explore.exe"	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Explorer = "C:\\Windows\\system32\\config\\explore.exe"	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\config\\explore.exe Restart"	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\config\\explore.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\config\\explore.exe"	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\config\\explore.exe"	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\explore.exe	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
File opened for modification	C:\Windows\SysWOW64\config\	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
File created	C:\Windows\SysWOW64\config\explore.exe	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
File opened for modification	C:\Windows\SysWOW64\config\explore.exe	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-0-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2376-3-0x0000000024010000-0x000000002404D000-memory.dmp	upx
behavioral1/memory/2376-267-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/files/0x000b000000012253-415.dat	upx
behavioral1/memory/1732-416-0x0000000024050000-0x000000002408D000-memory.dmp	upx
behavioral1/memory/2376-678-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2628-692-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2628-703-0x0000000000400000-0x000000000044D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2628	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
Token: SeDebugPrivilege	2628	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20
PID 2376 wrote to memory of 1156	2376	JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1156
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:1732
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82d690c38dab37c257d67d5700c16c8d.exe"
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
140KB

MD5
ad3974b800fe219b7c72381364c954fd

SHA1
c0178668f2d1e304284ad6074c9f9df688c1e583

SHA256
9cc984b58b8c6ff872de6422084ec59e5bccdd7c6377d1d86f444a59a1383920

SHA512
ff43385950378c557671e28aa8db67a5e166e0ad106b0cc0993ceb02f13959d966416750ab67d6e5724f08facd65acb80b2650551a1514cfba4b552593667c92

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
86f3c87caff4d7973404ff22c664505b

SHA1
245bc19c345bc8e73645cd35f5af640bc489da19

SHA256
e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

SHA512
0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

Download Submit
C:\Windows\SysWOW64\config\explore.exe

Filesize
212KB

MD5
82d690c38dab37c257d67d5700c16c8d

SHA1
b02b6d8349d36d32af48747dcf9ce8facf8cdf08

SHA256
3e35d55178e3bb404d6981774d4a92ea8079505a6972c661cd918020450e6240

SHA512
f346b25284e546e773daaf4b15949b357e26a42db14c8620b7e6d1a9836fa8bd51da239f3020ea8dc7af6249cd2e9cd1d78952b54c88fd49f5b4bee0f1b04b8b

Download Submit
memory/1156-4-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1732-209-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-208-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1732-416-0x0000000024050000-0x000000002408D000-memory.dmp

Filesize
244KB

Download
memory/2376-267-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2376-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2376-438-0x0000000000490000-0x00000000004DD000-memory.dmp

Filesize
308KB

Download
memory/2376-3-0x0000000024010000-0x000000002404D000-memory.dmp

Filesize
244KB

Download
memory/2376-678-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2628-692-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2628-703-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download