Overview

overview

10

Static

static

3

JaffaCakes...f4.exe

windows7-x64

10

JaffaCakes...f4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/03/2025, 21:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_84c8b1fbeeb717c572934e564de714f4.exe

  • Size

    903KB

  • MD5

    84c8b1fbeeb717c572934e564de714f4

  • SHA1

    2609343d195368a5b118e4d5b4587b11680c109b

  • SHA256

    2f5bdc3c1540373a46565095571394adbe591b3b8b11322aefe461111d650d42

  • SHA512

    d5fd6e30e64591cb8f3bcdf0e7e65f93ce3f9331516e6f8560a4124c3d0cd41a568442b04644ebee13582ecfc910a19008ddbe67dcb6979bdb650fc462b556b9

  • SSDEEP

    12288:NBJHa4SSqrzuhQ88jIYSl10R/IqSBk58tKTGPM2Leov6uqoi2W+/gF1chxGZZlxt:NrHaFSIR/998CGPMAHgzmxGE0

Score
10/10
cybergateviko89discoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.01.0

Botnet

viko89

C2

124.123.38.124:82

Mutex

CyberGate1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Winlog

  • install_file

    winlogonn.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    allahisgreat

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Cybergate family
    cybergate
  • Adds policy Run key to start application 2 TTPs 64 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 60 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 29 IoCs
  • Adds Run key to start application 2 TTPs 60 IoCs
    persistence
  • Drops file in System32 directory 58 IoCs
  • UPX packed file 42 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84c8b1fbeeb717c572934e564de714f4.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84c8b1fbeeb717c572934e564de714f4.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
          "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3948
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:184
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1680
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:2992
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:1932
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:1832
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:3264
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:4032
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:3756
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:4012
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:1856
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:2528
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:2924
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:3676
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:4604
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:1728
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:2100
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:2168
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:1520
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:2532
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:4436
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:3640
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:1448
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:3680
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:4372
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:2212
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:4876
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:4920
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:2872
            • C:\Windows\SysWOW64\Winlog\winlogonn.exe
              "C:\Windows\system32\Winlog\winlogonn.exe"
              5⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:2996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      Filesize

      274KB

      MD5

      919dd12016105c1c493266b8cf953be4

      SHA1

      c10905f567ed84e902558dc28a4403e31d9156f5

      SHA256

      a59d766c381fe3fa7f273b42ecc646a8ccca83d432dac96d75aebb422539a3f9

      SHA512

      7e8a9ad5b0c1d306f0b75c49d01de7dc006c28180152a4191b38e6486d3e0ac5f67cb2cf1fbaf0f9729a821d44a2117a511635720046245a39f6d1cd6ba3e47b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      227KB

      MD5

      af61e40bb6fefb8cc39bafd1630dce8f

      SHA1

      8a854139b4305ed184eb73ca47c677c44aa50cf5

      SHA256

      15c4c1213a79675ec0f2ea4ea16fadee790c65dd4cb6dc6faeb0313e937b1a78

      SHA512

      e3cee1a34fea429ac7c0db231b2005a4013f2ac79aac0e30647ae15e7545e7417c41aa1fc5b9cf74669bf371bde4ffb9020c7c5443ad5e3c676dcb7d1fc64aac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      227KB

      MD5

      55d3f623c6ca6abc5ef4065b90f4b819

      SHA1

      1673dd7e6a9ab865ef9f0d6ba62097225b8b48c8

      SHA256

      add9d847001f41cf1c6ad5f15d835b77eff0fb6ee7ac9defc801e1873e2f4b77

      SHA512

      8509ad33d53eba356a076f8c9023de0d1a15415427ba47f51639ff31093b950d88b52d98a271b48ed2e78ea53cc2d3cb8ad44d3a1a70051963f55c861470d50c

      Download Submit

    • memory/184-96-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/184-88-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/184-86-0x0000000003660000-0x0000000003661000-memory.dmp

      Filesize

      4KB

      Download

    • memory/184-27-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/184-28-0x0000000000B80000-0x0000000000B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1448-355-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1448-325-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1520-260-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1520-281-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1576-1-0x000000001B2B0000-0x000000001B356000-memory.dmp

      Filesize

      664KB

      Download

    • memory/1576-4-0x00007FFFD6130000-0x00007FFFD6AD1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1576-8-0x00007FFFD6130000-0x00007FFFD6AD1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1576-7-0x000000001BF80000-0x000000001BFCC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1576-6-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1576-2-0x00007FFFD6130000-0x00007FFFD6AD1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1576-0-0x00007FFFD63E5000-0x00007FFFD63E6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1576-19-0x00007FFFD6130000-0x00007FFFD6AD1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1576-3-0x000000001B860000-0x000000001BD2E000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/1576-5-0x000000001BE20000-0x000000001BEBC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1680-103-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1728-237-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1832-126-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1856-174-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1932-119-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2100-250-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2168-266-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2212-390-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2528-186-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2532-276-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2532-307-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2872-418-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2924-204-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2992-110-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2996-436-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3264-134-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3640-340-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3676-218-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3680-370-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3680-341-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3756-153-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3948-83-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3948-17-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3948-92-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3948-26-0x0000000024070000-0x00000000240D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3948-23-0x0000000024010000-0x0000000024070000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4012-164-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4032-144-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4372-374-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4436-313-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4436-292-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4604-230-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4604-205-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4876-404-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4920-424-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download