Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...74.exe

windows7-x64

10

JaffaCakes...74.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_85e41b7a50e4ddcbde67f217a8284274

  • Size

    325KB

  • Sample

    250322-gnaarssqw6

  • MD5

    85e41b7a50e4ddcbde67f217a8284274

  • SHA1

    3f06cd919cac50e59e2d33f8d68d841bc592a3e3

  • SHA256

    188230f69d1d74dcbdcdd47d5ff49589cf7dbb36479f4f0cf979adaebf055a91

  • SHA512

    b8ee225569003568fa9b0fe81f9ce9824fab7c9eab6b44cf5c33cbecd16b479d4414beab786cfa5d97f6626f089b370fb8563c27d5d95406e9b2a637b805b048

  • SSDEEP

    6144:PzCYvnJC1idbeY+rhHfgik9MymRoS6xt4ExDDQN5xfTdwT8caNYhO7VJ2PFcmcIT:PfvJC1qbahHfgg5CS6xtRDCxfTdm53O6

Score
10/10
cybergateseafight botsdiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Seafight Bots

C2

troyanospesao.sytes.net:80

troyanospesao.sytes.net:81

troyanospesao.sytes.net:82

troyanospesao.sytes.net:83

troyanospesao.sytes.net:84

troyanospesao.sytes.net:85

troyanospesao.sytes.net:86

troyanospesao.sytes.net:87

troyanospesao.sytes.net:88

troyanospesao.sytes.net:89

troyanospesao.sytes.net:90

troyanospesao.sytes.net:200

troyanospesao.sytes.net:8080
Mutex

Seafight

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Drivers

  • install_file

    Update Drivers.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    No se pudo inicial porque farta el componente Powerbot.sca

  • message_box_title

    Seafight Bot

  • password

    147147147

  • regkey_hkcu

    Windows Security

  • regkey_hklm

    Microsoft Update

Targets

    • Target

      JaffaCakes118_85e41b7a50e4ddcbde67f217a8284274

    • Size

      325KB

    • MD5

      85e41b7a50e4ddcbde67f217a8284274

    • SHA1

      3f06cd919cac50e59e2d33f8d68d841bc592a3e3

    • SHA256

      188230f69d1d74dcbdcdd47d5ff49589cf7dbb36479f4f0cf979adaebf055a91

    • SHA512

      b8ee225569003568fa9b0fe81f9ce9824fab7c9eab6b44cf5c33cbecd16b479d4414beab786cfa5d97f6626f089b370fb8563c27d5d95406e9b2a637b805b048

    • SSDEEP

      6144:PzCYvnJC1idbeY+rhHfgik9MymRoS6xt4ExDDQN5xfTdwT8caNYhO7VJ2PFcmcIT:PfvJC1qbahHfgg5CS6xtRDCxfTdm53O6

    Score
    10/10
    cybergateseafight botsdiscoverypersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Cybergate family

      cybergate

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks