Overview

overview

10

Static

static

3

JaffaCakes...b3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2025, 18:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_a63edd8d2d5f2e573d8107119aaf4db3.exe

  • Size

    367KB

  • MD5

    a63edd8d2d5f2e573d8107119aaf4db3

  • SHA1

    0bee1eb9746d0c71dcc035ab60b3d7e1d2c1de40

  • SHA256

    10f70ce579cc6de56b378b54ea27114a472d7a0a8eb006fee17ac771cb3f2d60

  • SHA512

    77e10c1ada6f9a3f33cd7e18575314fcc59132ad4bf8947a6355f77a7b21a957c18154f890733c85de97978f88b7a086eef3c3fe76c8f8311e4b94daa20a6991

  • SSDEEP

    6144:ec8aCmNfATSR0QxDDB9ejFP1HbcwoMIu0/cNIfqqVc2XhVjghvfFMseN2VfaCeCn:bBCmUSmuDteR1HbboZ3UNAxcMghvusCQ

Score
10/10
cybergateremotepersistencestealertrojan

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

C2

127.0.0.1:3737

ackraizo.no-ip.biz:3737
Mutex

FR7T6X611K06A2

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    201094

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Cybergate family
    cybergate
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a63edd8d2d5f2e573d8107119aaf4db3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a63edd8d2d5f2e573d8107119aaf4db3.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    PID:5628
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Kernel32.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Local\Temp\Kernel32.exe
      C:\Users\Admin\AppData\Local\Temp\Kernel32.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:4456

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Kernel32.exe
    Filesize

    367KB

    MD5

    a63edd8d2d5f2e573d8107119aaf4db3

    SHA1

    0bee1eb9746d0c71dcc035ab60b3d7e1d2c1de40

    SHA256

    10f70ce579cc6de56b378b54ea27114a472d7a0a8eb006fee17ac771cb3f2d60

    SHA512

    77e10c1ada6f9a3f33cd7e18575314fcc59132ad4bf8947a6355f77a7b21a957c18154f890733c85de97978f88b7a086eef3c3fe76c8f8311e4b94daa20a6991

    Download Submit

  • C:\Windows\Updater.exe
    Filesize

    276KB

    MD5

    b9c7acecdbb69907fd74c7fc16b61d76

    SHA1

    e292c943307bd630c85945286badacc8d2b916a8

    SHA256

    8da8bc120e76b20e7512952749f89db0d2f045da5649239d597b92877138e6ad

    SHA512

    6eb40abdbd6f67e7896b3ded1a0c591b781580498aa1467921c066a171096497e364ea25955d4d83965a4b23103f273466164e56dccd177544be97e27e965098

    Download Submit

  • memory/4456-26-0x00007FFA842F0000-0x00007FFA84C91000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4456-22-0x00007FFA842F0000-0x00007FFA84C91000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4456-21-0x00007FFA842F0000-0x00007FFA84C91000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4456-20-0x00007FFA842F0000-0x00007FFA84C91000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4456-19-0x00007FFA842F0000-0x00007FFA84C91000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/5628-8-0x00007FFA842F0000-0x00007FFA84C91000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/5628-0-0x00007FFA845A5000-0x00007FFA845A6000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5628-9-0x00007FFA842F0000-0x00007FFA84C91000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/5628-12-0x000000001E150000-0x000000001E1B0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/5628-7-0x000000001BD90000-0x000000001BDDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5628-18-0x00007FFA842F0000-0x00007FFA84C91000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/5628-5-0x00007FFA842F0000-0x00007FFA84C91000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/5628-6-0x00000000009D0000-0x00000000009D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/5628-4-0x000000001BC60000-0x000000001BCFC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5628-2-0x00007FFA842F0000-0x00007FFA84C91000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/5628-3-0x000000001B6F0000-0x000000001BBBE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/5628-1-0x000000001B170000-0x000000001B216000-memory.dmp

    Filesize

    664KB

    Download