cybergate | 99906d4357bf27fb769af9778a557fb3113e21a3bdecc23cc90df45c89b4e0b8

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe
Size

844KB
MD5

b60313aaf39ac29319fb3685f3feb5dc
SHA1

3a9d1e2da1b90410f5e0f785a16c7955188bbfc2
SHA256

99906d4357bf27fb769af9778a557fb3113e21a3bdecc23cc90df45c89b4e0b8
SHA512

14857df3a545b1358d33f36c69bbab92c87ff6f7bfca9dc59f956bad2c2d6b0c769f2c7fc9de016189ec1af5ad92e33d65853909ae9f26163b5676d69fe09168
SSDEEP

12288:CmGHOOyegIHwz0KmeBpPUeYzXGc7bOZR02B1ZMbPEeCEeU1S9K06fRvUWvYkHD15:CwwQKH3bVlv/ikHQf

Score

10^/10

cybergate cam discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cam

127.0.0.1:110

camsxbox.no-ip.biz:110

Mutex

Y04R5X5087D8YW

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
svchost
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cameron
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\svchost\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\svchost\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ4UE546-7JV5-V5HR-NSFW-U2K15VWGMFVC}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ4UE546-7JV5-V5HR-NSFW-U2K15VWGMFVC}\StubPath = "C:\\Windows\\svchost\\svchost.exe Restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ4UE546-7JV5-V5HR-NSFW-U2K15VWGMFVC}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ4UE546-7JV5-V5HR-NSFW-U2K15VWGMFVC}\StubPath = "C:\\Windows\\svchost\\svchost.exe"	explorer.exe

Executes dropped EXE 29 IoCs

pid	Process
4024	svchost.exe
2712	svchost.exe
4020	svchost.exe
5068	svchost.exe
5468	svchost.exe
1628	svchost.exe
452	svchost.exe
4172	svchost.exe
2120	svchost.exe
6052	svchost.exe
1552	svchost.exe
5852	svchost.exe
1776	svchost.exe
872	svchost.exe
5416	svchost.exe
3416	svchost.exe
4296	svchost.exe
1588	svchost.exe
1932	svchost.exe
3960	svchost.exe
3156	svchost.exe
5336	svchost.exe
4872	svchost.exe
3868	svchost.exe
3772	svchost.exe
5876	svchost.exe
1248	svchost.exe
5344	svchost.exe
1984	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\svchost\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\svchost\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 368 set thread context of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/536-13-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/536-21-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2276-86-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/2276-92-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\svchost\svchost.exe	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4696	4436	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
536	svchost.exe
536	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2276	explorer.exe
Token: SeRestorePrivilege	2276	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
536	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 368 wrote to memory of 536	368	JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe	88
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56
PID 536 wrote to memory of 3460	536	svchost.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b60313aaf39ac29319fb3685f3feb5dc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 84
        5⤵
        Program crash
        
        PID:4696
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2276
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4024
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2712
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4020
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:5068
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:5468
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1628
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:452
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4172
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2120
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:6052
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1552
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:5852
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1776
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:872
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:5416
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3416
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4296
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1588
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1932
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3960
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3156
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:5336
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4872
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3868
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3772
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:5876
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1248
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:5344
    - - C:\Windows\svchost\svchost.exe
        
        "C:\Windows\svchost\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4436 -ip 4436
1⤵
PID:4680

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
4352311120647f5d9ba4625cc5302165

SHA1
2139b93dad8570f12e2a69af76087bb8223f6644

SHA256
b56c883805aef04748dc439efbf9292ce616b70b49884da474acd5579b2904aa

SHA512
be3c257a576db01fdeb87befcf5f1f9349127a90380f39885b454a75f5930b67a1c82ac56779b8c70d5d09ed1bf95adcd2ff5c46f9b7dc5cd94fe0d5af05893b

Download Submit
C:\Windows\svchost\svchost.exe

Filesize
45KB

MD5
b7c999040d80e5bf87886d70d992c51e

SHA1
a8ed9a51cc14ccf99b670e60ebbc110756504929

SHA256
5c3257b277f160109071e7e716040e67657341d8c42aa68d9afafe1630fcc53e

SHA512
71ba2fbd705e51b488afe3bb33a67212cf297e97e8b1b20ada33e16956f7ec8f89a79e04a4b256fd61a442fada690aff0c807c2bdcc9165a9c7be3de725de309

Download Submit
memory/368-0-0x0000000075492000-0x0000000075493000-memory.dmp

Filesize
4KB

Download
memory/368-1-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/368-2-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/368-90-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/368-7-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/368-8-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/536-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/536-13-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/536-21-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/536-87-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/536-6-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/536-9-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/536-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2276-86-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/2276-92-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/4436-18-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/4436-17-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download