cybergate | 7012780fca5bf288f0e6379d207e28cee4b7bb50b3edd105cce197568c959533 | Triage

Submit
Reports

Overview

overview

Static

static

JaffaCakes...d3.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_b91476760806e680785528dda23263d3
Size

281KB
Sample

250414-3qvkdatpt2
MD5

b91476760806e680785528dda23263d3
SHA1

413b33012d985fece77460e6754ed5370d5b7cf4
SHA256

7012780fca5bf288f0e6379d207e28cee4b7bb50b3edd105cce197568c959533
SHA512

11ea8ae1f5b31dd969d070d2635afbfb5e97e4c3ccb7db5187411c8a6bba12249e8b6b414ed08adb755c0edeeeacd352d6d8dc08cb4194c934d70035c3552c44
SSDEEP

6144:gScrLe4mp8D6WGc/YSlIipBReubLzeh7Yy0DMIdeXij6:xcxy78QSVnNyhsFMCeSj6

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Static task

static1

remote cybergate

2 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_b91476760806e680785528dda23263d3.exe

Resource

win10v2004-20250410-en

cybergate remote discovery persistence stealer trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

remote

C2

doctorproz.no-ip.biz:85

Mutex

44L08QS24SF2SN

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
calc.exe
install_dir
install
install_file
calcler.exe
install_flag
true
keylogger_enable_ftp
false
password
123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_b91476760806e680785528dda23263d3
- Size
  
  281KB
- MD5
  
  b91476760806e680785528dda23263d3
- SHA1
  
  413b33012d985fece77460e6754ed5370d5b7cf4
- SHA256
  
  7012780fca5bf288f0e6379d207e28cee4b7bb50b3edd105cce197568c959533
- SHA512
  
  11ea8ae1f5b31dd969d070d2635afbfb5e97e4c3ccb7db5187411c8a6bba12249e8b6b414ed08adb755c0edeeeacd352d6d8dc08cb4194c934d70035c3552c44
- SSDEEP
  
  6144:gScrLe4mp8D6WGc/YSlIipBReubLzeh7Yy0DMIdeXij6:xcxy78QSVnNyhsFMCeSj6
Score

10^/10

cybergate remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

remotecybergate

behavioral1

cybergateremotediscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy