cybergate | 978120e164b27555838cc38b3ea91aa0c286cb61228b5c0f0dba30ac1c807e8e

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
Size

1.4MB
MD5

0806b29c44e2328b884d8f3d1733ab98
SHA1

3720afe7fcddb259001fc0546f0a51b31c888e34
SHA256

978120e164b27555838cc38b3ea91aa0c286cb61228b5c0f0dba30ac1c807e8e
SHA512

37e3497336a303bc0fbd31162696b86cfe8fe11fc187edcc1e3095a181bc0e59468293e151c031ae4885f48fd138f37489af78da927b9afea9e295a7c2a7bfe7
SSDEEP

24576:/l3puR/jIzc/y6dW2fVH+/FI2c65wgPlEo/CAv4kswYdbCx2j86DPOd:/38/jIqJfA/Fk6p9EuCAvmdG27Od

Score

10^/10

cybergate cyber stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

ownedagain.no-ip.biz:2333

127.0.0.1:2333

Mutex

D512UPORS20W4Y

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
Svchost.exe
install_dir
Svchosts
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Suspicious use of SetThreadContext 1 IoCs

Processes:

0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe

description pid process target process

PID 4416 set thread context of 444 4416 0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe 0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2172 444 WerFault.exe 0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 4416 0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe

description	pid	process	target process
PID 4416 set thread context of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe

pid	pid_target	process	target process
2172	444	WerFault.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe

description	pid	process	target process
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
PID 4416 wrote to memory of 444	4416	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe	0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\0806b29c44e2328b884d8f3d1733ab98_JaffaCakes118.exe
2⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 12
3⤵
- Program crash
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 444 -ip 444
1⤵
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4380,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3644 /prefetch:8
1⤵
PID:3836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/444-3-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4416-0-0x0000000075362000-0x0000000075363000-memory.dmp

Filesize
4KB

Download
memory/4416-1-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4416-2-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4416-5-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download