cybergate | 81619ae3dfcd9e529d0d747ba80b336e41ee2f0a9c4bda2fc63cd4e762066a41

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
Size

281KB
MD5

0d6019360e32fd94574cbdfd26399ee6
SHA1

6b946a4efce59f94dc2595ac977641522086151f
SHA256

81619ae3dfcd9e529d0d747ba80b336e41ee2f0a9c4bda2fc63cd4e762066a41
SHA512

b093346683570ea52fb53c77cc3651fec72964543de84d783765848fbddfd91b05f6f6033f7341a2423b1e1d063502c2903e6b08ba901710b03b026df5e770c3
SSDEEP

6144:oY6IauNefYvjpuBBH1IZbWGw6N1SrMxriKiXrDEK:ovfjfYrkbLGw6MxcK

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

vítima

127.0.0.1:81

cstrikemexico.servegame.com:81

Mutex

SoundBlaster

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
win32
install_file
msnmgrs.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
SoundBlaster
regkey_hklm
SoundBlaster

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\win32\\msnmgrs.exe"	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\win32\\msnmgrs.exe"	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{81EYAX6L-6HM1-E4B7-456S-TKXBLSWWV05R}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81EYAX6L-6HM1-E4B7-456S-TKXBLSWWV05R}\StubPath = "C:\\win32\\msnmgrs.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{81EYAX6L-6HM1-E4B7-456S-TKXBLSWWV05R}	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81EYAX6L-6HM1-E4B7-456S-TKXBLSWWV05R}\StubPath = "C:\\win32\\msnmgrs.exe Restart"	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2616-10-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2616-6-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2616-4-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2616-12-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2616-13-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2616-14-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2616-15-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2616-16-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2844-449-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral1/memory/2616-726-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2844-760-0x0000000024060000-0x00000000240A2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundBlaster = "C:\\win32\\msnmgrs.exe"	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SoundBlaster = "C:\\win32\\msnmgrs.exe"	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

description pid process target process

PID 2664 set thread context of 2616 2664 0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe 0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

pid process

2616 0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2988 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 2988 explorer.exe
Token: SeDebugPrivilege 2988 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

pid process

2616 0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

pid process

2664 0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

description	pid	process	target process
PID 2664 set thread context of 2616	2664	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

pid	process
2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

pid	process
2988	explorer.exe

description	pid	process
Token: SeDebugPrivilege	2988	explorer.exe
Token: SeDebugPrivilege	2988	explorer.exe

pid	process
2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

pid	process
2664	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe

description	pid	process	target process
PID 2664 wrote to memory of 2616	2664	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
PID 2664 wrote to memory of 2616	2664	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
PID 2664 wrote to memory of 2616	2664	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
PID 2664 wrote to memory of 2616	2664	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
PID 2664 wrote to memory of 2616	2664	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
PID 2664 wrote to memory of 2616	2664	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
PID 2664 wrote to memory of 2616	2664	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
PID 2664 wrote to memory of 2616	2664	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE
PID 2616 wrote to memory of 1180	2616	0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d6019360e32fd94574cbdfd26399ee6_JaffaCakes118.exe"
3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
PID:2844

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2988

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
189KB

MD5
0bd49b49010b6303740bf717936fba15

SHA1
f52dd25c0b22c0e9cff87d56e08932b5b349c391

SHA256
c71770f16150cebc7619537937ae30ad34de72f6e39198b6c28093a811a6a8b6

SHA512
dee09d1a6b0a916951711ba7637aa475b72840f7301d4098aed607e9003786a0530124eaf459b3d434fdf1e97783dc53d8f6eefbff242bbcabb102e6bed059f6

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat
Filesize
15B

MD5
4362e21af8686f5ebba224768d292a5b

SHA1
504510a4d10e230dcd1605ab3342525b38a10933

SHA256
b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3

SHA512
f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850

Download Submit
C:\win32\msnmgrs.exe
Filesize
281KB

MD5
0d6019360e32fd94574cbdfd26399ee6

SHA1
6b946a4efce59f94dc2595ac977641522086151f

SHA256
81619ae3dfcd9e529d0d747ba80b336e41ee2f0a9c4bda2fc63cd4e762066a41

SHA512
b093346683570ea52fb53c77cc3651fec72964543de84d783765848fbddfd91b05f6f6033f7341a2423b1e1d063502c2903e6b08ba901710b03b026df5e770c3

Download Submit
memory/1180-20-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2616-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2616-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2616-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2616-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2616-16-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2616-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2616-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2616-10-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2616-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2616-726-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2844-223-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2844-449-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/2844-224-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/2844-760-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download