General

  • Target

    cb909936c14c5e3f8f863550b24f9653

  • Size

    635KB

  • Sample

    240315-q3yrcahh5x

  • MD5

    cb909936c14c5e3f8f863550b24f9653

  • SHA1

    1669b7ecdc4fce01a48ee589dcd5df1b020f7003

  • SHA256

    c3d68bdf43e23290f1e766b774bc409cdedecc80f6d4eedd6f0d471140356948

  • SHA512

    18d91e096566fc476965ba9a5831f4dcdebb2f605f55d7c058eec3e223bb9d6094882c50f0f90c7895e6c841b0bd686ceedea297b312a38a206341de6ff13eb8

  • SSDEEP

    12288:1U2Yd+xaO5wKHsu7fY/aE6ZHDJsVLggrWhxNcNg7oUT0Iw5pM:1U2W+tEszZHDJsGgiNA6oFl

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Dofux

C2

127.0.0.1:85

admin10.no-ip.biz:85

Mutex

66606J1MF21IT0

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Drivers

  • install_file

    Winrar.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    1236

  • regkey_hkcu

    HKCR

  • regkey_hklm

    HKLD

Targets

    • Target

      cb909936c14c5e3f8f863550b24f9653

    • Size

      635KB

    • MD5

      cb909936c14c5e3f8f863550b24f9653

    • SHA1

      1669b7ecdc4fce01a48ee589dcd5df1b020f7003

    • SHA256

      c3d68bdf43e23290f1e766b774bc409cdedecc80f6d4eedd6f0d471140356948

    • SHA512

      18d91e096566fc476965ba9a5831f4dcdebb2f605f55d7c058eec3e223bb9d6094882c50f0f90c7895e6c841b0bd686ceedea297b312a38a206341de6ff13eb8

    • SSDEEP

      12288:1U2Yd+xaO5wKHsu7fY/aE6ZHDJsVLggrWhxNcNg7oUT0Iw5pM:1U2W+tEszZHDJsGgiNA6oFl

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks