Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-03-2024 19:59

General

  • Target

    ceefcf02c92ab1bb3042b882e9a6637e.exe

  • Size

    1.6MB

  • MD5

    ceefcf02c92ab1bb3042b882e9a6637e

  • SHA1

    ac138746d5c3b5ca777cb4e7a057c6b84aaac76b

  • SHA256

    08bbf2e4657271c35a06e2288aa82fdfa663e06b98f3f5189d8749f03e3d9ba4

  • SHA512

    fcf0fd0099bec688db085d528de1c8a13a6cd13f023bf833260125d222482c7dbc84f24cd0db4a4a01149f67ecba5896e44df8ac7fcfd6f275759c3fc87ae316

  • SSDEEP

    49152:sMsxm4qZKuScUmS7tehSJhSHjLh9ENTalbZR:sQU7uyhSvENmtf

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

$TESTE$

C2

ocaradepauhackert.no-ip.biz:2000

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    regditclean.ocx não registrada

  • message_box_title

    error

  • password

    abcd1234

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe
    "C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe
      C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:2556
        • C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe
          "C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"
          3⤵
            PID:3096
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 76
              4⤵
              • Program crash
              PID:4868
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3096 -ip 3096
        1⤵
          PID:4984

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1736-0-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1736-5-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/2272-3-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

  • memory/2272-4-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

  • memory/2272-6-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

  • memory/2272-7-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

  • memory/2272-11-0x0000000010410000-0x000000001046C000-memory.dmp

    Filesize

    368KB

  • memory/2272-22-0x0000000010470000-0x00000000104CC000-memory.dmp

    Filesize

    368KB

  • memory/2272-28-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

  • memory/3096-18-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

  • memory/3096-19-0x0000000000580000-0x0000000000581000-memory.dmp

    Filesize

    4KB