General

  • Target

    f3d3d200b79045b4eee73a11dcd8e127_JaffaCakes118

  • Size

    635KB

  • Sample

    240416-the1aafh41

  • MD5

    f3d3d200b79045b4eee73a11dcd8e127

  • SHA1

    d86951bbc64a771fb0a3cb8cb9fd08b90da690e9

  • SHA256

    6d24a7f52f9778880dce34bdc6f63d2934a793e483686994a0151d9eab3b58dd

  • SHA512

    e43666b54e6845d47e4a94b6608ebdb2bccf5791f46537cec7c1b51a9eff3da786136e2e36cc08c132fe435e93b362f0981ff8faabe45733a63c659a2560c882

  • SSDEEP

    12288:n8u0htAL6WMPqHtmjyFeym59HNAJtDG9XJwF6CQc8ZUc77+f4:9tMPqHtmj/159HNYtDcXaxQc82c77+f4

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

new6

C2

wsb52000.no-ip.biz:83

Mutex

T2TNC771014BX2

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    svchoster.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    83917400

Targets

    • Target

      f3d3d200b79045b4eee73a11dcd8e127_JaffaCakes118

    • Size

      635KB

    • MD5

      f3d3d200b79045b4eee73a11dcd8e127

    • SHA1

      d86951bbc64a771fb0a3cb8cb9fd08b90da690e9

    • SHA256

      6d24a7f52f9778880dce34bdc6f63d2934a793e483686994a0151d9eab3b58dd

    • SHA512

      e43666b54e6845d47e4a94b6608ebdb2bccf5791f46537cec7c1b51a9eff3da786136e2e36cc08c132fe435e93b362f0981ff8faabe45733a63c659a2560c882

    • SSDEEP

      12288:n8u0htAL6WMPqHtmjyFeym59HNAJtDG9XJwF6CQc8ZUc77+f4:9tMPqHtmj/159HNYtDcXaxQc82c77+f4

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Tasks