General

  • Target

    f3fdf474d4bf5fdb812ea340fe618834_JaffaCakes118

  • Size

    791KB

  • Sample

    240416-v9edhahh5w

  • MD5

    f3fdf474d4bf5fdb812ea340fe618834

  • SHA1

    1ca872eaf85d956f7aae4a500cbab38d013979b2

  • SHA256

    b1473a6a512a04d091be58d04c725b81f913b4ba4bb2f19a6b0cbd5d7c4f81d7

  • SHA512

    adfa63634dad7dc66abfbd1e3daa567517cba67d7383bdbd43c43def1059b4b629c057123d9b080c2eeb62901d2096a4bb2f83cbc9fdbdf68a2fe65c39b097a6

  • SSDEEP

    24576:bnmEdxIt3Du+TZCA8MYKlRPkCYu//Bx2wJHMPo:DkakTYc97/OFo

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    TESTER

  • C2

    127.0.0.1:81

    Note: the C2 is the loopback address, so this build cannot reach an external controller as configured. Together with the placeholder-looking botnet ID and mutex this reads as a test or default build, and 127.0.0.1:81 should not be shipped as a network IOC.

  • Mutex

    ***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false (so the ftp_directory and ftp_interval values above are inactive in this build)

  • message_box_caption

    texto da mensagem (Portuguese: "message text"; unused because enable_message_box is false)

  • message_box_title

    título da mensagem (Portuguese: "message title"; unused because enable_message_box is false)

  • password

    1111

Targets

    • Target

      f3fdf474d4bf5fdb812ea340fe618834_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate is a remote access trojan (RAT) sold as a "remote administration tool", with keylogging, file and process control and remote desktop features. Rebhip is the detection name many antivirus vendors use for the same family.

    • Checks BIOS information in registry

      BIOS strings under HKLM\HARDWARE\DESCRIPTION\System\BIOS (for example SystemBiosVersion and VideoBiosVersion) are read to detect virtual machines and sandboxes, whose values often name the hypervisor.

    • Executes dropped EXE

      Consistent with install_flag = true and install_file = svchost.exe in the extracted config: the sample writes a copy of itself and runs it.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer. Strings and the embedded config are only visible after unpacking, and a modified UPX header can make a plain `upx -d` fail.

    • Maps connected drives based on registry

      Disk device identifiers under HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum are read to detect sandboxing environments, since virtual disks are typically named after the hypervisor (for example "VBOX HARDDISK").

    • Drops file in System32 directory

      Matches the install_file value svchost.exe: a file named after the legitimate service host is written under System32 so it blends in with system binaries.

    • Suspicious use of SetThreadContext

      Setting the thread context of another process is the usual final step of process hollowing (create suspended, unmap, write payload, set context, resume). With injected_process = explorer.exe in the config, the RAT body most likely runs inside an injected or hollowed explorer.exe.

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • Query Registry (T1012): 3 matching signatures

  • System Information Discovery (T1082): 3 matching signatures

  • Peripheral Device Discovery (T1120): 1 matching signature
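The following is an added example written for this report, not code from the sandbox vendor or the CyberGate project. It takes the extracted config values shown above, plus a constructed list of behaviour events modelled on the listed signatures (the registry paths and file paths in EVENTS are hypothetical, not taken from the sandbox output), and produces two things a reviewer wants before turning a report like this into detections: caveats on the config-derived IOCs (loopback C2, svchost.exe masquerade, keylogger without FTP exfil) and a per-technique hit count in the style of the ATT&CK matrix. The mapping of SetThreadContext to T1055.012 (Process Hollowing) is this example's own addition; the report's matrix does not list it.

```python
"""Triage helpers for a CyberGate sandbox report (added example, not vendor code)."""
import ipaddress

# Extracted config values copied from the report above.
CONFIG = {
    "family": "cybergate",
    "version": "2.6",
    "botnet": "TESTER",
    "c2": "127.0.0.1:81",
    "mutex": "***MUTEX***",
    "injected_process": "explorer.exe",
    "install_dir": "install",
    "install_file": "svchost.exe",
    "install_flag": True,
    "enable_keylogger": True,
    "keylogger_enable_ftp": False,
    "password": "1111",
}

# Constructed behaviour events (hypothetical, not from the report's sandbox
# output), shaped to match the signatures the report lists.
EVENTS = [
    ("RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion"),
    ("RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\VideoBiosVersion"),
    ("RegQueryValue", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0"),
    ("FileWrite", r"C:\Windows\System32\install\svchost.exe"),
    ("CreateProcess", r"C:\Windows\System32\install\svchost.exe"),
    ("SetThreadContext", "explorer.exe"),
]

# Registry prefixes commonly read for VM/sandbox fingerprinting, keyed to the
# ATT&CK technique the report's matrix uses for them. Every registry read also
# counts as Query Registry (T1012).
REGISTRY_TECHNIQUES = {
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": "T1082",             # System Information Discovery
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum": "T1120",  # Peripheral Device Discovery
}


def c2_class(c2: str) -> str:
    """Classify a host:port C2 so loopback/private addresses are not shipped as network IOCs."""
    host = c2.rpartition(":")[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


def config_findings(cfg: dict) -> list:
    """Return reviewer caveats and host IOCs derived from the extracted config."""
    findings = []
    cls = c2_class(cfg["c2"])
    if cls != "public":
        findings.append(f"c2 {cfg['c2']} is {cls}: not a usable network IOC")
    if cfg["install_flag"] and cfg["install_file"].lower() == "svchost.exe":
        findings.append(
            f"persists as {cfg['install_dir']}\\{cfg['install_file']} (masquerades as svchost)")
    if cfg["enable_keylogger"] and not cfg["keylogger_enable_ftp"]:
        findings.append("keylogger on, FTP exfil off: keystroke logs stay on the host")
    if cfg["mutex"]:
        findings.append(f"host IOC: mutex {cfg['mutex']}")
    return findings


def attack_mapping(events: list) -> dict:
    """Map behaviour events to ATT&CK technique IDs with hit counts, as the matrix does."""
    counts = {}
    for op, target in events:
        techniques = []
        if op == "RegQueryValue":
            techniques.append("T1012")
            for prefix, tid in REGISTRY_TECHNIQUES.items():
                if target.upper().startswith(prefix.upper()):
                    techniques.append(tid)
        elif op == "SetThreadContext":
            techniques.append("T1055.012")  # Process Hollowing (mapping added here)
        for tid in techniques:
            counts[tid] = counts.get(tid, 0) + 1
    return counts


if __name__ == "__main__":
    for line in config_findings(CONFIG):
        print("-", line)
    print(attack_mapping(EVENTS))
```

Run it as-is to see the four config findings and the technique counts for the constructed events; swap EVENTS for parsed lines from a real sandbox export to reproduce the matrix for another sample.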

Tasks