General

  • Target

    f4240f75144ddc097ee1b9f549e2727e_JaffaCakes118

  • Size

    450KB

  • Sample

    240416-xvfzwsbf61

  • MD5

    f4240f75144ddc097ee1b9f549e2727e

  • SHA1

    068bca2ec8aaf26e9420a169fbb445f00c9bae09

  • SHA256

    305357f5666733744973536696642240a08ba733aa5663bc34bf4d8c957c41ca

  • SHA512

    cdd1fbc60ba4793ad6c9b7878688f24edb03954ec602ce0a86ac346fcd5198ba5d3ff8ba2012eb3092d370c5a4150d865662af6390c18c04ec0f7996597edc6e

  • SSDEEP

    6144:4ASyUF+PRKE6hCsIqrKP5moSgq/oyEx/+M31IhOUkWfl3eCxFa4:4VxuR6hCsLrKh3jUdEx/+Q1Ujl3eb4

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

AndroMeda

C2

cocox.no-ip.biz:15967

Mutex

561XUOBN7E8N03

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    ati

  • install_file

    catalysts.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    ControL

  • regkey_hkcu

    catalyst

  • regkey_hklm

    catalyst

Targets

    • Target

      f4240f75144ddc097ee1b9f549e2727e_JaffaCakes118

    • Size

      450KB

    • MD5

      f4240f75144ddc097ee1b9f549e2727e

    • SHA1

      068bca2ec8aaf26e9420a169fbb445f00c9bae09

    • SHA256

      305357f5666733744973536696642240a08ba733aa5663bc34bf4d8c957c41ca

    • SHA512

      cdd1fbc60ba4793ad6c9b7878688f24edb03954ec602ce0a86ac346fcd5198ba5d3ff8ba2012eb3092d370c5a4150d865662af6390c18c04ec0f7996597edc6e

    • SSDEEP

      6144:4ASyUF+PRKE6hCsIqrKP5moSgq/oyEx/+M31IhOUkWfl3eCxFa4:4VxuR6hCsLrKh3jUdEx/+Q1Ujl3eb4

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Defense Evasion

Modify Registry

3
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks