General

  • Target

    f4ce755adbf16a96fb3ba7bab9991866_JaffaCakes118

  • Size

    351KB

  • Sample

    240417-cj2f8sah46

  • MD5

    f4ce755adbf16a96fb3ba7bab9991866

  • SHA1

    5e33c6fc7d758b280b1eb74bdfc279792191cd1c

  • SHA256

    33b2de00d2e380b6e7936aa7d4e3e2af5cfdda94a52b7c1a554ade0ee7939bb4

  • SHA512

    d9a4fd4eb2a7daebf2b73efc41030b3612ea0f51d85277a70de28aa28fae88678353ce0288a9ce013122f8ee7c9c1a9b4fab298923d5957507ea00b1ebc34d46

  • SSDEEP

    6144:c/RzW2+1yO6Wt8LFdzc22Z9wA8qfQghYAho6nQb2xaUq2rdh+LrC1M:sJT6+PA22Z182hYso6QCxaULj+LrqM

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

127.0.0.1:288

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    windows.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    t?tulo da mensagem

  • password

    abcd1234

Targets

    • Target

      f4ce755adbf16a96fb3ba7bab9991866_JaffaCakes118

    • Size

      351KB

    • MD5

      f4ce755adbf16a96fb3ba7bab9991866

    • SHA1

      5e33c6fc7d758b280b1eb74bdfc279792191cd1c

    • SHA256

      33b2de00d2e380b6e7936aa7d4e3e2af5cfdda94a52b7c1a554ade0ee7939bb4

    • SHA512

      d9a4fd4eb2a7daebf2b73efc41030b3612ea0f51d85277a70de28aa28fae88678353ce0288a9ce013122f8ee7c9c1a9b4fab298923d5957507ea00b1ebc34d46

    • SSDEEP

      6144:c/RzW2+1yO6Wt8LFdzc22Z9wA8qfQghYAho6nQb2xaUq2rdh+LrC1M:sJT6+PA22Z182hYso6QCxaULj+LrqM

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks