General

  • Target

    f55d8c5940a6b2b3c3db64fbd1fb01cd_JaffaCakes118

  • Size

    392KB

  • Sample

    240417-kajh3ahg48

  • MD5

    f55d8c5940a6b2b3c3db64fbd1fb01cd

  • SHA1

    88f4ae460a57854437317acc7affb23438af64fa

  • SHA256

    9c7e90c4dbe407deed1c49e834a8c4e2c956ff54a05487619145d3d99d88e1c5

  • SHA512

    3df78f29fc85d968d8e4c44cf50f73aef773638b042eff80901d895cafc3432638ea44acee1cca476e80feb0cba39f4607a3cd6726c0e859f61086debb94e0cf

  • SSDEEP

    6144:r4JTsV2VtYcSmCl6KeBvBQNsKIBMkiKF460PYu4UsTRGDmE01U3Y3HA1Hdgw:MJsVsuaK4vBQvIBMnKF4Bw3RGtLT

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

ÖÍíå (shown as extracted; four high bytes decoded as Latin-1, most likely a campaign name in a multibyte code page)

C2

kyfen.no-ip.biz:288

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    Messenger.exe

  • install_dir

    install

  • install_file

    java.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem (Portuguese: "message text")

  • message_box_title

    título da mensagem (Portuguese: "message title")

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      f55d8c5940a6b2b3c3db64fbd1fb01cd_JaffaCakes118


    • CyberGate, Rebhip

      CyberGate (also detected under the name Rebhip) is a remote access trojan with a wide array of capabilities; this build has the keylogger enabled (see Attributes above).

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Adds Run key to start application
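The C2, mutex and install settings in the extracted config are directly usable as hunting indicators, and the persistence signatures above (plain Run key, Policies\Explorer Run key, Active Setup Installed Components) say where to look for them. The script below is an added example, not code from the sandbox or from CyberGate: it builds indicators from the config values on this page and runs them over a handful of constructed Sysmon-style events. The registry locations in REGISTRY_AUTOSTART, the event layout, and the parent directory used in the sample install path are assumptions made here for illustration; the report only states install_dir "install" and install_file "java.exe".

```python
"""Turn the extracted CyberGate config into indicators and scan constructed events.

Added example (not part of the sandbox report or of CyberGate). CONFIG values are
copied from the report; REGISTRY_AUTOSTART, the event format and SAMPLE_EVENTS
are assumptions/constructed data for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Copied from the "Malware Config" section of the report.
CONFIG = {
    "c2": "kyfen.no-ip.biz:288",
    "mutex": "***MUTEX***",
    "install_dir": "install",
    "install_file": "java.exe",
    "injected_process": "Messenger.exe",
}

# Assumed: autostart locations matching the report's three persistence signatures.
REGISTRY_AUTOSTART = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"\Software\Microsoft\Active Setup\Installed Components",
)


@dataclass(frozen=True)
class Indicators:
    c2_host: str
    c2_port: int
    install_suffix: str  # "\install\java.exe"; the parent directory is not in the report
    mutex: str


def build_indicators(cfg: dict) -> Indicators:
    host, _, port = cfg["c2"].rpartition(":")
    return Indicators(
        c2_host=host.lower(),
        c2_port=int(port),
        install_suffix="\\" + cfg["install_dir"] + "\\" + cfg["install_file"],
        mutex=cfg["mutex"],
    )


def match_event(ev: dict, ioc: Indicators) -> list[str]:
    """Return the reasons an event matches the indicators; [] means no hit."""
    hits: list[str] = []
    kind = ev.get("type")
    if kind == "dns":
        # no-ip.biz is dynamic DNS: hunt on the name, not on any resolved IP.
        if ev["query"].lower().rstrip(".") == ioc.c2_host:
            hits.append(f"DNS query for C2 host {ioc.c2_host}")
    elif kind == "network":
        if ev["dst_port"] == ioc.c2_port and ev.get("dst_host", "").lower() == ioc.c2_host:
            hits.append(f"connection to C2 {ioc.c2_host}:{ioc.c2_port}")
    elif kind == "registry":
        in_autostart = any(loc.lower() in ev["key"].lower() for loc in REGISTRY_AUTOSTART)
        # Require the "\install\java.exe" suffix: a bare "java.exe" would also hit a
        # legitimate JRE, which lives under "...\bin\java.exe".
        if in_autostart and ioc.install_suffix.lower() in ev.get("data", "").lower():
            hits.append(f"autostart value pointing at ...{ioc.install_suffix}")
    elif kind == "process":
        if ev["image"].lower().endswith(ioc.install_suffix.lower()):
            hits.append(f"process launched from ...{ioc.install_suffix}")
    return hits


def scan(events: list[dict], ioc: Indicators) -> list[tuple[int, str]]:
    """Scan a list of events; return (event index, reason) pairs for every hit."""
    return [(i, reason) for i, ev in enumerate(events) for reason in match_event(ev, ioc)]


# Constructed sample events (not from the report); the "C:\Windows\install" parent
# directory is an assumption, since the report gives only the directory name.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "kyfen.no-ip.biz"},
    {"type": "dns", "query": "update.microsoft.com"},
    {"type": "network", "dst_host": "kyfen.no-ip.biz", "dst_port": 288},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "value": "Policies", "data": r"C:\Windows\install\java.exe"},
    {"type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Java Update", "data": r"C:\Program Files\Java\jre8\bin\java.exe"},
    {"type": "process", "image": r"C:\Windows\install\java.exe"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS, build_indicators(CONFIG)):
        print(f"event {idx}: {why}")
```

The second registry event is deliberately a benign JRE autostart: it shares the file name java.exe with the implant but not the "\install\" directory, so it does not match. The mutex is kept in the indicator set for host-based checks, but note that "***MUTEX***" is a builder default rather than something unique to this sample.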

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                             ID          Signatures
  Persistence           Boot or Logon Autostart Execution     T1547       3
                        Registry Run Keys / Startup Folder    T1547.001   3
  Privilege Escalation  Boot or Logon Autostart Execution     T1547       3
                        Registry Run Keys / Startup Folder    T1547.001   3
  Defense Evasion       Modify Registry                       T1112       3
  Discovery             Query Registry                        T1012       1
                        System Information Discovery          T1082       2
