General

  • Target

    f5936824639405899d884a425b783ea4_JaffaCakes118

  • Size

    704KB

  • Sample

    240417-mnd7lsdg6s

  • MD5

    f5936824639405899d884a425b783ea4

  • SHA1

    2c7af206b623745a641e2b025e71cd236e5bd828

  • SHA256

    1474c5244a29dd1c0e6f3f34fa5533653300cbe8b479f57c517b2daa0fc99119

  • SHA512

    4576af1a83cd2908c4dbdacf020809396387f3cb054fbec3988236edeea57b4a578abcc18dfa7c24517c07042974060f280eaa60911283cce2b50c7c90a74add

  • SSDEEP

    12288:7+IspyV1t4TPGzp0Z61Ztpbivqg5XkWG/VBYpDBopdnCGgW9TmuReyYU:ZspeDQ40Z8Niv1XlaVB6iNJ3

Malware Config

Extracted

Family

cybergate

Version

v1.15.4

Botnet

April427

C2

microsoft11a.serveftp.com:20161

microsoft11a.dyndns.org:20161

Mutex

DAS5N81EPWJVID

Attributes

  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    matt422s

Targets

    • Target

      f5936824639405899d884a425b783ea4_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks