General
-
Target
fed62f18b8f0aca58596014b4faf3270_JaffaCakes118
-
Size
820KB
-
Sample
240421-j283csfb5y
-
MD5
fed62f18b8f0aca58596014b4faf3270
-
SHA1
551c89483f925ce2ca3020c9ac3a7d0f7d453ee1
-
SHA256
20604f1b548043558e282ea1b410e8ee4ef4e1d3de204d0c6854217e0122c79f
-
SHA512
614ada3b666b4fbd2088d17d3b84c87815bb59a581b1819bf0db8db61edf3661c28d7079f1ff16d6efab71802df2dafb70878e2ecb4ea6a1dbb57e87b9c35e8c
-
SSDEEP
12288:YC2HyyhNd3orG6tPXDR3i4C+DBmEXBPX9reTSV0RM0R4p:YTSMXYtPXDRy4zzgTY0RM0K
Malware Config
Extracted
cybergate
v1.07.5
Rat
ragebo.no-ip.biz:2341
2MVY7377748RYS
-
enable_keylogger
true
-
enable_message_box
true
-
ftp_directory
.//domains/sharebionotes.neru9.com/public_html/Log/
-
ftp_interval
30
-
ftp_password
12XcQi
-
ftp_port
21
-
ftp_server
box6.host1free.com
-
ftp_username
shareb3
-
injected_process
explorer.exe
-
install_dir
WinDir
-
install_file
Svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
true
-
message_box_caption
The application failed to initialize properly (0xc000007b). Click on OK to terminate the application.
-
message_box_title
Application Error
-
password
123456
Targets
-
-
Target
fed62f18b8f0aca58596014b4faf3270_JaffaCakes118
-
Size
820KB
-
MD5
fed62f18b8f0aca58596014b4faf3270
-
SHA1
551c89483f925ce2ca3020c9ac3a7d0f7d453ee1
-
SHA256
20604f1b548043558e282ea1b410e8ee4ef4e1d3de204d0c6854217e0122c79f
-
SHA512
614ada3b666b4fbd2088d17d3b84c87815bb59a581b1819bf0db8db61edf3661c28d7079f1ff16d6efab71802df2dafb70878e2ecb4ea6a1dbb57e87b9c35e8c
-
SSDEEP
12288:YC2HyyhNd3orG6tPXDR3i4C+DBmEXBPX9reTSV0RM0R4p:YTSMXYtPXDRy4zzgTY0RM0K
Score10/10-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Adds policy Run key to start application
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-