General

  • Target

    00206be750ed7fe90b89b7439fb88259_JaffaCakes118

  • Size

    433KB

  • Sample

    240425-1gx8ssfd38

  • MD5

    00206be750ed7fe90b89b7439fb88259

  • SHA1

    60f488b1cde6001212553681236f7c92ddbf3ebb

  • SHA256

    ac25a53da34a39eefcc480c10ef43b50337312c53fd90feecd2d5c59007b0f5a

  • SHA512

    7de2e2737b67c5d05785ff916767b4d21180afb2aa5f8e49c578f9d912764a1799dae657fc54f3252a30284b2f2774b9d5ced5be4336250a1bb4c568a1e1fb5d

  • SSDEEP

    6144:CWD40Vvp0WQCcOEYWMCOADxa1qloDQIs1b6MqBIKVSuvVfm/nYMpgj3cPi/bjr8d:0ovp0WcOuMCLaIoDQR6M8xf5M4qi/E

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    tkr

  • C2

    rjpc1.hopto.org:81

  • Mutex

    Y2A1F8FM7BS8O5

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    azerty123

Targets

    • Target

      00206be750ed7fe90b89b7439fb88259_JaffaCakes118 (hashes as listed under General above)

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 2

  • Registry Run Keys / Startup Folder (T1547.001): 2

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2

  • Registry Run Keys / Startup Folder (T1547.001): 2

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • System Information Discovery (T1082): 1