General

  • Target

    050b0046fc7c0f1e8655503e24d82dfc_JaffaCakes118

  • Size

    368KB

  • Sample

    240620-l7yjxswdlj

  • MD5

    050b0046fc7c0f1e8655503e24d82dfc

  • SHA1

    642eb2e9b764a5d9ada18657bed1a273b5219e2c

  • SHA256

    0b8098f301ea5086cea87a56c3ad8741589f63ca096236a7c81026b7f3ef6d02

  • SHA512

    a1e38bc193eb09c2a81093b866c65c40bf65c13f6d9f7ab27eafaa5bda602678d4d70d5d0c717fc68f2aec56b978f7cb3851f8ee4c9e14c10dea1943c6a830b6

  • SSDEEP

    6144:d4JBuEDkxMXUliAo9ZEHUNBPKu5GumZ1G6DqEHhkKwudoC6aoT:d4y/x7lzo2UN4u5/6jmHhudMT

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

vítima

C2

mrtrojanm.no-ip.org:288

mrtrojann.no-ip.biz:288

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • Target

      050b0046fc7c0f1e8655503e24d82dfc_JaffaCakes118

    • Size

      368KB

    • MD5

      050b0046fc7c0f1e8655503e24d82dfc

    • SHA1

      642eb2e9b764a5d9ada18657bed1a273b5219e2c

    • SHA256

      0b8098f301ea5086cea87a56c3ad8741589f63ca096236a7c81026b7f3ef6d02

    • SHA512

      a1e38bc193eb09c2a81093b866c65c40bf65c13f6d9f7ab27eafaa5bda602678d4d70d5d0c717fc68f2aec56b978f7cb3851f8ee4c9e14c10dea1943c6a830b6

    • SSDEEP

      6144:d4JBuEDkxMXUliAo9ZEHUNBPKu5GumZ1G6DqEHhkKwudoC6aoT:d4y/x7lzo2UN4u5/6jmHhudMT

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks