General

  • Target

    076d2b995e80da2d2c2a6cb5392b6477_JaffaCakes118

  • Size

    440KB

  • Sample

    240620-s72d5szbmm

  • MD5

    076d2b995e80da2d2c2a6cb5392b6477

  • SHA1

    8846b8ab7779ea0ddbbe60b024d5ce1c0dcb4a95

  • SHA256

    42ad47cab85e3c88f9864cd1d696785e3be52f112da2d171569c8b85b4ed9d11

  • SHA512

    fcdcb408a798d74d8af748153b408da8c2f53ee28b7d559344b1658a0b5ccbd0a689d49694e4f0e67e43845d362e95ab622451ab7bf86c3f961c5aa294e0efb9

  • SSDEEP

    12288:yzsjaeayUc+N0LStP4VmspYyiykBo14Sg:ygrD+NLP4VmIYyhkBo14t

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

lover810.zapto.org:288

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    windows.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • Target

      076d2b995e80da2d2c2a6cb5392b6477_JaffaCakes118

    • Size

      440KB

    • MD5

      076d2b995e80da2d2c2a6cb5392b6477

    • SHA1

      8846b8ab7779ea0ddbbe60b024d5ce1c0dcb4a95

    • SHA256

      42ad47cab85e3c88f9864cd1d696785e3be52f112da2d171569c8b85b4ed9d11

    • SHA512

      fcdcb408a798d74d8af748153b408da8c2f53ee28b7d559344b1658a0b5ccbd0a689d49694e4f0e67e43845d362e95ab622451ab7bf86c3f961c5aa294e0efb9

    • SSDEEP

      12288:yzsjaeayUc+N0LStP4VmspYyiykBo14Sg:ygrD+NLP4VmIYyhkBo14t

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution

    T1547 (2)

  • Registry Run Keys / Startup Folder

    T1547.001 (1)

  • Active Setup

    T1547.014 (1)

Privilege Escalation

  • Boot or Logon Autostart Execution

    T1547 (2)

  • Registry Run Keys / Startup Folder

    T1547.001 (1)

  • Active Setup

    T1547.014 (1)

Defense Evasion

  • Modify Registry

    T1112 (2)

Discovery

  • Query Registry

    T1012 (1)

  • System Information Discovery

    T1082 (2)