General

  • Target

    086ab5bce3a7e528c3eaa9a0e3cada29_JaffaCakes118

  • Size

    272KB

  • Sample

    240620-wh3sfsvajj

  • MD5

    086ab5bce3a7e528c3eaa9a0e3cada29

  • SHA1

    20eeaf0567e25d1b9d9e1418e88be079905a9fa2

  • SHA256

    c74595dd2d49f104e79ae9b9be61457e645b41bb85e145bfe110637979da0c93

  • SHA512

    7cbc000e1c719652dac2b9d916269ae80e6e40230a6be9312aa54570865330925a143b5352930ad1845742df406abe798e60efff387e9641412ecd9aeca3d49c

  • SSDEEP

    6144:Tk4qm10ny1HintLQsgsoSA+/AWNtqCyyu4EqJXv/Kp:o9ZgatLFV/AWruLqRv/

Malware Config

Extracted

Family

cybergate

Botnet

TRUE

C2

ÝØðÕÞÎÝÎÅý¼¼ûÙÈìÎÓßýØØÎÙÏϼ¼êÕÎÈÉÝÐìÎÓÈÙßȼ¼êÕÎÈÉÝÐýÐÐÓß¼¼êÕÎÈÉÝÐúÎÙÙ¼¼¼ùÄÕÈìÎÓßÙÏϼ¼¼ðÏÝÿÐÓÏÙ¼¼ÿÎÅÌÈéÒÌÎÓÈÙßÈøÝÈݼ¼ÿÓèÝÏ×ñÙÑúÎÙÙ¼¼¼ïÅÏúÎÙÙïÈÎÕÒÛ¼¼¼ìïÈÓÎÙÿÎÙÝÈÙõÒÏÈÝÒßÙ¼¼îÝÏùÒÉÑùÒÈÎÕÙÏý¼¼¼ïôûÙÈïÌÙßÕÝÐúÓÐØÙÎìÝÈÔý¼¼¼èÓýÏßÕÕ¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼-W7A330P7C5RL}

HKLM

HKCU

FALSE

16

0

título da mensagem

texto da mensagem

TRUE

ftp.server.com

./logs/

ftp_user

ªš÷Öº+Þ

21

30

Mutex

Attributes
  • enable_keylogger

    false

  • enable_message_box

    true

  • install_dir

    TRUE

  • install_file

    TRUE

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    FALSE

  • message_box_title

    FALSE

  • password

    TRUE

  • regkey_hkcu

    TRUE

  • regkey_hklm

    TRUE

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

trankonyak.no-ip.biz:4444

Mutex

x423ASD13dsasdffs23R

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Windows Live Messenger

  • install_file

    msnmgr.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    123

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      086ab5bce3a7e528c3eaa9a0e3cada29_JaffaCakes118

    • Size

      272KB

    • MD5

      086ab5bce3a7e528c3eaa9a0e3cada29

    • SHA1

      20eeaf0567e25d1b9d9e1418e88be079905a9fa2

    • SHA256

      c74595dd2d49f104e79ae9b9be61457e645b41bb85e145bfe110637979da0c93

    • SHA512

      7cbc000e1c719652dac2b9d916269ae80e6e40230a6be9312aa54570865330925a143b5352930ad1845742df406abe798e60efff387e9641412ecd9aeca3d49c

    • SSDEEP

      6144:Tk4qm10ny1HintLQsgsoSA+/AWNtqCyyu4EqJXv/Kp:o9ZgatLFV/AWruLqRv/

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Active Setup

1
T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Active Setup

1
T1547.014

Defense Evasion

Modify Registry

3
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks