General

  • Target

    02151183b258a15a10f02ebf0244ced2_JaffaCakes118

  • Size

    650KB

  • Sample

    240622-pfwsssxfpb

  • MD5

    02151183b258a15a10f02ebf0244ced2

  • SHA1

    db3131004872c6c8c39545203c63e43cce24ebc9

  • SHA256

    ece4223a987de4cba5373f4629dfa0e60f173444902cea43fb148081062e8ca3

  • SHA512

    4dfd7fc22a527fb29035fbde490ce6ac1669de324e80f92471dbcb8158331b5886cea91d0b665ff429f8402a255391ea6a21236f857acb139be31b73180e73a2

  • SSDEEP

    12288:HhqorrUiwQxw1Dpr69sCqEB1vmQ12cX5P9eQxc3VfjCbmTkXjPZRqcWebp:HhqEYdprgqE8sleQy2bkqjZcFM

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    itzh4cked

  • C2

    itzh4cked.no-ip.biz:6661

  • Mutex

    CY4GD3PW1Q0B43

Attributes

  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    test this bitch.exe

  • install_dir

    Windows

  • install_file

    chrome.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    what459sit512

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scripting (1) T1064

  • Persistence

    Boot or Logon Autostart Execution (1) T1547

    Registry Run Keys / Startup Folder (1) T1547.001

  • Privilege Escalation

    Boot or Logon Autostart Execution (1) T1547

    Registry Run Keys / Startup Folder (1) T1547.001

  • Defense Evasion

    Scripting (1) T1064

    Modify Registry (1) T1112

Tasks