General

  • Target

    025241c703c5ef6c5dd9e6d1da233983_JaffaCakes118

  • Size

    697KB

  • Sample

    240622-qhwq9atdmp

  • MD5

    025241c703c5ef6c5dd9e6d1da233983

  • SHA1

    24c25edf562dbe394ae26e662b24e2ac2249a3ae

  • SHA256

    38105f91d9926e8c952072a61fa73295f28642a595e462ddae1dbf0faba96c4a

  • SHA512

    e06ee5a245a082d619ad2609f51787b7c9ad952b3a16f39597e77357af9b0ab86254da2fc93ac96b6442df4a2ee0598da632fbd63fd57174e67dece67a215f0a

  • SSDEEP

    12288:1OHOEiOF4UMi2ETjLqOR+j03lSB58EY82qew4DDuMAabkklxzLuHv31B:1MF3Mi2/OR+j03lSB58pwE/AAkkTuP3v

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

mas

C2

w7cod-update.serveftp.com:2300

Mutex

tjk4uym67uk

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft

  • install_file

    System.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    intruder1705

  • regkey_hkcu

    System

  • regkey_hklm

    System.exe

Targets

    • Target

      025241c703c5ef6c5dd9e6d1da233983_JaffaCakes118

    • Size

      697KB

    • MD5

      025241c703c5ef6c5dd9e6d1da233983

    • SHA1

      24c25edf562dbe394ae26e662b24e2ac2249a3ae

    • SHA256

      38105f91d9926e8c952072a61fa73295f28642a595e462ddae1dbf0faba96c4a

    • SHA512

      e06ee5a245a082d619ad2609f51787b7c9ad952b3a16f39597e77357af9b0ab86254da2fc93ac96b6442df4a2ee0598da632fbd63fd57174e67dece67a215f0a

    • SSDEEP

      12288:1OHOEiOF4UMi2ETjLqOR+j03lSB58EY82qew4DDuMAabkklxzLuHv31B:1MF3Mi2/OR+j03lSB58pwE/AAkkTuP3v

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Active Setup

1
T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Active Setup

1
T1547.014

Defense Evasion

Modify Registry

3
T1112

Virtualization/Sandbox Evasion

1
T1497

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Virtualization/Sandbox Evasion

1
T1497

Tasks