General

  • Target: 028e1ae680f08f9dcb668f8f3170c232_JaffaCakes118
  • Size: 780KB
  • Sample: 240622-rhwxpavgjp
  • MD5: 028e1ae680f08f9dcb668f8f3170c232
  • SHA1: 91969a1b38517afc8a892a459b394aabf46f4475
  • SHA256: 3e63424c1a99b5226eb245fa04dcd8952e73e28b7b0d401b1ccc0710df14c290
  • SHA512: c15ab214946903647ac6b98d27a93088a35f07adb7e72cb3582980a6e399e14a39bc715c80c084804d22d326ed5f2f0628820079bb282b0b20126cb3fc9827d0
  • SSDEEP: 12288:ewXZ6sAZLwGoLQQDRfqZ3avWT8v7g8n3I7pZKtz+r4UTZBfg0fGHq4Sav:T6sAZLw9vxE9T8vb+pX4aBo0Mv

Malware Config

Extracted

  • Family: cybergate
  • Version: v1.07.5
  • Botnet: FUD4LIFE
  • C2:
      spread22.dyndns.org:60123
      [email protected]:60123
  • Mutex: QI2854Q653B3T3

Attributes

  • enable_keylogger: true
  • enable_message_box: true
  • ftp_directory: ./logs/
  • ftp_interval: 30
  • injected_process: explorer.exe
  • install_dir: windows update
  • install_file: winupdate.exe
  • install_flag: true
  • keylogger_enable_ftp: false
  • message_box_caption: Activate now?
  • message_box_title: ....::::....::::....::::....::::....::::....::::....::::....::::....::::....::::....
  • password: lmaa
  • regkey_hkcu: Windows Update
  • regkey_hklm: Windows Update

Targets

    • Target: 028e1ae680f08f9dcb668f8f3170c232_JaffaCakes118
    • Size: 780KB
    • MD5: 028e1ae680f08f9dcb668f8f3170c232
    • SHA1: 91969a1b38517afc8a892a459b394aabf46f4475
    • SHA256: 3e63424c1a99b5226eb245fa04dcd8952e73e28b7b0d401b1ccc0710df14c290
    • SHA512: c15ab214946903647ac6b98d27a93088a35f07adb7e72cb3582980a6e399e14a39bc715c80c084804d22d326ed5f2f0628820079bb282b0b20126cb3fc9827d0
    • SSDEEP: 12288:ewXZ6sAZLwGoLQQDRfqZ3avWT8v7g8n3I7pZKtz+r4UTZBfg0fGHq4Sav:T6sAZLw9vxE9T8vb+pX4aBo0Mv

    Signatures

    • CyberGate, Rebhip
      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup
      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file
      Detects executables packed with the UPX (or a modified UPX) open-source packer.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)
      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Boot or Logon Autostart Execution (T1547): 3
      • Registry Run Keys / Startup Folder (T1547.001): 2
      • Active Setup (T1547.014): 1
  • Pre-OS Boot (T1542): 1
      • Bootkit (T1542.003): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 3
      • Registry Run Keys / Startup Folder (T1547.001): 2
      • Active Setup (T1547.014): 1

Defense Evasion
  • Modify Registry (T1112): 3
  • Pre-OS Boot (T1542): 1
      • Bootkit (T1542.003): 1

Discovery
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2
