General

  • Target

    034f6afa20baf7d6ad95723309f34575_JaffaCakes118

  • Size

    372KB

  • Sample

    240622-wqm2zaxgmd

  • MD5

    034f6afa20baf7d6ad95723309f34575

  • SHA1

    38c7a2dd72917d5e5131d731ddbfe83bea37e28a

  • SHA256

    776ed4c439ab9c08f0cd28618a7d538ed7aa3c27a68d3d1d093c4f63cffa1593

  • SHA512

    46b799c060c1895787ddb470df1cd8a296592cf60d2531d585022c87e74b9a063ab83425a4608dc879f6f6affe8575ef6a6eaacfef799af617f0f71ee529ed4f

  • SSDEEP

    6144:JgjmGOWDK6sktlbgalW8ajj0YT/nh1xYRRnLeYKrxfa6umT3w:q5iqlbg78ajfTh1xanLrKFC6Pzw

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

mrrochdi.no-ip.info:82

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • Target

      034f6afa20baf7d6ad95723309f34575_JaffaCakes118

    • Size

      372KB

    • MD5

      034f6afa20baf7d6ad95723309f34575

    • SHA1

      38c7a2dd72917d5e5131d731ddbfe83bea37e28a

    • SHA256

      776ed4c439ab9c08f0cd28618a7d538ed7aa3c27a68d3d1d093c4f63cffa1593

    • SHA512

      46b799c060c1895787ddb470df1cd8a296592cf60d2531d585022c87e74b9a063ab83425a4608dc879f6f6affe8575ef6a6eaacfef799af617f0f71ee529ed4f

    • SSDEEP

      6144:JgjmGOWDK6sktlbgalW8ajj0YT/nh1xYRRnLeYKrxfa6umT3w:q5iqlbg78ajfTh1xanLrKFC6Pzw

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Defense Evasion

Modify Registry

2
T1112

Tasks