Overview

overview

10

Static

static

3

097c3e7e49...18.exe

windows7-x64

10

097c3e7e49...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    097c3e7e498d50ddfe881bd930857ba4_JaffaCakes118

  • Size

    371KB

  • Sample

    240624-th9vnatgmr

  • MD5

    097c3e7e498d50ddfe881bd930857ba4

  • SHA1

    12539cf203ced8ee95e4dc80ef349c0ba253d5c4

  • SHA256

    be0989028d687c0423ab75913fbc68582d3f8ce191a0f3da0e9c7d3025a732c2

  • SHA512

    8aaf5d6ae53cbb883e486057ed5aedcfb5c871c51a01c13569a5c4d3ba2d28815c5e849db97a97be704fe5d9611e301b8b367c2d291ec843a205df0ca754660b

  • SSDEEP

    6144:qr8sXTkJPi5Q9Q5Toa3JwvLxxWHSGu4tv37/Omxj5LNk9z1ns8e+gzh9SIZYqWzE:BsXoKy9Q58J9xH4trOmxj5LNk9O39SqR

Score
10/10
cybergateserverpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

C2

127.0.0.1:82

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    spynet

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

Targets

    • Target

      097c3e7e498d50ddfe881bd930857ba4_JaffaCakes118

    • Size

      371KB

    • MD5

      097c3e7e498d50ddfe881bd930857ba4

    • SHA1

      12539cf203ced8ee95e4dc80ef349c0ba253d5c4

    • SHA256

      be0989028d687c0423ab75913fbc68582d3f8ce191a0f3da0e9c7d3025a732c2

    • SHA512

      8aaf5d6ae53cbb883e486057ed5aedcfb5c871c51a01c13569a5c4d3ba2d28815c5e849db97a97be704fe5d9611e301b8b367c2d291ec843a205df0ca754660b

    • SSDEEP

      6144:qr8sXTkJPi5Q9Q5Toa3JwvLxxWHSGu4tv37/Omxj5LNk9z1ns8e+gzh9SIZYqWzE:BsXoKy9Q58J9xH4trOmxj5LNk9O39SqR

    Score
    10/10
    cybergateserverpersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks