General

  • Target

    0ea5a2f905a8d3e22af189b59cf40de3_JaffaCakes118

  • Size

    1.3MB

  • Sample

    240625-tave1asamm

  • MD5

    0ea5a2f905a8d3e22af189b59cf40de3

  • SHA1

    b551ea6d4ec0530e562772fd65b5ee890c003eac

  • SHA256

    c4d811abc868e60604a7c76fee0798751227f530c6f2ae5b12f3be1ab8ab843f

  • SHA512

    d716ff17f221456d8188a6acf5973ff1fd049102f1e10c99ddcbb6e8d622f2b3ac11fd460225fa56040b9247bb0ef11a66f1e57d20a5737c603ad4e323758753

  • SSDEEP

    24576:ENs+SU++GSVu4UaGWQJlmPoqlMOLTho+cC:ENsvTsVu4U6QJ4tyOLT2+1

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    remote

  • C2

    twichz.no-ip.biz:82

  • Mutex

    51RT1SK021WEI8

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cool

Targets

    • Target

      0ea5a2f905a8d3e22af189b59cf40de3_JaffaCakes118

    • Size

      1.3MB

    • MD5

      0ea5a2f905a8d3e22af189b59cf40de3

    • SHA1

      b551ea6d4ec0530e562772fd65b5ee890c003eac

    • SHA256

      c4d811abc868e60604a7c76fee0798751227f530c6f2ae5b12f3be1ab8ab843f

    • SHA512

      d716ff17f221456d8188a6acf5973ff1fd049102f1e10c99ddcbb6e8d622f2b3ac11fd460225fa56040b9247bb0ef11a66f1e57d20a5737c603ad4e323758753

    • SSDEEP

      24576:ENs+SU++GSVu4UaGWQJlmPoqlMOLTho+cC:ENsvTsVu4U6QJ4tyOLT2+1

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Tasks