General

  • Target: 10b939bc9868674d4d252b017384fac3_JaffaCakes118
  • Size: 1.1MB
  • Sample: 240626-e4yl7aveqe
  • MD5: 10b939bc9868674d4d252b017384fac3
  • SHA1: f50a5a805e849dfd5b96de9bab905d6e4e4cc41b
  • SHA256: 54856b06a53ad6db7eee56e5dcf9d95c164fc00fccf85dcd6279b16d7a2015c3
  • SHA512: 27269a810a85cc38a23aca2a6c8dc7a4494ef136b24e56e481a5add204f513acd87f2053528fb0afa0af90e9e64de747b33840005056fe38500867b83c8c9306
  • SSDEEP: 12288:BJ0jeLHQsnMDbxAeFJJvfUQKP0om7T+zx8KmFfhEjxGKOelAsapM/L9z1V62R4pi:B6j2n86OZKsj2LMcu46q

Malware Config

Extracted

  • Family: cybergate
  • Version: v1.07.5
  • Botnet: remote
  • C2: cutescreen.no-ip.info:5120
  • Mutex: AP747BTU6W84N0

Attributes

  • enable_keylogger: false
  • enable_message_box: false
  • ftp_directory: ./logs/
  • ftp_interval: 30
  • injected_process: explorer.exe
  • install_dir: install
  • install_file: msgprs.exe
  • install_flag: true
  • keylogger_enable_ftp: false
  • message_box_caption: Remote Administration anywhere in the world.
  • message_box_title: CyberGate
  • password: eggbert

Targets

    • Target: 10b939bc9868674d4d252b017384fac3_JaffaCakes118

    • CyberGate, Rebhip
      CyberGate is a lightweight remote administration tool with a wide array of functionalities.
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • UPX packed file
      Detects executables packed with UPX/modified UPX open source packer.
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
      Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
      Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
      Modify Registry (T1112): 1
  • Discovery
      Query Registry (T1012): 1
      System Information Discovery (T1082): 2