General

  • Target

    1c5bf532937789fb47ac1fe5bb4248ee_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240701-y3jw7axdlb

  • MD5

    1c5bf532937789fb47ac1fe5bb4248ee

  • SHA1

    c15e22036807d942934f2c48f6df385be2e89af8

  • SHA256

    ba03ab391ebacff7cd602a3f90d0b344b605a4c75d59679a616603ad58b97953

  • SHA512

    1531c726e714426d2fb8060902f9387f72b33fa9c3df1492153082a61d1a68f4ae14de8f9aff5b65ab9abbf4525b4f5e2705ef700545e13b925830f40e85358f

  • SSDEEP

    6144:UWHoMzl/CwTJ3rYBfkQR20eDnnexUvgHNInp4SmcvQpDMc:UYoMZKYYBcQRCznexU4Hyn2

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

xMiNe

C2

xmine.no-ip.biz:6884

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    system

  • install_file

    src_rtw.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    qwert

  • regkey_hkcu

    HKCU

Targets

    • Target

      1c5bf532937789fb47ac1fe5bb4248ee_JaffaCakes118

    • Size

      1.1MB

    • MD5

      1c5bf532937789fb47ac1fe5bb4248ee

    • SHA1

      c15e22036807d942934f2c48f6df385be2e89af8

    • SHA256

      ba03ab391ebacff7cd602a3f90d0b344b605a4c75d59679a616603ad58b97953

    • SHA512

      1531c726e714426d2fb8060902f9387f72b33fa9c3df1492153082a61d1a68f4ae14de8f9aff5b65ab9abbf4525b4f5e2705ef700545e13b925830f40e85358f

    • SSDEEP

      6144:UWHoMzl/CwTJ3rYBfkQR20eDnnexUvgHNInp4SmcvQpDMc:UYoMZKYYBcQRCznexU4Hyn2

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks