General

  • Target

    1dc3c89cb600a26e331343ab01c5c5fd_JaffaCakes118

  • Size

    384KB

  • Sample

    240702-2w3bqsthkb

  • MD5

    1dc3c89cb600a26e331343ab01c5c5fd

  • SHA1

    345408bf1671d522678e38d59327e603f844595c

  • SHA256

    19901a810eae1683d24ea9b4a4fb404ef38fdf70dd0c649e9a7a68afc6c90c03

  • SHA512

    58c8b8c331a941b8048277d65c3bc41101929911cb6bd849f4ac556ddd4801820369f922ef71cea59911d12baa6ec0e840baf91273152c1e61f9c570c83a50e6

  • SSDEEP

    6144:u4ABF94OGGGpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXKkNc7UVKpL7L3Q0gI6e:lUtGGNGLE0kuGnESB17UQpXLA9I6kMYD

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.04.8

  • Botnet

    2_israel

  • C2

    alkasber.no-ip.info:444

  • Mutex

    NWC682016D27A4

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      1dc3c89cb600a26e331343ab01c5c5fd_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15