General

  • Target

    204411ebf8a7c4e957c6a2e7dd46427b_JaffaCakes118

  • Size

    960KB

  • Sample

    240702-wc75zsthlg

  • MD5

    204411ebf8a7c4e957c6a2e7dd46427b

  • SHA1

    eed270cbc625e3a9237ba8ac8ae9e07a7aab8aef

  • SHA256

    e5e166f76e414b64424de1ac5229514592fcfea9da4dc8cae1c0ee011d7d2dbc

  • SHA512

    ca115f2b523bc3453a971d3d6992da333b5b368daab7da5517d742cef6222cefeb7afacc29a76929032b5cc3f493363c54b4c1d8d273bbe0414920c2151ecd7f

  • SSDEEP

    24576:QLodkamnGGY8LA8oJUuxpnM77OK1kmwdhRa:eo2nGGL5oJtWHotG

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.05.1

  • Botnet

    MiSt

  • C2

    all.no-ip.biz:999

  • Mutex

    G0B2IJUG3BE15Y

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15