General

  • Target: 1d3d07300341b5e68c436e4b137f42bd_JaffaCakes118
  • Size: 499KB
  • Sample: 240702-yp33xazhnl
  • MD5: 1d3d07300341b5e68c436e4b137f42bd
  • SHA1: b1badd8f9e619b27a128c403710e41680d86bce6
  • SHA256: f66c3afafce949ca6ba00b58681d509ef44432161f7d655c13afdabd57f60cf2
  • SHA512: 3e705309b5ca645ea2104b0fe8a6f3c08e6736121a805a531c61a263379b1b49de9e8d5a9d387f0be676af66695289fd60d152b4bf4077134deb31a9474c5298
  • SSDEEP: 12288:Uw9pA8NujB9nt5CBV35GCYSZfqFCbSf/Tg5/ziPxQyrvl:UmtNujPtkGsZCRfmz8xR

Malware Config

Extracted

  • Family: cybergate
  • Version: v1.05.1
  • Botnet: total
  • C2: getarm.no-ip.biz:5110
  • Mutex: K2G3LVLAL71YRC

Attributes

  • enable_keylogger: false
  • enable_message_box: false
  • ftp_directory: ./logs/
  • ftp_interval: 30
  • injected_process: explorer.exe
  • install_dir: install
  • install_file: man.exe
  • install_flag: true
  • keylogger_enable_ftp: false
  • message_box_caption: Error in True!
  • message_box_title: Windows
  • password: afrane
  • regkey_hkcu: HKCU
  • regkey_hklm: HKLM

Targets

    • CyberGate, Rebhip
      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup
      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • UPX packed file
      Detects executables packed with UPX or a modified UPX open-source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15