General

  • Target

    23d9cdb17fffdade49f0b52c768fb330_JaffaCakes118

  • Size

    840KB

  • Sample

    240703-3hhwlstcrf

  • MD5

    23d9cdb17fffdade49f0b52c768fb330

  • SHA1

    3cc261ba982ae2a325c9b6e88a7960274cbbf1be

  • SHA256

    28c64ea04aa9233f6fc1ccc3fac814cfc186fd4bd37d09ca801c3787d9866653

  • SHA512

    630d519cc517570f1b112e44910fba3bdedf73613dd832f400d3c1ab5b46567bd7b16250b6c9773a804813450bbf66448e38b8697e53bcb4cc3680eeebad6296

  • SSDEEP

    24576:ub6AohPUM/4yH6NNSUhV46VAj8nECXbcjrWA3NR/x1prL:uhohP77ySCK6kLCX4x7x1B

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    30-4-2012

  • C2

    abodeeg.no-ip.org:53961

    abode80.linkpc.net:53962

  • Mutex

    ***frewq***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    instell

  • install_file

    windos.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    the file is corrupted

  • message_box_title

    error

  • password

    1980

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
