General

  • Target

    20dd44c47c9f86697c04752f9e588e31_JaffaCakes118

  • Size

    290KB

  • Sample

    240703-dh9xnaycnp

  • MD5

    20dd44c47c9f86697c04752f9e588e31

  • SHA1

    5e6058dc2fc5e5c59d121f975ea981886bc1a1bd

  • SHA256

    1ee9069339b9ba48212352b16e9ba37bfe9b00a8463e49a94e96d46a62d9c311

  • SHA512

    1779df89c161e0885de6cafd6de2adab6f34d248882202753983ada0c1e899833b0af5360c58f86cc42c664022c46dbff5e5c1aa6d6f7e4644e85f573e9cf450

  • SSDEEP

    6144:uh4whJzhfqoLa0PgSlJ4WyyxU44cGnzqTMFuJ4GoRbj2cyPINkplq7x0:Q4azhRm0PplJ4Wys2cazqTMFuwRv2v+O
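Before pivoting on the SSDEEP value above it is worth checking that it is internally consistent with the reported size and knowing which other digests it can be compared against at all. The following is an added example of my own, not tooling from the sandbox or from the CyberGate project: it parses the digest, verifies that the block size (6144) is one ssdeep could have chosen for a file of roughly 290KB, and applies the same pre-filter ssdeep uses before scoring (block sizes equal or differing by exactly 2x, and a common 7-character substring in a comparable chunk pair). The exact byte count is not on the page, so 290 * 1024 is an assumption; the comparison digests in the test are constructed.

```python
# Added example (mine, not the sandbox's code): parse an ssdeep fuzzy hash,
# check that its block size is plausible for the reported file size, and
# apply the pre-filter ssdeep uses before it scores two digests.
from dataclasses import dataclass
from typing import List, Tuple

SPAMSUM_LENGTH = 64   # longest chunk ssdeep emits
MIN_BLOCKSIZE = 3     # block sizes are 3 * 2**n
ROLLING_WINDOW = 7    # two digests need a common substring this long to score > 0
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Digest copied from the report above. The page only says "290KB", so the
# byte count is an assumption (290 * 1024); the check is not sensitive to it here.
SAMPLE_SSDEEP = "6144:uh4whJzhfqoLa0PgSlJ4WyyxU44cGnzqTMFuJ4GoRbj2cyPINkplq7x0:Q4azhRm0PplJ4Wys2cazqTMFuwRv2v+O"
SAMPLE_SIZE = 290 * 1024


@dataclass(frozen=True)
class Ssdeep:
    block_size: int
    chunk1: str  # signature computed at block_size
    chunk2: str  # signature computed at 2 * block_size


def parse_ssdeep(digest: str) -> Ssdeep:
    """Parse 'blocksize:chunk1:chunk2' and reject anything ssdeep could not have produced."""
    parts = digest.split(":")
    if len(parts) != 3:
        raise ValueError("digest must have exactly three colon-separated fields")
    bs_text, chunk1, chunk2 = parts
    if not bs_text.isdigit():
        raise ValueError("block size must be a decimal integer")
    bs = int(bs_text)
    n = bs // MIN_BLOCKSIZE
    if bs % MIN_BLOCKSIZE or n == 0 or n & (n - 1):
        raise ValueError(f"block size {bs} is not of the form 3 * 2**n")
    for chunk in (chunk1, chunk2):
        if len(chunk) > SPAMSUM_LENGTH or any(c not in B64 for c in chunk):
            raise ValueError(f"bad chunk {chunk!r}")
    return Ssdeep(bs, chunk1, chunk2)


def max_block_size_for(file_size: int) -> int:
    """Largest block size ssdeep would use for a file of this size.

    ssdeep starts at 3 and doubles until block_size * 64 >= file_size; it may
    then step DOWN if the resulting chunk is too short, but never up.
    """
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < file_size:
        bs *= 2
    return bs


def block_size_plausible(digest: str, file_size: int) -> bool:
    """False if the digest's block size is too large for a file of file_size bytes."""
    return parse_ssdeep(digest).block_size <= max_block_size_for(file_size)


def eliminate_sequences(s: str) -> str:
    """Collapse runs of more than three identical characters to three, as ssdeep does before comparing."""
    out: List[str] = []
    for c in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == c:
            continue
        out.append(c)
    return "".join(out)


def comparable_pairs(a: Ssdeep, b: Ssdeep) -> List[Tuple[str, str]]:
    """Chunk pairs computed at the same block size; block sizes more than 2x apart cannot be compared."""
    if a.block_size == b.block_size:
        return [(a.chunk1, b.chunk1), (a.chunk2, b.chunk2)]
    if a.block_size == 2 * b.block_size:
        return [(a.chunk1, b.chunk2)]
    if b.block_size == 2 * a.block_size:
        return [(a.chunk2, b.chunk1)]
    return []


def has_common_substring(s1: str, s2: str, length: int = ROLLING_WINDOW) -> bool:
    grams = {s1[i:i + length] for i in range(len(s1) - length + 1)}
    return any(s2[i:i + length] in grams for i in range(len(s2) - length + 1))


def could_match(digest_a: str, digest_b: str) -> bool:
    """ssdeep's pre-filter: no 7-char common substring in a comparable pair means a score of 0."""
    a, b = parse_ssdeep(digest_a), parse_ssdeep(digest_b)
    return any(
        has_common_substring(eliminate_sequences(x), eliminate_sequences(y))
        for x, y in comparable_pairs(a, b)
    )


if __name__ == "__main__":
    print("block size plausible for 290KB:", block_size_plausible(SAMPLE_SSDEEP, SAMPLE_SIZE))
    print("self-comparison passes pre-filter:", could_match(SAMPLE_SSDEEP, SAMPLE_SSDEEP))
```

A digest that passes `could_match` still needs the real edit-distance scoring (the `ssdeep` tool or a binding) to get a percentage; the point of the pre-filter is the converse: a digest that fails it, or whose block size is more than 2x away, will never score above 0 against this sample, so there is no need to compute anything further.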

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

CyberFlash

C2

cyberflash1234.zapto.org:8080

Mutex

SX7710J21884BU

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    svhost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    rq27qvb2hackersoftware114rq27qvb2

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
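Two details in the extracted attributes deserve an explicit check rather than a glance: the install file name `svhost.exe` is one character away from the legitimate `svchost.exe`, and the C2 host sits under `zapto.org`, a free dynamic-DNS domain, so the hostname rather than an IP is the durable indicator. The following is an added example of my own (not the sandbox's tooling or anything from CyberGate) that turns the configuration above into hunting indicators and performs both checks. The list of system binaries and the list of dynamic-DNS apex domains are my own partial lists; the registry key paths follow the Run, policy Run and Active Setup locations named by the signatures further down, and the value names, which the config does not contain, are left out.

```python
# Added example (mine, not the sandbox's own tooling): turn the extracted
# CyberGate configuration into hunting indicators and flag two details a
# triager should not miss: an install file name that masquerades as a Windows
# binary, and a C2 hosted on a dynamic-DNS domain.
from typing import Dict, List, Optional, Tuple

# Values copied from the "Extracted" section of the report.
SAMPLE_CONFIG: Dict[str, str] = {
    "c2": "cyberflash1234.zapto.org:8080",
    "mutex": "SX7710J21884BU",
    "injected_process": "explorer.exe",
    "install_dir": "install",
    "install_file": "svhost.exe",
    "regkey_hkcu": "HKCU",
    "regkey_hklm": "HKLM",
}

# Common Windows system binaries that malware likes to imitate (my own list).
SYSTEM_BINARIES = [
    "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "rundll32.exe", "conhost.exe", "spoolsv.exe",
    "dllhost.exe", "taskhost.exe",
]

# Apex domains of free dynamic-DNS services (partial list, my own assumption).
DYNAMIC_DNS_APEXES = [
    "zapto.org", "no-ip.org", "no-ip.biz", "hopto.org", "ddns.net",
    "sytes.net", "servehttp.com", "myftp.org", "dyndns.org", "duckdns.org",
]


def autostart_keys(cfg: Dict[str, str]) -> List[str]:
    """Key paths for the Run, policy Run and Active Setup autostarts the signatures report.

    The value names are not part of the extracted config, so only key paths are listed;
    <GUID> is a placeholder for the Active Setup component the sample creates.
    """
    keys: List[str] = []
    for hive in (cfg.get("regkey_hkcu"), cfg.get("regkey_hklm")):
        if hive:
            keys.append(hive + r"\Software\Microsoft\Windows\CurrentVersion\Run")
            keys.append(hive + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")
    keys.append(r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<GUID>\StubPath")
    return keys


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, case-insensitive (Windows file names are)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_of(filename: str, max_distance: int = 1) -> Optional[str]:
    """System binary this name imitates: within max_distance edits of it, but not identical."""
    best = min(SYSTEM_BINARIES, key=lambda s: edit_distance(filename, s))
    d = edit_distance(filename, best)
    return best if 0 < d <= max_distance else None


def is_dynamic_dns(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == apex or host.endswith("." + apex) for apex in DYNAMIC_DNS_APEXES)


def parse_c2(c2: str) -> Tuple[str, int]:
    """Split 'host:port' as CyberGate configs store it."""
    host, _, port = c2.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"unexpected C2 format: {c2!r}")
    return host, int(port)


def build_indicators(cfg: Dict[str, str]) -> Dict[str, object]:
    host, port = parse_c2(cfg["c2"])
    return {
        "c2_host": host,
        "c2_port": port,
        "c2_dynamic_dns": is_dynamic_dns(host),
        "mutex": cfg["mutex"],
        # install_dir is relative; the base directory is not in the extracted config.
        "install_path_suffix": "\\".join((cfg["install_dir"], cfg["install_file"])),
        "install_file_masquerades": masquerade_of(cfg["install_file"]),
        "injection_target": cfg["injected_process"],
        "autostart_keys": autostart_keys(cfg),
    }


if __name__ == "__main__":
    for key, value in build_indicators(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Note the asymmetry the masquerade check brings out: `svhost.exe` resolves to `svchost.exe` as a lookalike, while `explorer.exe`, the `injected_process` value, is an exact system binary name and is reported as no masquerade, which is what you expect of a hollowing target as opposed to a dropped file.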

Targets

    • Target

      20dd44c47c9f86697c04752f9e588e31_JaffaCakes118

    • Size

      290KB

    • MD5

      20dd44c47c9f86697c04752f9e588e31

    • SHA1

      5e6058dc2fc5e5c59d121f975ea981886bc1a1bd

    • SHA256

      1ee9069339b9ba48212352b16e9ba37bfe9b00a8463e49a94e96d46a62d9c311

    • SHA512

      1779df89c161e0885de6cafd6de2adab6f34d248882202753983ada0c1e899833b0af5360c58f86cc42c664022c46dbff5e5c1aa6d6f7e4644e85f573e9cf450

    • SSDEEP

      6144:uh4whJzhfqoLa0PgSlJ4WyyxU44cGnzqTMFuJ4GoRbj2cyPINkplq7x0:Q4azhRm0PplJ4Wys2cazqTMFuwRv2v+O

    • CyberGate, Rebhip

      CyberGate (also detected under the name Rebhip) is a remote access trojan; the configuration extracted above shows the keylogger enabled, injection into explorer.exe, and installation under the file name svhost.exe.

    • Adds policy Run key to start application

      Writes an autostart entry under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, which Explorer processes at logon in addition to the ordinary Run key.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

      Writes an autostart entry under Software\Microsoft\Windows\CurrentVersion\Run; the extracted config lists both HKCU and HKLM (regkey_hkcu, regkey_hklm).

    • Suspicious use of SetThreadContext

      Setting the thread context of another process is the execution-redirect step of process hollowing; it is consistent with the injected_process value (explorer.exe) in the extracted config.

MITRE ATT&CK Enterprise v15
