General

  • Target

    210cb1dbb8b573d140588f8901f6747f_JaffaCakes118

  • Size

    395KB

  • Sample

    240703-ev281sxbjh

  • MD5

    210cb1dbb8b573d140588f8901f6747f

  • SHA1

    6c886fdf3b3ba5d0c000ab45f621527ff47c0a5c

  • SHA256

    bbca79a038ff41f1003de36830ae8e8ca66a6de882d18efd8d1f67ad126a5dd5

  • SHA512

    85f63c1650ca7a282d05f1fa128c6457f03071d2dbc2551a383ff9ef76f0994dcdfc8f708a7852145e274fa0877da33e6d163be568a9f9bb2b90286478752fcc

  • SSDEEP

    6144:jWtl80NATdMsQff2h5kwDfkexiRvw1daKRLtC1SytL87d/GX5uixI/SVCM4B:1QuGsUfakgiRf8t8bL87BGJvxI/pB

Malware Config

Extracted

Family

cybergate

Version

v1.18.0

Botnet

myown

C2

vic.myftp.biz:2121

Mutex

6X033DWGU1PWC3

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Prefetch

  • install_file

    svhost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    myvic

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
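
The extracted configuration above is enough to build concrete host and network hunting indicators. The following Python is an added example, not part of the sandbox report or of CyberGate itself: it derives indicators from the config fields (C2 host and port, mutex, injected process, install directory and file name) and checks them against constructed telemetry records. The telemetry, the pid values and the assumption that install_dir "Prefetch" resolves under %SystemRoot% are the example's own.

```python
# Added example (not part of the sandbox report or of CyberGate): turn the
# extracted config into hunting indicators and check constructed telemetry.
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Field values copied from the extracted config.
CONFIG = {
    "c2": "vic.myftp.biz:2121",
    "mutex": "6X033DWGU1PWC3",
    "injected_process": "explorer.exe",
    "install_dir": "Prefetch",
    "install_file": "svhost.exe",
}

# Assumption: the report gives only the directory name; this example resolves
# it under %SystemRoot%. Adjust if the sample installs elsewhere on your image.
ASSUMED_SYSTEMROOT = "C:\\Windows"


@dataclass(frozen=True)
class Iocs:
    c2_host: str
    c2_port: int
    mutex: str
    injected_process: str
    install_file: str
    install_path: str


def iocs_from_config(cfg: dict) -> Iocs:
    """Normalise the config fields into comparable, lower-cased indicators."""
    host, _, port = cfg["c2"].rpartition(":")
    install_path = "\\".join((ASSUMED_SYSTEMROOT, cfg["install_dir"], cfg["install_file"]))
    return Iocs(
        c2_host=host.lower(),
        c2_port=int(port),
        mutex=cfg["mutex"],
        injected_process=cfg["injected_process"].lower(),
        install_file=cfg["install_file"].lower(),
        install_path=install_path.lower(),
    )


def check_events(events: Iterable[dict], iocs: Iocs) -> list[str]:
    """Return one finding per event that matches a config-derived indicator."""
    hits: list[str] = []
    for ev in events:
        kind = ev["type"]
        if kind == "mutex" and ev["name"] == iocs.mutex:
            hits.append(f"pid {ev['pid']}: mutex {ev['name']} matches config")
        elif kind == "dns" and ev["query"].lower().rstrip(".") == iocs.c2_host:
            hits.append(f"pid {ev['pid']}: DNS lookup of C2 host {iocs.c2_host}")
        elif kind == "netconn":
            # CyberGate injects into explorer.exe, so explorer reaching the C2
            # port is the signal; a browser talking to 443 is not.
            image = ev["image"].lower()
            if image == iocs.injected_process and ev["dport"] == iocs.c2_port:
                hits.append(f"pid {ev['pid']}: {image} -> {ev['dst']}:{ev['dport']} (C2 port)")
        elif kind == "file":
            path = ev["path"].lower()
            # Exact install path, or the svhost.exe look-alike name anywhere
            # (it is one letter short of the legitimate svchost.exe).
            if path == iocs.install_path or path.endswith("\\" + iocs.install_file):
                hits.append(f"pid {ev['pid']}: install artifact {ev['path']}")
    return hits


# Constructed telemetry for the example; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "mutex", "pid": 1337, "name": "6X033DWGU1PWC3"},
    {"type": "mutex", "pid": 640, "name": "Global\\MsiMutex"},
    {"type": "dns", "pid": 1337, "query": "vic.myftp.biz"},
    {"type": "dns", "pid": 900, "query": "time.windows.com"},
    {"type": "netconn", "pid": 1337, "image": "explorer.exe", "dst": "203.0.113.10", "dport": 2121},
    {"type": "netconn", "pid": 4100, "image": "chrome.exe", "dst": "198.51.100.5", "dport": 443},
    {"type": "file", "pid": 1337, "path": "C:\\Windows\\Prefetch\\svhost.exe"},
    {"type": "file", "pid": 4, "path": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for finding in check_events(SAMPLE_EVENTS, iocs_from_config(CONFIG)):
        print(finding)
```

The mutex and the exact C2 hostname are the highest-confidence matches; the dynamic-DNS host can re-resolve to any address, so pivot on the name and the port rather than on an IP. The svhost.exe name is worth matching on its own because it survives even if the install directory differs from the assumption above.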

Targets

    • Target

      210cb1dbb8b573d140588f8901f6747f_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate (also tracked as Rebhip) is a Delphi-based remote access trojan with keylogging, file and process management and remote shell capabilities. In this build the keylogger is enabled and the FTP upload of its logs is disabled (see enable_keylogger and keylogger_enable_ftp above).

    • Adds policy Run key to start application

      Persistence through Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, an autostart location Explorer processes in addition to the ordinary Run key (MITRE T1547.001).

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key under Software\Microsoft\Active Setup\Installed Components (MITRE T1547.014); the StubPath command of a new component runs once for each user at logon.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

      The signature refers to vbc.exe, the Visual Basic .NET command-line compiler, which the sample launches as a host process for injected code.

    • Adds Run key to start application

      Persistence through Software\Microsoft\Windows\CurrentVersion\Run (MITRE T1547.001).

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on another process's thread is the hallmark of process hollowing: a child is created suspended, the payload is written into it, and the thread's entry point is redirected before it resumes.
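
Three of the signatures above are registry autostart locations (the Run key, the Policies\Explorer\Run key and Active Setup StubPath). The following Python is an added example, not part of the report or of CyberGate: it parses a Windows .reg export, lists every entry in those three locations and flags any whose executable does not live in a trusted directory. The export text, the placeholder GUIDs, the use of "HKCU"/"HKLM" as value names and the trusted-directory list are the example's own assumptions.

```python
# Added example (not part of the sandbox report or of CyberGate): parse a
# Windows .reg export and list entries in the three autostart locations the
# signatures above refer to (Run, Policies\Explorer\Run, Active Setup StubPath).
from __future__ import annotations

import re
from dataclasses import dataclass

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')

# Directories a legitimate autostart binary is expected to run from.
# Assumption for this example; a real deployment baselines its own hosts.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Autorun:
    hive: str        # HKCU or HKLM
    kind: str        # Run, PolicyRun or ActiveSetup
    value_name: str
    command: str
    exe: str
    suspicious: bool


def _unescape(data: str) -> str:
    """Undo .reg REG_SZ escaping: backslash-backslash and backslash-quote."""
    return re.sub(r"\\(.)", r"\1", data)


def _first_exe(command: str) -> str:
    """Executable part of a command line: quoted path, else the first token."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    parts = command.split()
    return parts[0] if parts else ""


def _kind(key: str) -> str | None:
    k = key.lower()
    if k.endswith("\\software\\microsoft\\windows\\currentversion\\run"):
        return "Run"
    if k.endswith("\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run"):
        return "PolicyRun"
    if "\\software\\microsoft\\active setup\\installed components\\" in k:
        return "ActiveSetup"
    return None


def scan_reg_export(text: str) -> list[Autorun]:
    """Return every autostart entry found in the three monitored locations."""
    found: list[Autorun] = []
    kind = None
    hive = "?"
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            kind = _kind(key)
            hive = "HKCU" if key.lower().startswith("hkey_current_user") else "HKLM"
            continue
        m = VALUE_LINE.match(line)
        if not m or kind is None:
            continue
        name, command = m.group(1), _unescape(m.group(2))
        # Under Active Setup only StubPath is executed; Version etc. are metadata.
        if kind == "ActiveSetup" and name.lower() != "stubpath":
            continue
        exe = _first_exe(command)
        found.append(Autorun(hive, kind, name, command, exe,
                             not exe.lower().startswith(TRUSTED_DIRS)))
    return found


# Constructed export, not from the sandbox run. The svhost.exe path assumes
# install_dir=Prefetch resolves under C:\Windows; GUIDs are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"HKCU"="C:\\Windows\\Prefetch\\svhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"HKLM"="C:\\Windows\\Prefetch\\svhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000c9b}]
"StubPath"="C:\\Windows\\Prefetch\\svhost.exe Restart"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"""

if __name__ == "__main__":
    for e in scan_reg_export(SAMPLE_REG):
        flag = "SUSPICIOUS" if e.suspicious else "ok"
        print(f"{flag:10} {e.hive} {e.kind:11} {e.value_name:10} {e.exe}")
```

Run it against `reg export HKLM\Software out.reg` and the per-user hive of each profile; the Policies\Explorer\Run and Active Setup entries are the ones most often missed by quick Run-key checks, and an Active Setup stub pointing outside System32 or Program Files deserves a look regardless of its name.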
