General

  • Target

    22927dadc82b4b88a12d148d97ff1ab8_JaffaCakes118

  • Size

    394KB

  • Sample

    240703-q4t5jszfkg

  • MD5

    22927dadc82b4b88a12d148d97ff1ab8

  • SHA1

    db47640abfb6e3732414cacfc7e451800b896f0e

  • SHA256

    6fd767fac2f838bf7c6792b2c76af9a8bbcfda7fb2c9fa1e78be24ce996c66e0

  • SHA512

    3081091bd4cf67d3ce86b7a2d2b8c297fa3aafa253bed643457ba081b69b34318b9778afdb1def76ba9872efdefde8b6f9a249dc25e011a4b4e8e525764abeeb

  • SSDEEP

    12288:GgJwonsizk0saVx0dPemKXnVpy9hzpBesnf:GewujsaVhmKlp8hz1

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

tunisia-sat

C2

klach.hopto.org:81

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    CHROME.exe

  • install_dir

    system32

  • install_file

    cmd23.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • Target

      22927dadc82b4b88a12d148d97ff1ab8_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks