General

  • Target

    2334848b7f99524ebeffe785565fc479_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240703-v3pkwszfkm

  • MD5

    2334848b7f99524ebeffe785565fc479

  • SHA1

    358a5d3a02f45c58f34837b25015fb4bb715a54a

  • SHA256

    77fca175f393e6f43c1cb06cf8a0ef4b82a52f06662922f7e41568eda88b7162

  • SHA512

    d7b15db04ec09185a3e3e1be6307f862ebd2d2cf4dc0973cea1b968bafe84fddd9a7238be197d7c60697e5e77c336b2e8cccb0815a3851aab1330494994f01ec

  • SSDEEP

    24576:HhqMYdprgqE8sleQy2bkqjZcFMV3bLCHYvnphtX3t3P42:HhqDpJE3QOnjZy1HsxBt

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

itzh4cked

C2

itzh4cked.no-ip.biz:6661

Mutex

CY4GD3PW1Q0B43

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    test this bitch.exe

  • install_dir

    Windows

  • install_file

    chrome.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    what459sit512

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      2334848b7f99524ebeffe785565fc479_JaffaCakes118

    • Size

      1.2MB

    • MD5

      2334848b7f99524ebeffe785565fc479

    • SHA1

      358a5d3a02f45c58f34837b25015fb4bb715a54a

    • SHA256

      77fca175f393e6f43c1cb06cf8a0ef4b82a52f06662922f7e41568eda88b7162

    • SHA512

      d7b15db04ec09185a3e3e1be6307f862ebd2d2cf4dc0973cea1b968bafe84fddd9a7238be197d7c60697e5e77c336b2e8cccb0815a3851aab1330494994f01ec

    • SSDEEP

      24576:HhqMYdprgqE8sleQy2bkqjZcFMV3bLCHYvnphtX3t3P42:HhqDpJE3QOnjZy1HsxBt

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks