General

  • Target

    23fc32ac9e231cac1291f1c73413ec84_JaffaCakes118

  • Size

    292KB

  • Sample

    240704-amtjpatflr

  • MD5

    23fc32ac9e231cac1291f1c73413ec84

  • SHA1

    100f30713863302eb87df17e9074bf067f87cbbe

  • SHA256

    cf8c6cf9b2cb5f120d22bc6d6d8b053c5b29e3b230ea9445c838e0da46c24d28

  • SHA512

    95b6d6e397032ee09f701c39fcc1f0de71be64a3b46e3116d9f93c213eb0504910190bd3cf6253909847e87e4492f020f60001e7845a9b830c23d33babcb1b51

  • SSDEEP

    6144:uaZZ2+A8Zpzz0HYYpQWBmQqMBUAW4HZsgF+W05D0n2QAruQbdxsX:D2+b3zzXYpBmK+AW4ZFInQAA

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.03.0

  • Botnet

    man

  • C2

    127.0.0.1:81

  • Mutex

    SX2I16B64HG163

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    1234567

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks