Overview

overview

10

Static

static

3

28af68c72a...18.exe

windows7-x64

10

28af68c72a...18.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    28af68c72ae2bdafc431c5c1209b7217_JaffaCakes118

  • Size

    2.1MB

  • Sample

    240706-s3cvzstapp

  • MD5

    28af68c72ae2bdafc431c5c1209b7217

  • SHA1

    c150ceb2521a4868258ed7d1de24ab938284b946

  • SHA256

    019ba460bc54743c22f974dc29e7e42f4b709f133a2b269a421b377b049d4309

  • SHA512

    eeb0d646e6a0be82234f99495e8d741ebcaa667c66f1895f5d6f404cdc08a9fee9a1b08887eb824e5015c8c23c011493aa846cd73388a2324d00e750be31aae5

  • SSDEEP

    49152:MVZXbQsV+pCz4PeeLmvAOQ8DrMFdsA/SKRHvia27o:UZXbQHO4GeSvA386sA/SKdvC0

Score
10/10
cybergatedank-41dankvic-0401bootkitpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Dank-41

C2

finders.hopto.org:423

Mutex

YFD613TQ8U868X

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    taskmgr.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    knarf0909

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

cybergate

Version

v1.04.8

Botnet

dankvic-0401

C2

dankpicserve.no-ip.org:420

finders.hopto.org:412
Mutex

527CC1HD5CF3C5

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    csrss.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Operating System not supported

  • message_box_title

    Slideshow

  • password

    knarf0909

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      28af68c72ae2bdafc431c5c1209b7217_JaffaCakes118

    • Size

      2.1MB

    • MD5

      28af68c72ae2bdafc431c5c1209b7217

    • SHA1

      c150ceb2521a4868258ed7d1de24ab938284b946

    • SHA256

      019ba460bc54743c22f974dc29e7e42f4b709f133a2b269a421b377b049d4309

    • SHA512

      eeb0d646e6a0be82234f99495e8d741ebcaa667c66f1895f5d6f404cdc08a9fee9a1b08887eb824e5015c8c23c011493aa846cd73388a2324d00e750be31aae5

    • SSDEEP

      49152:MVZXbQsV+pCz4PeeLmvAOQ8DrMFdsA/SKRHvia27o:UZXbQHO4GeSvA386sA/SKdvC0

    Score
    10/10
    cybergatedank-41bootkitpersistencestealertrojandankvic-0401upx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks