cybergate | a3b2f5829ec774048fc85bb8ad4c2af0005eaa1ebb5638346c5311dde9137693 | Triage

Sharing

General

Target

29c9b946a74765d1cafc56fcb2341416_JaffaCakes118
Size

392KB
Sample

240707-g4ekesyanf
MD5

29c9b946a74765d1cafc56fcb2341416
SHA1

0ef09cfd2f49304b0cb06f3acb54130ba56bedd0
SHA256

a3b2f5829ec774048fc85bb8ad4c2af0005eaa1ebb5638346c5311dde9137693
SHA512

0be1d4689d1037c3a43e20b45883322b3c55051d2fad59924d0b2ea105c362b112a1bea1da03f28ecc8f9254e68367a849e973667f3cda8b7ddb6539eb4cc14d
SSDEEP

6144:sr9gtp2pu05Bo7qhZIIbirJgcLhPJ6WJjjUIRFK6EjIQgipPu:MA2pLB8qg3hPJ3JjIIe6EjI2Pu

Score

10^/10

cybergate öíóå persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

ÖÍÓå

C2

127.0.0.1:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Targets

- Target
  
  29c9b946a74765d1cafc56fcb2341416_JaffaCakes118
- Size
  
  392KB
- MD5
  
  29c9b946a74765d1cafc56fcb2341416
- SHA1
  
  0ef09cfd2f49304b0cb06f3acb54130ba56bedd0
- SHA256
  
  a3b2f5829ec774048fc85bb8ad4c2af0005eaa1ebb5638346c5311dde9137693
- SHA512
  
  0be1d4689d1037c3a43e20b45883322b3c55051d2fad59924d0b2ea105c362b112a1bea1da03f28ecc8f9254e68367a849e973667f3cda8b7ddb6539eb4cc14d
- SSDEEP
  
  6144:sr9gtp2pu05Bo7qhZIIbirJgcLhPJ6WJjjUIRFK6EjIQgipPu:MA2pLB8qg3hPJ3JjIIe6EjI2Pu
Score

10^/10

cybergate öíóå persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateöíóåpersistencestealertrojanupx

behavioral2

cybergateöíóåpersistencestealertrojanupx