General

  • Target

    43701f4b3ea7cc06db88f36e35676da6_JaffaCakes118

  • Size

    356KB

  • Sample

    240713-1gndlazhmh

  • MD5

    43701f4b3ea7cc06db88f36e35676da6

  • SHA1

    dc0a42ae4cd3dd8c4409c9d75e3705c6a7de1222

  • SHA256

    82422fe5c8f3835e5cc8b5bedfc2989bb799629cf279fdac7963373b0ce92a72

  • SHA512

    66057279316c793443980df0383249dbcce7127502c0bf7f166f70ba187d51381a31731d06949be73433d53afc0d6225f0bb4b9df0f517410f5767cdbb22e6f6

  • SSDEEP

    6144:gL9m8qT+UaxFiZPplC7omHnbNUrzoPgmIdSGHUpmQxKEq6HR9Z:gLY8qT+/xF0rzw9o70gHE7

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

46.37.180.197:2300

Mutex

M2PUXL8BFYT2U7

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

Targets

    • Target

      43701f4b3ea7cc06db88f36e35676da6_JaffaCakes118

    • Size

      356KB

    • MD5

      43701f4b3ea7cc06db88f36e35676da6

    • SHA1

      dc0a42ae4cd3dd8c4409c9d75e3705c6a7de1222

    • SHA256

      82422fe5c8f3835e5cc8b5bedfc2989bb799629cf279fdac7963373b0ce92a72

    • SHA512

      66057279316c793443980df0383249dbcce7127502c0bf7f166f70ba187d51381a31731d06949be73433d53afc0d6225f0bb4b9df0f517410f5767cdbb22e6f6

    • SSDEEP

      6144:gL9m8qT+UaxFiZPplC7omHnbNUrzoPgmIdSGHUpmQxKEq6HR9Z:gLY8qT+/xF0rzw9o70gHE7

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Tasks