General

  • Target

    406d867938b0d45fc5c3e529645f0526_JaffaCakes118

  • Size

    601KB

  • Sample

    240713-ghsj6azhme

  • MD5

    406d867938b0d45fc5c3e529645f0526

  • SHA1

    649a42647b94e2c9a7b1e6f7281c6095bbaf39af

  • SHA256

    7cfd9f1bca0c7405b778835b46d25efc86566022979b02305dec33c1dcc79f87

  • SHA512

    83ca2d0117bc5117acc310dddc9263ab4671cd491b665f0701ffd57df2a31e51e79288bc122b2a09319d75204950040a2e290d5c81b6eaeef2ab2a4536a0b875

  • SSDEEP

    12288:tBaf4dfo4M4lLvhmXu1ejPS+3HN7SUM6p7RT0SuCtOnlq:mf4FoMvYUej9NijZCUlq

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    dafatir

  • C2

    boucraa.no-ip.org:81

  • Mutex

    ***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    adobe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Please try again later.

  • message_box_title

    Error

  • password

    abcd1234

Targets

    • Target

      406d867938b0d45fc5c3e529645f0526_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15