General

  • Target

    40e6399922a37801674a6aaa3540070e_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240713-j7r12atclk

  • MD5

    40e6399922a37801674a6aaa3540070e

  • SHA1

    8b855cca3019772cba5c27e9ec5f3e7b141b0920

  • SHA256

    0b837e6042fcde02f3893fa1912f400b58671c32b4cc66cd3158b63e5fc20685

  • SHA512

    edebbdfa084a7e981d2cc7ba927290c1f863c0e3ffb946021d2e733924373c727858374d91e47591e734b715de286bdf8a2b10e5b13503a1ab0deb079a45796a

  • SSDEEP

    24576:HhqMYdprgqE8sleQy2bkqjZcFMV3bLCHYvnphtX3t3bf2:HhqDpJE3QOnjZy1HsxBK

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

itzh4cked

C2

itzh4cked.no-ip.biz:6661

Mutex

CY4GD3PW1Q0B43

Attributes

  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    test this bitch.exe

  • install_dir

    Windows

  • install_file

    chrome.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    what459sit512

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks