cybergate | d8b1dd15a7867c2d74b655bbc55c96b8ad689d93c423fab1c9e8c4fb8a5e6c55 | Triage

Sharing

General

Target

40f82ce361a215334908649e8e8593f1_JaffaCakes118
Size

376KB
Sample

240713-klh2nstgmk
MD5

40f82ce361a215334908649e8e8593f1
SHA1

cd16817ed8f9fa4a4fb57c29516078e385e0795a
SHA256

d8b1dd15a7867c2d74b655bbc55c96b8ad689d93c423fab1c9e8c4fb8a5e6c55
SHA512

2e17ccdcb9489c9a04db3f960e5adbef946cd79a44d97a01e5488ed8bb69ac9757b76e6292e4472f008d0064bd91a0b6dd78ef49af75d38efadcc3254474a586
SSDEEP

6144:9NjcznADtqhGmV5pikVXUTSOpmczaTrecbZ1rfFZh5vRA:9NILSWGmvkTrq5Xfv3m

Score

10^/10

cybergate igxpersistinjexploreroffusboffp2poffrk persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

igxPersistInjExplorerOffUSBOffP2pOffRk

C2

babas.ishidden.net:3129

bitcomet.hopto.org:3129

babas.ishidden.net:8081

bitcomet.hopto.org:8081

Mutex

***igx***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
igxPersist.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
ilovespynet@123
regkey_hkcu
igxPersistDLL
regkey_hklm
igxPersistModul

Targets

- Target
  
  40f82ce361a215334908649e8e8593f1_JaffaCakes118
- Size
  
  376KB
- MD5
  
  40f82ce361a215334908649e8e8593f1
- SHA1
  
  cd16817ed8f9fa4a4fb57c29516078e385e0795a
- SHA256
  
  d8b1dd15a7867c2d74b655bbc55c96b8ad689d93c423fab1c9e8c4fb8a5e6c55
- SHA512
  
  2e17ccdcb9489c9a04db3f960e5adbef946cd79a44d97a01e5488ed8bb69ac9757b76e6292e4472f008d0064bd91a0b6dd78ef49af75d38efadcc3254474a586
- SSDEEP
  
  6144:9NjcznADtqhGmV5pikVXUTSOpmczaTrecbZ1rfFZh5vRA:9NILSWGmvkTrq5Xfv3m
Score

10^/10

cybergate igxpersistinjexploreroffusboffp2poffrk persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateigxpersistinjexploreroffusboffp2poffrkpersistencestealertrojan

behavioral2

cybergateigxpersistinjexploreroffusboffp2poffrkpersistencestealertrojanupx