General
-
Target
463c853a8d273082998e219fbfdfd6b9_JaffaCakes118
-
Size
1.4MB
-
Sample
240714-ryk55avaml
-
MD5
463c853a8d273082998e219fbfdfd6b9
-
SHA1
ddd8bc8a398b47cb3e97fed9c5377819e03752a5
-
SHA256
3c83296b084e4c34daf64a26548bc15131dd9ecdeb160571c8e4893b639c6065
-
SHA512
02de6f2ded05ba56f2e1dfe7bd5674b28710ccd353120bc00bd797cacdbdc4bc77ffd7d7262987b7a9c3f33d0c8183f50e29b6f78de69237788f3cf91d22a20b
-
SSDEEP
24576:TPfxhfxVcGLv8UIxq1ioQ/ZvAnWcuXqQ8AQe4X9Zg8X9hOzGI1Yfz:bxR/1vApvE9l
Malware Config
Extracted
cybergate
2.7 Final
vítima
ilyasdx.no-ip.org:99
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
5
-
ftp_password
sengonul
-
ftp_port
21
-
ftp_server
bot-online.zxq.net
-
ftp_username
bot-online_zxq
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
winlogon.exe
-
install_flag
true
-
keylogger_enable_ftp
true
-
message_box_caption
RESTART
-
message_box_title
RESTART
-
password
abcd1234
Targets
-
-
Target
463c853a8d273082998e219fbfdfd6b9_JaffaCakes118
-
Size
1.4MB
-
MD5
463c853a8d273082998e219fbfdfd6b9
-
SHA1
ddd8bc8a398b47cb3e97fed9c5377819e03752a5
-
SHA256
3c83296b084e4c34daf64a26548bc15131dd9ecdeb160571c8e4893b639c6065
-
SHA512
02de6f2ded05ba56f2e1dfe7bd5674b28710ccd353120bc00bd797cacdbdc4bc77ffd7d7262987b7a9c3f33d0c8183f50e29b6f78de69237788f3cf91d22a20b
-
SSDEEP
24576:TPfxhfxVcGLv8UIxq1ioQ/ZvAnWcuXqQ8AQe4X9Zg8X9hOzGI1Yfz:bxR/1vApvE9l
Score10/10-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-