General

  • Target

    4b7937a9e3d4f1e9aeab8c0ea8b3d515_JaffaCakes118

  • Size

    706KB

  • Sample

    240715-1adwkssemg

  • MD5

    4b7937a9e3d4f1e9aeab8c0ea8b3d515

  • SHA1

    6cca2ad8498a9393aa41ca3a2103aef318f2db72

  • SHA256

    9ae553bc8dc4074d36206b24d58020cce9f0a71f164874c2e01eea071298fb0e

  • SHA512

    245747967c54bd1baa6b6c7a0c813d86e355bd863869773abf576d8c15b89f7dfd7cc023ac12ef35c9aa79b47e545f91bf4730ce3fa882f7f16bd441597e954b

  • SSDEEP

    12288:faQw4/Wb55Ko8J+GxA7CxLnwNRm4XKgV6exhR795GDmpifcunQzzluMC:fPO+EGG78nwC4XKgV6uTpifcunQz6

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

barthsss.no-ip.biz:5622

Mutex

WSB167W58C4SND

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    SearchIndexer.exe

  • install_dir

    System32

  • install_file

    explorer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    passworddecrypter.ocx & winrarpass.ocx are missing please reinstall aplication

  • message_box_title

    OCX Files missing

  • password

    123456

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

  • Execution

    Scripting (1) T1064

  • Defense Evasion

    Scripting (1) T1064

  • Discovery

    Query Registry (1) T1012

    System Information Discovery (2) T1082