General

  • Target

    49d560535d15d6bb1e5c8c6ee7e80cf3_JaffaCakes118

  • Size

    309KB

  • Sample

    240715-pyks9avbkh

  • MD5

    49d560535d15d6bb1e5c8c6ee7e80cf3

  • SHA1

    5df33e1418f59dfce46fb1adcaeff97ed60b0631

  • SHA256

    18873a8370def157f017569415a77839eeb9ae833e3e76bf84800d9ad859ce3f

  • SHA512

    8d8db01a8df5156e92523aea71c8aeda9bb9a1b6b6b22cfc7490492cbfecf61c559ea7d8278105435946b5b785c55e353014dfb39eb7ae72fcfc14fd04bce81b

  • SSDEEP

    6144:vrwJMppth2M4evgn4ySn9n5jQ4KC5VFp3QCAwQM+bpDW8SP8cmKsAW+n8of:hpdw4lxlQYBpANwQTpmPDlU+h

Malware Config

Extracted

Family

cybergate

Version

v1.11.0 - Public Version

Botnet

Cyber

C2

freecoolstuff.dyndns.org:3332

127.0.0.1:3332

Mutex

X042XRUC3743WE

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Diskoteka

  • install_file

    smc.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    456789

  • regkey_hklm

    Vesna

Targets

    • Target

      49d560535d15d6bb1e5c8c6ee7e80cf3_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate (also detected as Rebhip) is a Delphi-based remote access trojan sold as a "remote administration tool"; its builder-configured capabilities include keylogging, file and process management, a remote shell and webcam/microphone capture, and the config extracted above confirms the keylogger is enabled and the payload is injected into explorer.exe.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Components live under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\, and each component's StubPath value is executed once per user at that user's next logon, so it survives tooling that only inspects Run keys.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
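
As an added example (not part of the sandbox report or of the CyberGate family description), the script below turns the configuration and signatures above into indicators and runs them over constructed Sysmon-style events. The field names follow Sysmon's (TargetObject, Details, TargetFilename, QueryName, DestinationHostname, DestinationPort, TargetImage); the events and the Active Setup component GUID are constructed; the full path C:\Windows\System32\Diskoteka\smc.exe is an assumption built from install_dir, install_file and the "Drops file in System32 directory" signature, and the matching only anchors on the trailing Diskoteka\smc.exe components. The 127.0.0.1:3332 entry is treated as a builder placeholder and excluded from the network indicators; the mutex is listed but needs a handle scan on the endpoint and is not matched here.

```python
"""Derive indicators from the extracted CyberGate config and match them against
constructed Sysmon-style events. Added example, not part of the sandbox report."""
import ipaddress
import re
from dataclasses import dataclass

# Values copied from the "Malware Config" section of the report.
CONFIG = {
    "c2": ["freecoolstuff.dyndns.org:3332", "127.0.0.1:3332"],
    "mutex": "X042XRUC3743WE",  # needs a handle scan on the host; not visible in Sysmon
    "injected_process": "explorer.exe",
    "install_dir": "Diskoteka",
    "install_file": "smc.exe",
    "regkey_hklm": "Vesna",
}


def network_iocs(config):
    """(host, port) pairs worth alerting on. Loopback/unspecified addresses are
    builder placeholders extracted alongside the real C2; they are dropped."""
    iocs = []
    for entry in config["c2"]:
        host, _, port = entry.rpartition(":")
        try:
            addr = ipaddress.ip_address(host)
            if addr.is_loopback or addr.is_unspecified:
                continue
        except ValueError:
            pass  # a hostname (here a dynamic-DNS name): keep it
        iocs.append((host.lower(), int(port)))
    return iocs


def host_patterns(config):
    """Regexes over registry paths and file names. Only the trailing
    install_dir\\install_file components are anchored; the install root
    (System32 according to the report's signature) is not asserted."""
    install = r"\\" + re.escape(config["install_dir"]) + r"\\" + re.escape(config["install_file"]) + r"$"
    return {
        "run_key": re.compile(r"\\CurrentVersion\\Run\\" + re.escape(config["regkey_hklm"]) + r"$", re.I),
        "active_setup": re.compile(r"\\Active Setup\\Installed Components\\.*\\StubPath$", re.I),
        "install_path": re.compile(install, re.I),
    }


@dataclass
class Hit:
    rule: str       # report signature (or indicator type) the event corresponds to
    technique: str  # ATT&CK ID where the report's matrix gives one, else ""
    event: dict


def scan(events, config=CONFIG):
    """Return a Hit for every event that matches an indicator derived from config."""
    pats = host_patterns(config)
    c2 = set(network_iocs(config))
    c2_hosts = {host for host, _ in c2}
    hits = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "RegistryValueSet":
            if pats["run_key"].search(ev["TargetObject"]):
                hits.append(Hit("Adds Run key to start application", "T1547.001", ev))
            if pats["active_setup"].search(ev["TargetObject"]) and pats["install_path"].search(ev.get("Details", "")):
                hits.append(Hit("Boot or Logon Autostart Execution: Active Setup", "T1547.014", ev))
        elif kind == "FileCreate" and pats["install_path"].search(ev["TargetFilename"]):
            hits.append(Hit("Drops file in System32 directory", "", ev))
        elif kind == "DnsQuery" and ev["QueryName"].lower() in c2_hosts:
            hits.append(Hit("DNS lookup of configured C2", "", ev))
        elif kind == "NetworkConnect" and (ev["DestinationHostname"].lower(), int(ev["DestinationPort"])) in c2:
            hits.append(Hit("Connection to configured C2", "", ev))
        elif kind == "CreateRemoteThread" and ev["TargetImage"].lower().endswith("\\" + config["injected_process"]):
            hits.append(Hit("Remote thread in injected_process", "", ev))
    return hits


# Constructed Sysmon-style events (field names follow EIDs 13, 11, 22, 3, 8).
# The Active Setup GUID is a placeholder; the full install path is an assumption.
SAMPLE_EVENTS = [
    {"EventType": "RegistryValueSet", "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vesna",
     "Details": r"C:\Windows\System32\Diskoteka\smc.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath",
     "Details": r"C:\Windows\System32\Diskoteka\smc.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Windows\System32\Diskoteka\smc.exe"},
    {"EventType": "DnsQuery", "QueryName": "freecoolstuff.dyndns.org"},
    {"EventType": "NetworkConnect", "DestinationHostname": "freecoolstuff.dyndns.org", "DestinationPort": 3332},
    {"EventType": "NetworkConnect", "DestinationHostname": "127.0.0.1", "DestinationPort": 3332},  # placeholder, no hit
    {"EventType": "CreateRemoteThread", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},  # benign, no hit
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.rule:50} {hit.technique:10} {hit.event}")
```

Because the dynamic-DNS name resolves to whatever the operator points it at, the network indicator is keyed on hostname and port rather than on a resolved IP; a DNS-query event is matched separately so a blocked or failed connection still surfaces.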

MITRE ATT&CK Matrix (ATT&CK v13; counts are matching signatures)

Persistence
  • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Active Setup (T1547.014): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Active Setup (T1547.014): 1

Defense Evasion
  • Modify Registry (T1112): 2

Tasks