Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    4c8290e55929dd8d276c67bbb64e1fa1_JaffaCakes118

  • Size

    514KB

  • Sample

    240716-ddc25avarf

  • MD5

    4c8290e55929dd8d276c67bbb64e1fa1

  • SHA1

    bd5c114f4a1c725ad453913aab387cd2c75675f7

  • SHA256

    ecbd086a87b0718777755d42e81f49bec8d002b0a7eea291592b9be591701c93

  • SHA512

    5d53c1dab8e6690e9934435b1f58e2cd56c2de8999d447b4959b6f6ca7b1ff0c5d16d75ff61c052c7bc59ca7eca8742097e0e8fdce8e16a2612267cf145743e0

  • SSDEEP

    12288:j4vpLPRpNJ5aWuRyetzvRBgnOYgq/xFTrFs8ZVDB5FViivP45AEoq2m9V1azSnQS:j+pVjW1zgvtf6EilaOQk

Malware Config

Extracted

Family

cybergate

Version

v1.23.0

Botnet

tadeupratique

C2

demolidor22.no-ip.org:7050

cacatata.no-ip.org:7055

demolidor22.no-ip.org:7060

demolidor22.no-ip.org:7065

Mutex

84CX24F08W0E73

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    windows

  • install_file

    msn.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Atualizar agora?

  • message_box_title

    NOD32 4.2.71

  • password

    zzpratique

Targets

    • Target

      4c8290e55929dd8d276c67bbb64e1fa1_JaffaCakes118

    • Size

      514KB

    • MD5

      4c8290e55929dd8d276c67bbb64e1fa1

    • SHA1

      bd5c114f4a1c725ad453913aab387cd2c75675f7

    • SHA256

      ecbd086a87b0718777755d42e81f49bec8d002b0a7eea291592b9be591701c93

    • SHA512

      5d53c1dab8e6690e9934435b1f58e2cd56c2de8999d447b4959b6f6ca7b1ff0c5d16d75ff61c052c7bc59ca7eca8742097e0e8fdce8e16a2612267cf145743e0

    • SSDEEP

      12288:j4vpLPRpNJ5aWuRyetzvRBgnOYgq/xFTrFs8ZVDB5FViivP45AEoq2m9V1azSnQS:j+pVjW1zgvtf6EilaOQk

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks