General

  • Target

    529c8d386a2896a1666ebdd132b89ad6_JaffaCakes118

  • Size

    284KB

  • Sample

    240717-ml8y7sxalk

  • MD5

    529c8d386a2896a1666ebdd132b89ad6

  • SHA1

    05c292fdf7caefaa04a9df5e2d96f578ef40b177

  • SHA256

    b730545b2a971b3288f09b516afad7842e26f2960398c369c251ac5a10d17afb

  • SHA512

    14d130547dbadae742d52926f61e5165f2d683a203e6b3ee83060526ccf9f50938429787be9d3d2b18fb2540b8299f73ff76170aae3cf91e4faacb5165992181

  • SSDEEP

    6144:1k4qmAmhq+bB6VNJmafqIykD4fYFKuTVM52XAA5+3Q:S92B6HIIRb6YFKcXw3Q

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

ahmedahmed2011.no-ip.info:288

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    windows.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    t?tulo da mensagem

  • password

    abcd1234

Targets

    • Target

      529c8d386a2896a1666ebdd132b89ad6_JaffaCakes118

    • Size

      284KB

    • MD5

      529c8d386a2896a1666ebdd132b89ad6

    • SHA1

      05c292fdf7caefaa04a9df5e2d96f578ef40b177

    • SHA256

      b730545b2a971b3288f09b516afad7842e26f2960398c369c251ac5a10d17afb

    • SHA512

      14d130547dbadae742d52926f61e5165f2d683a203e6b3ee83060526ccf9f50938429787be9d3d2b18fb2540b8299f73ff76170aae3cf91e4faacb5165992181

    • SSDEEP

      6144:1k4qmAmhq+bB6VNJmafqIykD4fYFKuTVM52XAA5+3Q:S92B6HIIRb6YFKcXw3Q

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks