cybergate | 96bf6960b257b8d61599dddf6b6a132ce4e091a50ad270ab201acd7736dfedc1

General

Target

737e132016fdacf970a67c2f9b3f1da7_JaffaCakes118
Size

280KB
Sample

240726-ljv4wszapp
MD5

737e132016fdacf970a67c2f9b3f1da7
SHA1

f740bcabfb5669e1df622bf134f065b4de2759e0
SHA256

96bf6960b257b8d61599dddf6b6a132ce4e091a50ad270ab201acd7736dfedc1
SHA512

8c435007cf9bfb601a10482009e3a25acc7c7ded9422b7281126a198dae95eb92370d9c390ce229e51c05bde6b50c32c60c264673a4e338317805342953a82af
SSDEEP

6144:Kk4qmNsQLdRYHqXC4C2/C2Lkyv/HC4lK8pPLZ9cSP:V9MfpRy6C4TtkqijU9

Score

10^/10

Malware Config

Extracted

Family

cybergate

Botnet

TRUE

C2

ÝØðÕÞÎÝÎÅý¼¼ûÙÈìÎÓßýØØÎÙÏÏ¼¼êÕÎÈÉÝÐìÎÓÈÙßÈ¼¼êÕÎÈÉÝÐýÐÐÓß¼¼êÕÎÈÉÝÐúÎÙÙ¼¼¼ùÄÕÈìÎÓßÙÏÏ¼¼¼ðÏÝÿÐÓÏÙ¼¼ÿÎÅÌÈéÒÌÎÓÈÙßÈøÝÈÝ¼¼ÿÓèÝÏ×ñÙÑúÎÙÙ¼¼¼ïÅÏúÎÙÙïÈÎÕÒÛ¼¼¼ìïÈÓÎÙÿÎÙÝÈÙõÒÏÈÝÒßÙ¼¼îÝÏùÒÉÑùÒÈÎÕÙÏý¼¼¼ïôûÙÈïÌÙßÕÝÐúÓÐØÙÎìÝÈÔý¼¼¼èÓýÏßÕÕ¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼Y4BH6X30Y}

HKCU

FALSE

16

0

t?tulo da mensagem

texto da mensagem

TRUE

ftp.server.com

./logs/

ftp_user

ª÷Öº+Þ

21

30

Mutex

Attributes

enable_keylogger
false
enable_message_box
false
install_dir
TRUE
install_file
TRUE
install_flag
true
keylogger_enable_ftp
false
message_box_caption
FALSE
message_box_title
FALSE
password
TRUE
regkey_hkcu
TRUE
regkey_hklm
TRUE

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

aymoon1983.zapto.org:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
t?tulo da mensagem
password
abcd1234
regkey_hkcu
HKCU

Targets

- Target
  
  737e132016fdacf970a67c2f9b3f1da7_JaffaCakes118
- Size
  
  280KB
- MD5
  
  737e132016fdacf970a67c2f9b3f1da7
- SHA1
  
  f740bcabfb5669e1df622bf134f065b4de2759e0
- SHA256
  
  96bf6960b257b8d61599dddf6b6a132ce4e091a50ad270ab201acd7736dfedc1
- SHA512
  
  8c435007cf9bfb601a10482009e3a25acc7c7ded9422b7281126a198dae95eb92370d9c390ce229e51c05bde6b50c32c60c264673a4e338317805342953a82af
- SSDEEP
  
  6144:Kk4qmNsQLdRYHqXC4C2/C2Lkyv/HC4lK8pPLZ9cSP:V9MfpRy6C4TtkqijU9
Score

10^/10

cybergate öííé discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2