General

  • Target

    7ab5739713a50926d007b1d798358872_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240731-bg25basgrd

  • MD5

    7ab5739713a50926d007b1d798358872

  • SHA1

    5b5abbdb09a89bb19e888a01210fe02a19d706d5

  • SHA256

    147afb5230dbd1b5db79bd1600c1611a4ba9316fc03349e2b135d25fa9f13a36

  • SHA512

    789df7e1e847e626b6ea12a749e3e8e752d449ffd9232586d710e89562e7490e63e81afe8e29b8d9bc06234e31667f622f396166b72ec8c1e20fb2081f4180cb

  • SSDEEP

    12288:W1rIK/91mYvb/4nRPoWWEqWd9SA71WrY8j3FQMX608IRiQL0GK1cpBltEM2pAUDP:W1v27qU1lYZtvIei7v1

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

CG-User

C2

haburger961966.zapto.org:3737

Mutex

AHRE6H0UN5676G

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    griluk

Extracted

Family

latentbot

C2

haburger961966.zapto.org

Targets

    • Target

      7ab5739713a50926d007b1d798358872_JaffaCakes118

    • Size

      1.1MB

    • MD5

      7ab5739713a50926d007b1d798358872

    • SHA1

      5b5abbdb09a89bb19e888a01210fe02a19d706d5

    • SHA256

      147afb5230dbd1b5db79bd1600c1611a4ba9316fc03349e2b135d25fa9f13a36

    • SHA512

      789df7e1e847e626b6ea12a749e3e8e752d449ffd9232586d710e89562e7490e63e81afe8e29b8d9bc06234e31667f622f396166b72ec8c1e20fb2081f4180cb

    • SSDEEP

      12288:W1rIK/91mYvb/4nRPoWWEqWd9SA71WrY8j3FQMX608IRiQL0GK1cpBltEM2pAUDP:W1v27qU1lYZtvIei7v1

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • LatentBot

      Modular trojan written in Delphi which has been in-the-wild since 2013.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks