General

  • Target

    8823af8e79cf6c84c915617f1bd17cf9_JaffaCakes118

  • Size

    731KB

  • Sample

    240810-3nrqpsycpf

  • MD5

    8823af8e79cf6c84c915617f1bd17cf9

  • SHA1

    d1113c09f4c5c6b35cdc96f083fb42edac0ba26a

  • SHA256

    8f360354c082aab5a0a7d705ac32f4a72a332328369dd0745b0fef800ed9ad40

  • SHA512

    d0ac3443759dbd473dfba0694d09e805fc5e0522d174ad0452f6a5bc3ff1dd2ef2787b87d85ad76d7b34bbca351364ed4948f17e16f5a99f7f23cc9dd1542151

  • SSDEEP

    12288:bmq9GMVA9BPAiX0R11u+IgvdBzKXAAF/EEkfhtMizLQhHlUs4DUDEdEbN639s:bmq9rVE4PRXdVBuXk5P3M2hYD2Ebi9s

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    Cyber

  • C2

    ihazawp.no-ip.biz:100

  • Mutex

    7RA437MU1R167M

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    The application has encountered an error and shutdown!

  • message_box_title

    A Fatal Error Occured!

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    T1547 Boot or Logon Autostart Execution (3)
    T1547.001 Registry Run Keys / Startup Folder (2)
    T1547.014 Active Setup (1)

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution (3)
    T1547.001 Registry Run Keys / Startup Folder (2)
    T1547.014 Active Setup (1)

  • Defense Evasion

    T1112 Modify Registry (3)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)
    T1614 System Location Discovery (1)
    T1614.001 System Language Discovery (1)

Tasks