General

  • Target

    8c1c1afab654e16c0b9aefd82d351137_JaffaCakes118

  • Size

    632KB

  • Sample

    240811-1qykxsvakh

  • MD5

    8c1c1afab654e16c0b9aefd82d351137

  • SHA1

    01f57b5a5a75ec49bd22bac5a645b9860f8832eb

  • SHA256

    1a7fdd296a685fdfe86009157d6bdebc142faec4abf0029958c83f350008107a

  • SHA512

    a5697ed43184d5f4c92df90bafc96891fc313bb9e41f390622150ddf304f65a25869170f41d827b20768018b9a2402afce485a993a624dbbf61d9c3467b47f32

  • SSDEEP

    12288:F1dlZo5yQKnCOTLgbA3TvfhSR9JTd99UjCJC7w4M5acYgcx6vsCYcph9:F1dlZo5hounJz9UticNkph9

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

sovaj.sytes.net:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    Svchost.exe

  • install_dir

    AppPatch

  • install_file

    AcAdProc.dll

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • Target

      8c1c1afab654e16c0b9aefd82d351137_JaffaCakes118

    • Size

      632KB

    • MD5

      8c1c1afab654e16c0b9aefd82d351137

    • SHA1

      01f57b5a5a75ec49bd22bac5a645b9860f8832eb

    • SHA256

      1a7fdd296a685fdfe86009157d6bdebc142faec4abf0029958c83f350008107a

    • SHA512

      a5697ed43184d5f4c92df90bafc96891fc313bb9e41f390622150ddf304f65a25869170f41d827b20768018b9a2402afce485a993a624dbbf61d9c3467b47f32

    • SSDEEP

      12288:F1dlZo5yQKnCOTLgbA3TvfhSR9JTd99UjCJC7w4M5acYgcx6vsCYcph9:F1dlZo5hounJz9UticNkph9

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks