General

  • Target

    899d71edfd93b02874bfe620736d4480_JaffaCakes118

  • Size

    355KB

  • Sample

    240811-jxw71a1gkr

  • MD5

    899d71edfd93b02874bfe620736d4480

  • SHA1

    7f6a382da4b34f5d3b5da63f3b21416bd2f19a9a

  • SHA256

    c89232b9392166c2c29424ac0129238f6557cbf42a69f60ebae473bf785e975a

  • SHA512

    b2d99b1377f5a3c878b563142565338c38c8318a8d16d2d8aea6f74275c505a28427c3ba212216b515422fbcda383e61ecefb513fce1a738eb35cb33e0450b51

  • SSDEEP

    6144:49BHmtW3dfReDKodfut+fRI1iAFNjKYU5M9GFfMvmCCzhoy88F:4eWtfaCVPTjKn5M4pC2hoI

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    Cyber

  • C2

    46.37.180.197:2300

  • Mutex

    M2PUXL8BFYT2U7

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scripting: T1064 (1)

  • Persistence

    Boot or Logon Autostart Execution: T1547 (1)

    Registry Run Keys / Startup Folder: T1547.001 (1)

  • Privilege Escalation

    Boot or Logon Autostart Execution: T1547 (1)

    Registry Run Keys / Startup Folder: T1547.001 (1)

  • Defense Evasion

    Scripting: T1064 (1)

    Modify Registry: T1112 (1)

  • Discovery

    Query Registry: T1012 (1)

    System Information Discovery: T1082 (2)

    System Location Discovery: T1614 (1)

    System Language Discovery: T1614.001 (1)

Tasks