cybergate | 0b3d871ff876dd443cad3abd47d39c1c4ac4813ea5b14748427a335d89c3d723 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

8bb92127ca53a2cd7567582066657b4d_JaffaCakes118
Size

492KB
Sample

240811-yh4e4aygmf
MD5

8bb92127ca53a2cd7567582066657b4d
SHA1

9150d5cfe7e5dbd82d34557a4a05a5b4c4c890b1
SHA256

0b3d871ff876dd443cad3abd47d39c1c4ac4813ea5b14748427a335d89c3d723
SHA512

8225195360c1a0fa30acfcd152c5bab1863db4c502882167ba81f0a558291e69973f247f5abf3b8cf0cdda107e5e2e9779f7bb5ca838cec64e4340a54a6b99aa
SSDEEP

12288:wwKwmA+LwvzvAUqyiGT+MMpYzODHwaa9QkDff3gk4WEBsvIwrcG/98k:wnA+szveXIXxYfhG

Score

10^/10

cybergate certainty discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Certainty

C2

ssigs.zapto.org:6118

Mutex

2H678004WX353N

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
The selected text file is invalid.
message_box_title
Invalid Text Format
password
z1U4o4b7a0l6H4d1t2b8A6F8
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  8bb92127ca53a2cd7567582066657b4d_JaffaCakes118
- Size
  
  492KB
- MD5
  
  8bb92127ca53a2cd7567582066657b4d
- SHA1
  
  9150d5cfe7e5dbd82d34557a4a05a5b4c4c890b1
- SHA256
  
  0b3d871ff876dd443cad3abd47d39c1c4ac4813ea5b14748427a335d89c3d723
- SHA512
  
  8225195360c1a0fa30acfcd152c5bab1863db4c502882167ba81f0a558291e69973f247f5abf3b8cf0cdda107e5e2e9779f7bb5ca838cec64e4340a54a6b99aa
- SSDEEP
  
  12288:wwKwmA+LwvzvAUqyiGT+MMpYzODHwaa9QkDff3gk4WEBsvIwrcG/98k:wnA+szveXIXxYfhG
Score

10^/10

cybergate certainty discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatecertaintydiscoverypersistencestealertrojanupx

behavioral2

cybergatecertaintydiscoverypersistencestealertrojanupx