General

  • Target

    90bbf01146714f2829fdb9a115cfb864_JaffaCakes118

  • Size

    292KB

  • Sample

    240812-3ght8a1fqe

  • MD5

    90bbf01146714f2829fdb9a115cfb864

  • SHA1

    72aefeaca973ae017927980c1d3af1cbc3753a67

  • SHA256

    8e8aa7b8f76ed9a34dc21405e3b64d2d7d3183474c03eaa23a4e1a31dbf8c3ec

  • SHA512

    64a19c3440c597d20c2f1f5c925824ac73073499c56bfc5248d26ba9ad8d2052d894b622f8b700a9a60fbec4ecd8c3f17ad67cdaebe2801febfb78cdfc36fa42

  • SSDEEP

    6144:i/XmzzWETFHTNpqvt+BGAZTk0pqupf1TKOV4ZJPU9rH0lwJRcf:GXmOETFzct+QWTJd3Kw4bPUdUlwJRe

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

bahaege.no-ip.biz:8181

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Can't open file

  • message_box_title

    hata

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      90bbf01146714f2829fdb9a115cfb864_JaffaCakes118

    • Size

      292KB

    • MD5

      90bbf01146714f2829fdb9a115cfb864

    • SHA1

      72aefeaca973ae017927980c1d3af1cbc3753a67

    • SHA256

      8e8aa7b8f76ed9a34dc21405e3b64d2d7d3183474c03eaa23a4e1a31dbf8c3ec

    • SHA512

      64a19c3440c597d20c2f1f5c925824ac73073499c56bfc5248d26ba9ad8d2052d894b622f8b700a9a60fbec4ecd8c3f17ad67cdaebe2801febfb78cdfc36fa42

    • SSDEEP

      6144:i/XmzzWETFHTNpqvt+BGAZTk0pqupf1TKOV4ZJPU9rH0lwJRcf:GXmOETFzct+QWTJd3Kw4bPUdUlwJRe

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks