General

  • Target

    8f6c7f30b8d94814dacc568912ed3e52_JaffaCakes118

  • Size

    609KB

  • Sample

    240812-ttg9satbmc

  • MD5

    8f6c7f30b8d94814dacc568912ed3e52

  • SHA1

    005c5779a4dba184591ffbcbfacd3aca63fe9c36

  • SHA256

    1c93611aef1fea7c143f43b896daf01cf2a2199883028b2a02c1bacffd475eb0

  • SHA512

    4b0cb67f05d824568fd9700046f01556dbff7b877c9a7d756170952b80c5485a9a7b71fe63b65a5bbfdcfdd24b2d568c029048ffb2e2a0b7ab29d814428ae60f

  • SSDEEP

    12288:kUVy5eQigCxkjPdOaayowrhvRV89RO44qEycvlCX:kUVkegCi1OZyNrhXgRO4nE1C

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

vítima

C2

127.0.0.1:90

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks