General

  • Target

    9117aa52629c9abae45b3dd752bee183_JaffaCakes118

  • Size

    1.0MB

  • Sample

    240813-bxtswaxcpb

  • MD5

    9117aa52629c9abae45b3dd752bee183

  • SHA1

    f1bbd1d768d29147c1fddfb7e79d30dc4f6a4925

  • SHA256

    1cf0395ee51019616840b54ddce5a95b4e6a06039dfeb3da5ccc3de93b5c4772

  • SHA512

    26933b94eaab4ec9112b45228367293ca159313a8c57d6ca80a65d6b852b5df7d5d0d63da15bd2ca7e0a84f24836bd8ce70cc1dbea250dc185a82a23846d43b5

  • SSDEEP

    24576:WRLHvmycC31BtR+fnizCU3UL6Iy3NN3FIzKDdy/hpYOJTLf4i4:KZz2fnKCaULaN9FIeD0/0eTj/4

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

vítima

C2

tarek777.no-ip.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      9117aa52629c9abae45b3dd752bee183_JaffaCakes118

    • Size

      1.0MB

    • MD5

      9117aa52629c9abae45b3dd752bee183

    • SHA1

      f1bbd1d768d29147c1fddfb7e79d30dc4f6a4925

    • SHA256

      1cf0395ee51019616840b54ddce5a95b4e6a06039dfeb3da5ccc3de93b5c4772

    • SHA512

      26933b94eaab4ec9112b45228367293ca159313a8c57d6ca80a65d6b852b5df7d5d0d63da15bd2ca7e0a84f24836bd8ce70cc1dbea250dc185a82a23846d43b5

    • SSDEEP

      24576:WRLHvmycC31BtR+fnizCU3UL6Iy3NN3FIzKDdy/hpYOJTLf4i4:KZz2fnKCaULaN9FIeD0/0eTj/4

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks