General

  • Target

    92c4c92e49d0d5ab6385354f363868fa_JaffaCakes118

  • Size

    572KB

  • Sample

    240813-m117xathnm

  • MD5

    92c4c92e49d0d5ab6385354f363868fa

  • SHA1

    cf4cd9c0425503352b620fefd672e1cf5605d20d

  • SHA256

    1c1e7bf29ffc716b24868809c1f55fb22cee62038f36fcd3d305d1ca32ac089d

  • SHA512

    c36b75999ad6d3ae2dabe9b382f7c2cb90c1770973e7a6115cf641fb75e7195d9eb6dd73f2d473ab8a1e07d410e645a1188f04d960d298a9f15a38a386322e8a

  • SSDEEP

    12288:/0Eg5R61FfLqdVoQv1PH6kSQoFdK+ShFL0xWdjTm:cEvGHR6OoFsNrHdjq

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    vítima

  • C2

    breakdance.no-ip.org:81

  • Mutex

    ***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    driver.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    votre windows n'est pas compatible

  • message_box_title

    microsoft

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      92c4c92e49d0d5ab6385354f363868fa_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15