General

  • Target

    9f19a6773c8c676d9f7780a62f82f771_JaffaCakes118

  • Size

    290KB

  • Sample

    240816-tv2d2svara

  • MD5

    9f19a6773c8c676d9f7780a62f82f771

  • SHA1

    417e287f45f89625fa8fb21f9d92e04719030ff7

  • SHA256

    bcbac7a4393e2199d93856d70778fe356820236401cb848433c07acb296b4633

  • SHA512

    68853bb0d82c80df81c1572b2150ed26518b9c8f8701948a30aa32a6d6dd4d62fed566875da1e9fb038ec6e9a13ad52070a6a04f6d29d0c48a4b413b85def3a8

  • SSDEEP

    6144:EmcD66RRjJ5JGmrpQsK3FD2u270jupCJsCxCu:lcD663U92zkPaCx9

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    vítima

  • C2

    127.0.0.1:81

  • Mutex

    ***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./\310312/

  • ftp_interval

    5

  • ftp_password

    monic_35

  • ftp_port

    21

  • ftp_server

    ftp.drivehq.com

  • ftp_username

    servercrw

  • injected_process

    explorer.exe

  • install_dir

    System32

  • install_file

    drivsql.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    Archivo dañado

  • message_box_title

    Error

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15