cybergate | 73216646ff38316277fedff287dca2a595b1ce7f954dd2ab6b5d599401f84cb8 | Triage

Sharing

General

Target

a0bcafb5a0114b3b354a46f1409466d1_JaffaCakes118
Size

1.1MB
Sample

240817-b28slatbjk
MD5

a0bcafb5a0114b3b354a46f1409466d1
SHA1

083ef6a2ecaffb8df511f17c9077e3ca87b1c18a
SHA256

73216646ff38316277fedff287dca2a595b1ce7f954dd2ab6b5d599401f84cb8
SHA512

dad437efc48d0103603bd8dd42958f8779c9a551e1d30d931e124f94b44ee06b74b343f0d1fe8510b411b0f1984fb4211b02427a38c944b00e529bc82d2f92d7
SSDEEP

24576:EVLcWBPmEBiTT4hJs1FYjqoRYalhBWx+UHj:EpamJz1

Score

10^/10

cybergate sheik discovery evasion persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

sheik

C2

darksc.zapto.org:615

Mutex

8TVRYTKKH5DV7V

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
SearchIndexer.exe
install_dir
WindDir
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Update Successful. Movie should start shortly
message_box_title
Quicktime
password
bigdaddy

Targets

- Target
  
  a0bcafb5a0114b3b354a46f1409466d1_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  a0bcafb5a0114b3b354a46f1409466d1
- SHA1
  
  083ef6a2ecaffb8df511f17c9077e3ca87b1c18a
- SHA256
  
  73216646ff38316277fedff287dca2a595b1ce7f954dd2ab6b5d599401f84cb8
- SHA512
  
  dad437efc48d0103603bd8dd42958f8779c9a551e1d30d931e124f94b44ee06b74b343f0d1fe8510b411b0f1984fb4211b02427a38c944b00e529bc82d2f92d7
- SSDEEP
  
  24576:EVLcWBPmEBiTT4hJs1FYjqoRYalhBWx+UHj:EpamJz1
Score

10^/10

cybergate sheik discovery evasion persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Modifies firewall policy service
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatesheikdiscoveryevasionpersistencestealertrojanupx

behavioral2

cybergatesheikdiscoveryevasionpersistencestealertrojanupx