General

  • Target

    a1a296b76be90dd04c3c671b670145a5_JaffaCakes118

  • Size

    3.4MB

  • Sample

    240817-h3s7vstcqf

  • MD5

    a1a296b76be90dd04c3c671b670145a5

  • SHA1

    92634cc255631c557dd8ac3b53f9d33de931a5a2

  • SHA256

    c977ad9044bb20f176f8ef1c1f0c311092be604fc985e3b579ad3c965ba4b76f

  • SHA512

    04cd1cc96ab1dbbfea0b9bf0d7b6d43b517b02b600017209af4333e0ae2e5aeafc4d200738b4691dd731918df8d80fbfd660a6506bf2a5c358d00506dd8b2a0e

  • SSDEEP

    49152:mcD5EcpDgsiwEY21Xn0uyoW3L2HOUARbMvl4ePASbANkrNDkyPgTrPvJxk7W+JiU:v20Q3ZQKNARgvllANkrNvPar5aaPc

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    remote

  • C2

    fmsserver.dyndns.biz:81
    fmsserver.dyndns.biz:999
    fmsserver.dyndns.biz:1111
    newnewnewdslnew.zapto.org:81
    newnewnewdslnew.zapto.org:999
    newnewnewdslnew.zapto.org:1111
    newnewnewdslnew.zapto.org:80
    127.0.0.1:81

  • Mutex

    K305AR06NSGF4W

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    winlogon.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    nonono

  • message_box_title

    nonono

  • password

    cybergate

Extracted

  • Family

    latentbot

  • C2

    newnewnewdslnew.zapto.org

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • LatentBot

      Modular trojan written in Delphi that has been in the wild since 2013.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15