General

  • Target

    a19bfe2604d6514d94fceb7cfd535673_JaffaCakes118

  • Size

    355KB

  • Sample

    240817-hw5x3swfml

  • MD5

    a19bfe2604d6514d94fceb7cfd535673

  • SHA1

    16092ffa44a53d3facdccc5f656e8c5f52454c8c

  • SHA256

    0011c677d5cf3dcf5d396875c0a931547d5f601c752f8f4648d73da92bad2c38

  • SHA512

    b1bf780b178633ac619129ce1d289cfd6c0357e6bbd64e06e499868209aa377555b31536f9e076de5f816a8499e908c447009fe912485bd3fdb13d66f414e032

  • SSDEEP

    6144:F0IxaVEoLrZVOi/8QZzR+nt/SM9hqULsK1iWb5az1ardmJHVOq4rbgSM:F0IxaVEovZVOvQZzR+nt/ZIUQYocrdIV

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

h4zazi.no-ip.biz:82

yemene.no-ip.org:299

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • Target

      a19bfe2604d6514d94fceb7cfd535673_JaffaCakes118

    • Size

      355KB

    • MD5

      a19bfe2604d6514d94fceb7cfd535673

    • SHA1

      16092ffa44a53d3facdccc5f656e8c5f52454c8c

    • SHA256

      0011c677d5cf3dcf5d396875c0a931547d5f601c752f8f4648d73da92bad2c38

    • SHA512

      b1bf780b178633ac619129ce1d289cfd6c0357e6bbd64e06e499868209aa377555b31536f9e076de5f816a8499e908c447009fe912485bd3fdb13d66f414e032

    • SSDEEP

      6144:F0IxaVEoLrZVOi/8QZzR+nt/SM9hqULsK1iWb5az1ardmJHVOq4rbgSM:F0IxaVEovZVOvQZzR+nt/ZIUQYocrdIV

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks