General

  • Target

    a27d292def78f5b139552d33d2116640_JaffaCakes118

  • Size

    276KB

  • Sample

    240817-pew26sxgmr

  • MD5

    a27d292def78f5b139552d33d2116640

  • SHA1

    c1f6522e3996fe203a4564fcc245a32021eeff26

  • SHA256

    73d1c5d3605ed6540c5300b9981f474e55c78d49615d0aaaf81e6398f104fecb

  • SHA512

    8e16cb3829dcba8ef72d3d298b19e35d45df61e42c951956321cbcf1330204a5b990c59716be54a1fd0dabf9953ee5dde57451df33897b90b1fbcf811efff61c

  • SSDEEP

    6144:9k4qmHgLa/Vd06+5U5fXUTg2m5U9+RNHocQfl:q9406Azg2IUU

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

jemre.zapto.org:81

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory
