General

  • Target

    bc83197c2992aea3626c7852f4e5b161_JaffaCakes118

  • Size

    447KB

  • Sample

    240823-t6cj3awaqd

  • MD5

    bc83197c2992aea3626c7852f4e5b161

  • SHA1

    68d9f5de234571efbabefd0ff5e970fa3f12c242

  • SHA256

    09d8dab18c14cba38ac36ed267af1e8f58f3f0b6d2d5d622028dab68c72d6aa5

  • SHA512

    10a7000237cedd9330cff5c89e812af1c59ccbb7bcaa07e18ac69ea2c4d7069ba57b6e23b8febcbf26576490895ef08cfd97876e44d77bd7dcaeed52d73f4caf

  • SSDEEP

    6144:8wsEwsj2WEVIldtQKVKWmHlKVf7ND3zVhR+xOl6xYJXzZPtCI/K:8wisjaelKmzNL3gIwY1zZFZ/K

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

cannotseeme.zapto.org:3460

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    windows.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

latentbot

C2

cannotseeme.zapto.org

Targets

    • Target

      bc83197c2992aea3626c7852f4e5b161_JaffaCakes118

    • Size

      447KB

    • MD5

      bc83197c2992aea3626c7852f4e5b161

    • SHA1

      68d9f5de234571efbabefd0ff5e970fa3f12c242

    • SHA256

      09d8dab18c14cba38ac36ed267af1e8f58f3f0b6d2d5d622028dab68c72d6aa5

    • SHA512

      10a7000237cedd9330cff5c89e812af1c59ccbb7bcaa07e18ac69ea2c4d7069ba57b6e23b8febcbf26576490895ef08cfd97876e44d77bd7dcaeed52d73f4caf

    • SSDEEP

      6144:8wsEwsj2WEVIldtQKVKWmHlKVf7ND3zVhR+xOl6xYJXzZPtCI/K:8wisjaelKmzNL3gIwY1zZFZ/K

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • LatentBot

      Modular trojan written in Delphi which has been in-the-wild since 2013.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks
