Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    bf3f2215dd6e53a9b5ee3522e2fe3121_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240824-x4r4hsvemd

  • MD5

    bf3f2215dd6e53a9b5ee3522e2fe3121

  • SHA1

    cebc14da4c2d9087047ee323bc34852fc2e73360

  • SHA256

    cc3c69f92b5b1bdd604f68b17f19c237df1296853cc1feb501133d8f482210bf

  • SHA512

    09646384cd58e4c8f81d36f84c62e22bea4baaa59d4db9a682ac06e90217130408d487008103e47f7d03ca3f7d845a255d7e4ad161c530929280f9967907fd38

  • SSDEEP

    49152:EDv2JMTIKPwtskKWbzV1lkjI+hPCNmwPBlPt/Bok9:ERj41lkjRjwPBlpek

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

sdsf1123.no-ip.biz:1338

Mutex

YU8MD1VU023H08

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Engine

  • install_file

    iexplore.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      bf3f2215dd6e53a9b5ee3522e2fe3121_JaffaCakes118

    • Size

      2.2MB

    • MD5

      bf3f2215dd6e53a9b5ee3522e2fe3121

    • SHA1

      cebc14da4c2d9087047ee323bc34852fc2e73360

    • SHA256

      cc3c69f92b5b1bdd604f68b17f19c237df1296853cc1feb501133d8f482210bf

    • SHA512

      09646384cd58e4c8f81d36f84c62e22bea4baaa59d4db9a682ac06e90217130408d487008103e47f7d03ca3f7d845a255d7e4ad161c530929280f9967907fd38

    • SSDEEP

      49152:EDv2JMTIKPwtskKWbzV1lkjI+hPCNmwPBlPt/Bok9:ERj41lkjRjwPBlpek

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks