General

  • Target: c0365d7223d9b82c3fe41f639376eb6a_JaffaCakes118
  • Size: 281KB
  • Sample: 240825-hy44katbnp
  • MD5: c0365d7223d9b82c3fe41f639376eb6a
  • SHA1: 405a25b3c3803fb58ca63af905374812ddaac6ba
  • SHA256: 71cf6e73376020bd2585b4d6742daac29e6085b31864e04fbff7b7a0909dd300
  • SHA512: b7dc5619fb25866d96d04919afeb87aeb1254acc198ae6eafb470e3b3f4d97da2db1416098e6590faef6c65ecdcbe5015e58d9b4e901d9e8a2d8c5bcf452f35c
  • SSDEEP: 6144:pS72GikLRA5kDXjcMreuARPaYSZ7ksZEp:0lScjcMyuOQksCp

Malware Config

Extracted

  • Family: cybergate
  • Version: v1.21.1
  • Botnet: ICRNER11_2701
  • C2: tranoglaros13.zapto.org:3781, 192.168.0.10:81
  • Mutex: 48W463LGV221NU

Attributes
  • enable_keylogger: false
  • enable_message_box: false
  • ftp_directory: ./logs
  • ftp_interval: 30
  • injected_process: explorer.exe
  • install_dir: install
  • install_file: WinDef.exe
  • install_flag: true
  • keylogger_enable_ftp: false
  • message_box_caption: Remote Administration anywhere in the world.
  • message_box_title: CyberGate
  • password: 27042704
  • regkey_hkcu: Windows Defender
  • regkey_hklm: Windows Defender

Extracted

  • Family: latentbot
  • C2: tranoglaros13.zapto.org

Targets

    • Target: c0365d7223d9b82c3fe41f639376eb6a_JaffaCakes118
    • Size: 281KB
    • MD5: c0365d7223d9b82c3fe41f639376eb6a
    • SHA1: 405a25b3c3803fb58ca63af905374812ddaac6ba
    • SHA256: 71cf6e73376020bd2585b4d6742daac29e6085b31864e04fbff7b7a0909dd300
    • SHA512: b7dc5619fb25866d96d04919afeb87aeb1254acc198ae6eafb470e3b3f4d97da2db1416098e6590faef6c65ecdcbe5015e58d9b4e901d9e8a2d8c5bcf452f35c
    • SSDEEP: 6144:pS72GikLRA5kDXjcMreuARPaYSZ7ksZEp:0lScjcMyuOQksCp

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • LatentBot

      Modular trojan written in Delphi which has been in the wild since 2013.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks
