General

  • Target

    c10420f94d5150434466beeccb74661a_JaffaCakes118

  • Size

    863KB

  • Sample

    240825-spwqyasemn

  • MD5

    c10420f94d5150434466beeccb74661a

  • SHA1

    b267cf40f0e87d3ac202f79c40e10c081728a4ac

  • SHA256

    b215f0e1e0c74806d79061af0be65588796c01bdbf0f5bbcfec93df495b6d7ac

  • SHA512

    01e69371e4e0f86b0f146ebdf00cebbe0872f62c3ac56930075b78d6e5bc019e84b02f47c69f8808b3a9510b379dedd7e396dbfa388f7988407e0ab2d888c496

  • SSDEEP

    24576:eQg6PtCDrCH+QLk02Na1zlH11C84FHMRv0IC7r:NgwtymHVk8zlH1V4FCv0hr

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

127.0.0.1:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      c10420f94d5150434466beeccb74661a_JaffaCakes118

    • Size

      863KB

    • MD5

      c10420f94d5150434466beeccb74661a

    • SHA1

      b267cf40f0e87d3ac202f79c40e10c081728a4ac

    • SHA256

      b215f0e1e0c74806d79061af0be65588796c01bdbf0f5bbcfec93df495b6d7ac

    • SHA512

      01e69371e4e0f86b0f146ebdf00cebbe0872f62c3ac56930075b78d6e5bc019e84b02f47c69f8808b3a9510b379dedd7e396dbfa388f7988407e0ab2d888c496

    • SSDEEP

      24576:eQg6PtCDrCH+QLk02Na1zlH11C84FHMRv0IC7r:NgwtymHVk8zlH1V4FCv0hr

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks