General

  • Target

    c133aa02ec26e17b6fd191b87ff44465_JaffaCakes118

  • Size

    295KB

  • Sample

    240825-vra85avdpe

  • MD5

    c133aa02ec26e17b6fd191b87ff44465

  • SHA1

    bb9a9a16c975e29430ff516752a54b1c14711025

  • SHA256

    e04c22e514c2e0672b63edc94699931492bdb9edb5a5e50cb282fe0eb114ce03

  • SHA512

    167bae06c0905373d7c1121553a0218dea88feb3c2d8c3799199517f0a94166c5c9f9bb596576a695963def2c3f2e80b17de1488ac321e9d2c56ffceef3912b4

  • SSDEEP

    6144:OrL5172hCsSVbv0Z1+xXMZQ9JvwfYjgPe9fo/sL/qJ7Nh:OrL51ShCh5WoHgPe9fzM7L

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    vítima

  • C2

    spynethoste.no-ip.biz:81

  • Mutex

    ***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Windows3d

  • install_file

    WindowsNT.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    "0x00000014". A memória não pôde ser "read".

  • message_box_title

    windows vista not running.

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      c133aa02ec26e17b6fd191b87ff44465_JaffaCakes118

    • Size

      295KB

    • MD5

      c133aa02ec26e17b6fd191b87ff44465

    • SHA1

      bb9a9a16c975e29430ff516752a54b1c14711025

    • SHA256

      e04c22e514c2e0672b63edc94699931492bdb9edb5a5e50cb282fe0eb114ce03

    • SHA512

      167bae06c0905373d7c1121553a0218dea88feb3c2d8c3799199517f0a94166c5c9f9bb596576a695963def2c3f2e80b17de1488ac321e9d2c56ffceef3912b4

    • SSDEEP

      6144:OrL5172hCsSVbv0Z1+xXMZQ9JvwfYjgPe9fo/sL/qJ7Nh:OrL51ShCh5WoHgPe9fzM7L

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15