General

  • Target

    c5e5e6224d33e54532f7feb156385d88_JaffaCakes118

  • Size

    939KB

  • Sample

    240827-21a32sxerp

  • MD5

    c5e5e6224d33e54532f7feb156385d88

  • SHA1

    ff10b3180d0db0a194d04d85eca11bd9fbf407a3

  • SHA256

    15fe624181b33de328180d52bda2e5cfb717d49fd99ba480feba99d40eb6894f

  • SHA512

    14f5889a1bdbfff7aae24f4b7208001f7405b3d24b3d41eb1b838992c94e66dfdbf78a1678684b223d73b8353aefbfa19a60f5bc255719485b853fc929e84099

  • SSDEEP

    12288:ZsYlUUbJGisK9qJsH4bQRkOSUXnxdv90Jk244x0S9EM8eoANlsPVpIBM9L4LpQSr:Vq6cdoAZ0gOl4iGhxgOrIo

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

cr4ck-spynet.no-ip.org:96

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    svchost

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Error System 32

  • message_box_title

    Error System 32

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      c5e5e6224d33e54532f7feb156385d88_JaffaCakes118

    • Size

      939KB

    • MD5

      c5e5e6224d33e54532f7feb156385d88

    • SHA1

      ff10b3180d0db0a194d04d85eca11bd9fbf407a3

    • SHA256

      15fe624181b33de328180d52bda2e5cfb717d49fd99ba480feba99d40eb6894f

    • SHA512

      14f5889a1bdbfff7aae24f4b7208001f7405b3d24b3d41eb1b838992c94e66dfdbf78a1678684b223d73b8353aefbfa19a60f5bc255719485b853fc929e84099

    • SSDEEP

      12288:ZsYlUUbJGisK9qJsH4bQRkOSUXnxdv90Jk244x0S9EM8eoANlsPVpIBM9L4LpQSr:Vq6cdoAZ0gOl4iGhxgOrIo

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks