General

  • Target

    c4883dd32803e7b4f08da5f1945f725c_JaffaCakes118

  • Size

    376KB

  • Sample

    240827-htvz4azflj

  • MD5

    c4883dd32803e7b4f08da5f1945f725c

  • SHA1

    bc318baf314b97e9f027c5050130bf9db1b5c223

  • SHA256

    a7129963af5db15777b393e33b6cff30c92ca5808f79290a7f4c02e3089b2ed4

  • SHA512

    10114cada0be7198b175cfa7c09f583444a86171820d22c6bcce9ae8b3833521ae6ef58658f56fa20a47afff6a38c3ebdb1cebba3dbf2501852d6887e4098681

  • SSDEEP

    6144:dC9pVUxmVXVzQcvhBGPaSEiYR0DIBz5dI7VzmEniaMWtDDSTUBxppnZA:dOraI7LGdEiYR0DozzKmwbMsDDSk1

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

microsoft.dyndns-ip.com:81

microsoft.dyndns-ip.com:110

microsoft.dyndns-ip.com:21

mlcrosoft.dyndns.biz:25

mlcrosoft.dyndns.biz:443

mlcrosoft.dyndns.biz:945

Mutex

eset

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    temp

  • install_file

    eset32.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      c4883dd32803e7b4f08da5f1945f725c_JaffaCakes118

    • Size

      376KB

    • MD5

      c4883dd32803e7b4f08da5f1945f725c

    • SHA1

      bc318baf314b97e9f027c5050130bf9db1b5c223

    • SHA256

      a7129963af5db15777b393e33b6cff30c92ca5808f79290a7f4c02e3089b2ed4

    • SHA512

      10114cada0be7198b175cfa7c09f583444a86171820d22c6bcce9ae8b3833521ae6ef58658f56fa20a47afff6a38c3ebdb1cebba3dbf2501852d6887e4098681

    • SSDEEP

      6144:dC9pVUxmVXVzQcvhBGPaSEiYR0DIBz5dI7VzmEniaMWtDDSTUBxppnZA:dOraI7LGdEiYR0DozzKmwbMsDDSk1

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15
