cybergate | a6a927f7f38235e0818b4c2f6d36c34117023b0f39d65a98262bc6c6e434ec4d | Triage

Sharing

Copy URL Twitter E-mail

General

Target

c86ad53c15bfa51b632e6a536cfb95a3_JaffaCakes118
Size

469KB
Sample

240829-h3saka1fqp
MD5

c86ad53c15bfa51b632e6a536cfb95a3
SHA1

d6e028e17aa07a9cf2b4c45af9dfe5684987330b
SHA256

a6a927f7f38235e0818b4c2f6d36c34117023b0f39d65a98262bc6c6e434ec4d
SHA512

9986b29636d5b8d8f98a92916aa157e276330e790a5f251f3cb6d85c8055783311f5837855ff2e538ea1f716ddf8d3245083651224d62f86e52c37fc16bacf97
SSDEEP

6144:dPhK1KtY4wGRT0mb3hVShyJAKhepJLqlKUY5EciQ6AU94QE2taz:y1K64wGRT0wxVIKhepFEJHQ6AUGL2sz

Score

10^/10

cybergate pwnd discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

pwnd

C2

ichbingay1.no-ip.biz:5151

Mutex

CDLU5163K48318

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Shell Extractor Services
install_file
Trace Update Services.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
samira
regkey_hkcu
Shell Extractor Services
regkey_hklm
Trace Update Services

Targets

- Target
  
  c86ad53c15bfa51b632e6a536cfb95a3_JaffaCakes118
- Size
  
  469KB
- MD5
  
  c86ad53c15bfa51b632e6a536cfb95a3
- SHA1
  
  d6e028e17aa07a9cf2b4c45af9dfe5684987330b
- SHA256
  
  a6a927f7f38235e0818b4c2f6d36c34117023b0f39d65a98262bc6c6e434ec4d
- SHA512
  
  9986b29636d5b8d8f98a92916aa157e276330e790a5f251f3cb6d85c8055783311f5837855ff2e538ea1f716ddf8d3245083651224d62f86e52c37fc16bacf97
- SSDEEP
  
  6144:dPhK1KtY4wGRT0mb3hVShyJAKhepJLqlKUY5EciQ6AU94QE2taz:y1K64wGRT0wxVIKhepFEJHQ6AUGL2sz
Score

10^/10

cybergate pwnd discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatepwnddiscoverypersistencestealertrojan

behavioral2

cybergatepwnddiscoverypersistencestealertrojanupx