General

Target: c9421e77df17cdd6ebd637aaa32b2e4f_JaffaCakes118
Size: 404KB
Sample: 240829-vrsheathrl
MD5: c9421e77df17cdd6ebd637aaa32b2e4f
SHA1: 44360f7937f50e87f3efaf22e3f0abbeb78d85cf
SHA256: 6d58a420dede321f638ac8b4c182c2e2df83585b7658a15d6f5d6c4f2314f78a
SHA512: f627f74a794efd90aae9098a8a1cd49bd6fdfd74a3092bc697a32232a01e4fe66d006902a3cb1c3a2e396855f75d35750b724e684a1dbc7e2ee39cbd1553fbab
SSDEEP: 6144:HDkJP9YgVZsKxNCTxAZMKoYTk8b4Y97Oi2B8thHtEriULonNF0srj8Gyu:HgJ2yZs4c+qGThb4svthNcvUnNB8f
Static task: static1
Behavioral task: behavioral1
Sample: c9421e77df17cdd6ebd637aaa32b2e4f_JaffaCakes118.exe
Resource: win7-20240705-en
Malware Config

Extracted: cybergate
v1.04.8
me
alexalextwo.zapto.org:2222
46OUKW2TI68JAM
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: svchost
install_file: svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 112233445566

Extracted: latentbot
alexalextwo.zapto.org
Targets

Target: c9421e77df17cdd6ebd637aaa32b2e4f_JaffaCakes118
Size: 404KB
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext