General

  • Target

    cc6906cd3c6257087da2d2908ca7e286_JaffaCakes118

  • Size

    436KB

  • Sample

    240831-h7ev2asarc

  • MD5

    cc6906cd3c6257087da2d2908ca7e286

  • SHA1

    541a858154d7f8fcdcef002398e44ee9705f53d9

  • SHA256

    fc57d32e024fe168ff6a09852c047f1d985ad82f65b6a6d321a6d201a325673b

  • SHA512

    69d3d6fb80b3d458d5517518880c3385d4ca0e8834f3596eed2bc710d1da7381ccd7e88e2bcddaeb8230889d4d2c89b1d85e9d970c84311fec9de219a85a851e

  • SSDEEP

    12288:4iSC/HjfMOwm6QR2Q+Nv9XPI872LX7pzF/qH/BWp6j1wtbcdnSxEuNPUcjKos3wF:fEm6aNmA/9zF/qZWjh4SSqPg

Malware Config

Extracted

Family

cybergate

Version

v1.07.0

Botnet

remote

C2

freshsimon-hack.dyndns.tv:8303

maxekinge.no-ip.org:8303

maxekinge-hack.dyndns.tv:8303

Mutex

86X646G3VX38C4

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    dll_runner.exe

  • install_dir

    install

  • install_file

    rundll32_x86.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    FatalError: 0x576692d4pp0 Error in line '27': '0' is none a Variable

  • message_box_title

    ERROR - iSpam

  • password

    lol123

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      cc6906cd3c6257087da2d2908ca7e286_JaffaCakes118

    • Size

      436KB

    • MD5

      cc6906cd3c6257087da2d2908ca7e286

    • SHA1

      541a858154d7f8fcdcef002398e44ee9705f53d9

    • SHA256

      fc57d32e024fe168ff6a09852c047f1d985ad82f65b6a6d321a6d201a325673b

    • SHA512

      69d3d6fb80b3d458d5517518880c3385d4ca0e8834f3596eed2bc710d1da7381ccd7e88e2bcddaeb8230889d4d2c89b1d85e9d970c84311fec9de219a85a851e

    • SSDEEP

      12288:4iSC/HjfMOwm6QR2Q+Nv9XPI872LX7pzF/qH/BWp6j1wtbcdnSxEuNPUcjKos3wF:fEm6aNmA/9zF/qZWjh4SSqPg

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks