General

  • Target

    ccdace1d03a5ebe8f6ac0ef02ff26e25_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240831-qbngasvdph

  • MD5

    ccdace1d03a5ebe8f6ac0ef02ff26e25

  • SHA1

    f5acac7945b001fefd8702b31520e3e4889956bd

  • SHA256

    e303bdfc10b4e37032bc49c3e18906b4dd925e7e1337713ff4bc646731a2e9bd

  • SHA512

    53afd028b67277d1aa68b150d17febd3ddc3be49f44ce565f9a99966597ad3d8316ddd5e3fce9ea5786751ba29a520bfcce1d501874f4abc72b5107d0ead6fac

  • SSDEEP

    24576:v/Efv73w6/h0F05G3wjkkLZKerAF9m1tFcQRu+2SK:vcfjvp+uqy5serEcNnb

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

remote

C2

deathbythousands.sytes.net:81

hackedbybob.no-ip.org:1337

Mutex

TTV3ETU845R654

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

Targets

    • Target

      ccdace1d03a5ebe8f6ac0ef02ff26e25_JaffaCakes118

    • Size

      1.2MB

    • MD5

      ccdace1d03a5ebe8f6ac0ef02ff26e25

    • SHA1

      f5acac7945b001fefd8702b31520e3e4889956bd

    • SHA256

      e303bdfc10b4e37032bc49c3e18906b4dd925e7e1337713ff4bc646731a2e9bd

    • SHA512

      53afd028b67277d1aa68b150d17febd3ddc3be49f44ce565f9a99966597ad3d8316ddd5e3fce9ea5786751ba29a520bfcce1d501874f4abc72b5107d0ead6fac

    • SSDEEP

      24576:v/Efv73w6/h0F05G3wjkkLZKerAF9m1tFcQRu+2SK:vcfjvp+uqy5serEcNnb

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks