General

  • Target

    ce03005692a838ea9ec9d8c1c6a075f4_JaffaCakes118

  • Size

    334KB

  • Sample

    240905-1m2s6s1cqb

  • MD5

    ce03005692a838ea9ec9d8c1c6a075f4

  • SHA1

    ec54211887245cba6c468d5a12d11a07a392b749

  • SHA256

    2ddac1a095349a73c167b98cfc540ab4f85ea7c6e761be283d513c8744ec3e44

  • SHA512

    7e4e9df8d9ee1d670381939e397f2c3a0421e2d22ce4544e771101c57fd9f5dbd13bd6d90e7c04c3d1dd02ca8f8e764f943e2928a475f1ee3ab318396a9f3c6f

  • SSDEEP

    6144:qjru9byBf+Q4oOVkU/v76E39nHSwrovzFFxFVrNC98nUwFS2dsoXQ:3wf+DoOP+E30wr6FJVrNC93wFxsog

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    remote

  • C2

    scate2.no-ip.info:81

  • Mutex

    MC66KX3IDCUM2H

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Su sistema operativo todavia no es compatible con Tuenti Vision

  • message_box_title

    Tuenti Visor v5

  • password

    2cacas

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks