General

  • Target

    d1bbc7d1b8cd54e7ff5b757028d570b4_JaffaCakes118

  • Size

    615KB

  • Sample

    240907-mmzf6azbqq

  • MD5

    d1bbc7d1b8cd54e7ff5b757028d570b4

  • SHA1

    393e5ed857603520f05aad8c92099a444e442447

  • SHA256

    6dab6ac827b439f070293c0046bff0721b6202b23de7c9de4f10d4aa9f4a2eb3

  • SHA512

    de1ac01850faf0029421df581579d3095b1ee76acf09acedc64c337436e258547fb77998ac56c95db848716bcde8012ef437b60189e0bb5b58b8ecd84c814939

  • SSDEEP

    12288:0D8/a5/jeGq6D0Ts9n5fET8t/FhmXgIucnxl9+KIuzzS6bSxDnbm91:xy5etTsTRtdhmXgKnr9QuzFuDnbm

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.02.1

  • Botnet

    Dr West

  • C2

    Dr187.ddns.net:4444

  • Mutex

    Pluguin

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft

  • install_file

    Pluguin.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Sorry

  • message_box_title

    Erro

  • password

    root

Targets

    • Target

      d1bbc7d1b8cd54e7ff5b757028d570b4_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15