General

  • Target

    d233a7ae761d4e51991b90524de4399a_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240907-sckg5szalj

  • MD5

    d233a7ae761d4e51991b90524de4399a

  • SHA1

    4186f0cdb04577c7e3d39661a8ff5de2554c6737

  • SHA256

    77452bf1543f74d592d8a5d5c426c70fdac64a6772221884b41dc06196a225d3

  • SHA512

    e22edc8e1fa678992820ba405c4f0d5344f2827a0e35fb5efb0989eab365b5c71efd244403889f17dad6722ddd7ad7facdf0c838f935e0a203f2c23cd1a65a30

  • SSDEEP

    24576:JHlIi6S9baGrDjLP/yelqJEATLQbzRuBqhPVA3nY7KkiE7ANmwla4:jIi6S9LX3KEELSRRPVAXg8yANra

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

C2

xcxz.no-ip.biz:1604

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    winupdate.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    229669

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      d233a7ae761d4e51991b90524de4399a_JaffaCakes118

    • Size

      1.1MB

    • MD5

      d233a7ae761d4e51991b90524de4399a

    • SHA1

      4186f0cdb04577c7e3d39661a8ff5de2554c6737

    • SHA256

      77452bf1543f74d592d8a5d5c426c70fdac64a6772221884b41dc06196a225d3

    • SHA512

      e22edc8e1fa678992820ba405c4f0d5344f2827a0e35fb5efb0989eab365b5c71efd244403889f17dad6722ddd7ad7facdf0c838f935e0a203f2c23cd1a65a30

    • SSDEEP

      24576:JHlIi6S9baGrDjLP/yelqJEATLQbzRuBqhPVA3nY7KkiE7ANmwla4:jIi6S9LX3KEELSRRPVAXg8yANra

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks