General

  • Target

    d554369e5387c32325624baef73c5e15_JaffaCakes118

  • Size

    293KB

  • Sample

    240909-aabhcavane

  • MD5

    d554369e5387c32325624baef73c5e15

  • SHA1

    94dca3f3758a1693e7c7831070ded5079794d3ed

  • SHA256

    f155f5f37997e49fc37c860fe52b59b15579a47aa0a03a611530dc643ce94d2a

  • SHA512

    1401a66b024741a57936b8f910adc877a29d6b78b889e12961148d1655f4c8b53b26c448587afc725b2a160ba523d0f9faed395c451c9aa74bdacc2e249186f3

  • SSDEEP

    6144:6A4udNbQfF/dQ29u4jMgdaGkjn1XNOF4+HKGjKopqV7Q7P+wqAz:f4uXQfF1l9NjMgdo1+4T76E7Q7l

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

vítima

C2

dasdasdas.zapto.org:8080

mierda.no-ip.org:8080

asdd.zapto.org:8080

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    dir8558.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Ha ocurrido un error al intentar abrir el archivo, esto puede ser debido a un problema de compatibilidad. Pruebe ejecutando el archivo en modo compatible con su sistema operativo.

  • message_box_title

    Error 4x223

  • password

    1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      d554369e5387c32325624baef73c5e15_JaffaCakes118

    • Size

      293KB

    • MD5

      d554369e5387c32325624baef73c5e15

    • SHA1

      94dca3f3758a1693e7c7831070ded5079794d3ed

    • SHA256

      f155f5f37997e49fc37c860fe52b59b15579a47aa0a03a611530dc643ce94d2a

    • SHA512

      1401a66b024741a57936b8f910adc877a29d6b78b889e12961148d1655f4c8b53b26c448587afc725b2a160ba523d0f9faed395c451c9aa74bdacc2e249186f3

    • SSDEEP

      6144:6A4udNbQfF/dQ29u4jMgdaGkjn1XNOF4+HKGjKopqV7Q7P+wqAz:f4uXQfF1l9NjMgdo1+4T76E7Q7l

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks