General

  • Target

    d592c179744abe99ed55f926681fc0e3_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240909-dtsgra1hje

  • MD5

    d592c179744abe99ed55f926681fc0e3

  • SHA1

    a8b400221620b6757ffd6b5fc339effebce70718

  • SHA256

    90a6f633a0b6f006df18604401765d55c09378987383af7ac3fb55f74a4adf38

  • SHA512

    61e330a2d7058d82813ae1e87b2494342b500b43fb9d455d7e0d1a761f0ef9a925d1bfa19c5c8b285d54c0efaeb9ebb76157711f4974702348ffee1c5d87d6b6

  • SSDEEP

    24576:ls7/gSR0nRKfGwpbzlAM6rzqIbC17MW7dySkSViGSJZq/+co7pMBCnS5p9Bq:ls7/nwURAaVVKj+BCnE9Bq

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

jnvl2011.no-ip.org:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      d592c179744abe99ed55f926681fc0e3_JaffaCakes118

    • Size

      1.1MB

    • MD5

      d592c179744abe99ed55f926681fc0e3

    • SHA1

      a8b400221620b6757ffd6b5fc339effebce70718

    • SHA256

      90a6f633a0b6f006df18604401765d55c09378987383af7ac3fb55f74a4adf38

    • SHA512

      61e330a2d7058d82813ae1e87b2494342b500b43fb9d455d7e0d1a761f0ef9a925d1bfa19c5c8b285d54c0efaeb9ebb76157711f4974702348ffee1c5d87d6b6

    • SSDEEP

      24576:ls7/gSR0nRKfGwpbzlAM6rzqIbC17MW7dySkSViGSJZq/+co7pMBCnS5p9Bq:ls7/nwURAaVVKj+BCnE9Bq

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks