General

  • Target

    d593a5d6558a2ea2768d9862983c76c0_JaffaCakes118

  • Size

    901KB

  • Sample

    240909-dwwxysygnq

  • MD5

    d593a5d6558a2ea2768d9862983c76c0

  • SHA1

    826ea32d07eb0a54d0d1823b542c205cc270a2be

  • SHA256

    fbed47d48b5852f0e243ed1c5675a9baccd7a5a27e20454d53eddc8975667456

  • SHA512

    cd4b5d2900f121efd2670a2686d23354cb635ca9f51e33cdb5d1dd544bd3ddb59b5e71c829ee08a1217dd519cef7b9fc4d0248f7e1e6363818868b7e0ec4c232

  • SSDEEP

    24576:6zq+LtXVERKGMUT7ZaclhgV6x74YW6XR9WMdvXaPN:6zq+xXVyKGMc7MUQ6JXmM5YN

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

C2

78.243.80.47:80

78.243.80.47:81

78.243.80.47:82

78.243.80.47:83

geekattitude.dyndns-ip.com:80

geekattitude.dyndns-ip.com :81

geekattitude.dyndns-ip.com :82

geekattitude.dyndns-ip.com :83

192.168.0.16:80

192.168.0.16:81

192.168.0.16:82

192.168.0.16:83

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    Hack comptes Steam

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Nous sommes en train de vous séléctionner un compte Steam à partir de notre base de données. VEUILLEZ PATIENTEZ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . (left as extracted, sic; English: "We are selecting a Steam account for you from our database. PLEASE WAIT. . . .")

  • message_box_title

    Hack comptes Steam

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
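
The C2 list above mixes a public IP, a DynDNS hostname (three entries with a stray space before the port, reproduced as they appear) and an RFC 1918 address that a victim network cannot reach and that most likely belongs to the operator's own LAN. The following Python is an added example, not part of the sandbox report, showing how to turn that config into network indicators and match them against log lines; the key=value proxy/DNS log format and the log lines themselves are constructed for the example.

```python
import ipaddress
import re

# C2 entries copied from the extracted CyberGate config above, including the
# stray space before the port on three of the hostname entries.
C2_ENTRIES = [
    "78.243.80.47:80", "78.243.80.47:81", "78.243.80.47:82", "78.243.80.47:83",
    "geekattitude.dyndns-ip.com:80", "geekattitude.dyndns-ip.com :81",
    "geekattitude.dyndns-ip.com :82", "geekattitude.dyndns-ip.com :83",
    "192.168.0.16:80", "192.168.0.16:81", "192.168.0.16:82", "192.168.0.16:83",
]

# Constructed log lines (not from the report) in a key=value format assumed
# for this example: a proxy CONNECT log and a DNS query log.
SAMPLE_LOGS = """\
2024-09-09T13:02:11Z proxy src=10.0.0.5 dst=78.243.80.47:81 action=CONNECT
2024-09-09T13:02:12Z dns   src=10.0.0.5 query=GEEKATTITUDE.dyndns-ip.com type=A
2024-09-09T13:02:13Z proxy src=10.0.0.5 dst=78.243.80.47:443 action=CONNECT
2024-09-09T13:02:14Z proxy src=10.0.0.7 dst=192.168.0.16:80 action=CONNECT
2024-09-09T13:02:15Z proxy src=10.0.0.8 dst=203.0.113.10:80 action=CONNECT
"""


def parse_c2(entries=C2_ENTRIES):
    """Normalise 'host:port' strings to (host, port) and split private addresses out.

    192.168.0.16 is RFC 1918 space: it is the operator's own LAN, not something a
    victim network can route to, so it must not alert like a real C2."""
    public, private = set(), set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        host, port = host.strip().lower(), int(port.strip())
        try:
            is_private = ipaddress.ip_address(host).is_private
        except ValueError:          # a hostname, not an IP literal
            is_private = False
        (private if is_private else public).add((host, port))
    return public, private


# Pull the destination out of either log shape: dst=host:port or query=name
TARGET_RE = re.compile(r"\b(?:dst|query)=(?P<host>[\w.\-]+)(?::(?P<port>\d+))?")


def match_logs(log_text, entries=C2_ENTRIES):
    """Return (line_number, severity, reason) for every line touching a configured C2."""
    public, private = parse_c2(entries)
    public_hosts = {h for h, _ in public}
    private_hosts = {h for h, _ in private}
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = TARGET_RE.search(line)
        if not m:
            continue
        host = m.group("host").lower()
        port = int(m.group("port")) if m.group("port") else None
        if host in public_hosts:
            if port is None or (host, port) in public:
                hits.append((n, "high", f"configured C2 {host}" + (f":{port}" if port else " (DNS)")))
            else:
                # Same host, port not in the config: the DynDNS name / IP is still the
                # attacker's, so keep it, but let the analyst weigh it.
                hits.append((n, "medium", f"C2 host {host} on unlisted port {port}"))
        elif host in private_hosts:
            hits.append((n, "low", f"{host} is RFC 1918 in the config; probably the operator's lab, check locally"))
    return hits


if __name__ == "__main__":
    for n, sev, why in match_logs(SAMPLE_LOGS):
        print(f"line {n}: {sev:6} {why}")
```

The DynDNS hostname is matched on DNS queries regardless of port, because the name is under the operator's control and a resolution attempt alone is a signal; the private address is kept only as a low-severity note so it does not drown a SOC in false positives from unrelated hosts that happen to use 192.168.0.16.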

Targets

    • Target

      Hack comptes Steam/Hack comptes Steam.exe

    • Size

      1.4MB

    • MD5

      b47184afa534f3e5e2662dc1d54f8fb0

    • SHA1

      1674177ce7d692bd5dcd3a12b997c6018e7cd315

    • SHA256

      f213877df37706aeb01c63715436ceb910d68a78a39cbbb02e1211a093118c26

    • SHA512

      a649d3c6bd0685359a57d76cbf4f86712acec035b7d4a3746b1d7d69fb43e64a590fccebd4cd16a1de8310e4b4e23ce65478b4c266d90cb0fdf77360e5695620

    • SSDEEP

      24576:PwQWJ4pctFUwAHQIwEjjiooq+WJ4pctFUwAHQIwEjjiooqsLtwCc26uGi2VCHXSF:2JsctFT8jiooq7JsctFT8jiooqsLWpYU

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Drops file in System32 directory
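
Active Setup runs the StubPath of each component under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components at user logon whenever the matching HKCU component is missing or carries a lower Version, and the Run key starts its values at every logon. The Python below is an added example, not part of the report or of any vendor tooling: it audits a `reg export` style dump for both mechanisms and flags entries whose executable lives outside system or Program Files paths. The .reg text is constructed; the ie4uinit component is a real, benign Active Setup entry, while the {...C0DE} component, the "Steam Helper" value and the AppData\Roaming\install path are assumptions built from the install_dir/install_file values in the config above.

```python
import re

# Constructed `reg export` text (not from the sandbox report). The ie4uinit
# component is a real, benign Active Setup entry; the {...C0DE} component, the
# "Steam Helper" Run value and the install path under AppData are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"
"Version"="11,0,0,0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"Version"="11,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-00000000C0DE}]
"StubPath"="\"C:\\Users\\victim\\AppData\\Roaming\\install\\Hack comptes Steam.exe\""
"Version"="1,0,0,0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Steam Helper"="C:\\Users\\victim\\AppData\\Roaming\\install\\Hack comptes Steam.exe"
"""

ACTIVE_SETUP = r"SOFTWARE\Microsoft\Active Setup\Installed Components"
RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runonce")
# Directories a standard user cannot write to; an autostart pointing anywhere else is a red flag
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
                    "%systemroot%\\", "%programfiles%\\")


def parse_reg_export(text):
    """Parse the .reg subset needed here: [Key] headers and "Name"="string" values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith(('"', "@")) and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = value
    return keys


def exe_path(command):
    """Executable from a command line: the quoted token, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def version_tuple(v):
    """'11,0,0,0' -> (11, 0, 0, 0); missing value -> () so it compares lowest."""
    return tuple(int(x) for x in re.findall(r"\d+", v)) if v else ()


def _severity(path):
    return "info" if path.lower().startswith(TRUSTED_PREFIXES) else "high"


def audit_persistence(keys):
    """Flag Active Setup StubPaths and Run values; mark Active Setup entries that will
    fire at the next logon (HKLM version newer than, or absent from, HKCU)."""
    hkcu_components = {}
    for key, values in keys.items():
        hive, _, sub = key.partition("\\")
        if hive.upper() == "HKEY_CURRENT_USER" and sub.lower().startswith(ACTIVE_SETUP.lower() + "\\"):
            hkcu_components[sub.rsplit("\\", 1)[1].lower()] = values
    findings = []
    for key, values in keys.items():
        hive, _, sub = key.partition("\\")
        if hive.upper() == "HKEY_LOCAL_MACHINE" and sub.lower().startswith(ACTIVE_SETUP.lower() + "\\"):
            stub = values.get("StubPath")
            if not stub:
                continue
            user = hkcu_components.get(sub.rsplit("\\", 1)[1].lower())
            pending = user is None or version_tuple(user.get("Version")) < version_tuple(values.get("Version"))
            path = exe_path(stub)
            findings.append({"key": key, "name": "StubPath", "path": path,
                             "severity": _severity(path), "pending_logon": pending})
        elif sub.lower() in RUN_KEYS:
            for name, command in values.items():
                path = exe_path(command)
                findings.append({"key": key, "name": name, "path": path,
                                 "severity": _severity(path), "pending_logon": False})
    return findings


if __name__ == "__main__":
    for f in audit_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"{f['severity']:4} {'(next logon)' if f['pending_logon'] else '':12} {f['name']}: {f['path']}")
```

Run it against `reg export HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components` and the two Run keys from a suspect host (the parser only handles string values, which is all these keys normally hold). The trusted-prefix test is deliberately crude: a path under a user profile is the signal here, and an unquoted path with spaces, like the "Steam Helper" value, is truncated at the first space but still lands outside the trusted roots.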

    • Target

      Hack comptes Steam/mozsqlite3.dll

    • Size

      171KB

    • MD5

      744dcc4cbbfbb18fe3878c4e769ec48f

    • SHA1

      c1f2c56ee2d91203a01d3465f185295477a1217d

    • SHA256

      33eb31a2a576e663474a895ff0190316c64a93d9ce05a55df0d53f9beeb61163

    • SHA512

      706630be2ca09e574a7794e32e515a0a3f993643d034647b8cb976c1e7045e87e30362757cc65fcdb95f4a4327f0dcda3edc82ba84e5ed9115870a037e13af21

    • SSDEEP

      3072:4yOtgCNPbAHuzueAlwsKmiiEHpmBt7tjBwHH1ELXvSsmB8teUOhKJz4ZKJNCT1xe:FOtRsOz2xKmGH8JBwn+2smB1Uf8Kurb

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX or a modified UPX build (the open source packer with its section names renamed and/or the "UPX!" header magic removed).
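
A "UPX packed" signature is only partly about the UPX0/UPX1 names and the "UPX!" magic; a modified build removes both, but keeps the layout the stub depends on: an empty first section (raw size 0) reserving space for the unpacked image, and an entry point in the following section. The Python below is an added example, not the sandbox's signature, that reads the PE section table with the standard library only and reports those indicators. The three PE images are constructed in the block (header-only, not loadable) to show a stock UPX layout, the same layout renamed and stripped, and an ordinary compiler layout.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, entry_point_rva, trailer=b""):
    """Minimal, parse-only PE32 image constructed for this example (not loadable):
    DOS header with e_lfanew, COFF header, PE32 optional header, section table.
    `sections` holds (name, virtual_size, virtual_address, raw_size) tuples."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    opt_size = 224                                                           # PE32 optional header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_point_rva)     # AddressOfEntryPoint at +16
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode("ascii"), vsize, vaddr, rsize, 0, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rsize in sections)
    return dos + coff + opt + table + trailer


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) straight from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    table = pe + 24 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rsize": rsize})
    return entry, sections


def upx_indicators(data):
    """List the UPX indicators present: two string-based, two layout-based."""
    entry, sections = parse_pe(data)
    hits = []
    if any(s["name"].upper().startswith("UPX") for s in sections):
        hits.append("upx_section_names")
    if b"UPX!" in data:                       # header magic that stock builds leave in place
        hits.append("upx_magic")
    # Layout heuristics survive renaming: UPX0 is an empty section (raw size 0) that only
    # reserves address space for the unpacked image, and the stub's entry point sits in the
    # next section rather than the first.
    if sections and sections[0]["rsize"] == 0 and sections[0]["vsize"] >= 0x1000:
        hits.append("empty_first_section")
    ep_index = next((i for i, s in enumerate(sections)
                     if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rsize"])), None)
    if ep_index not in (None, 0):
        hits.append("entry_point_outside_first_section")
    return hits


def verdict(hits):
    if "upx_section_names" in hits or "upx_magic" in hits:
        return "upx"
    if "empty_first_section" in hits and "entry_point_outside_first_section" in hits:
        return "modified-upx-like"
    return "no-upx-indicators"


# Constructed images: stock UPX layout, the same layout with renamed sections and the magic
# stripped (what "modified UPX" usually means in practice), and an ordinary compiler layout.
STOCK_UPX = build_pe([("UPX0", 0x20000, 0x1000, 0), ("UPX1", 0x9000, 0x21000, 0x9000),
                      (".rsrc", 0x1000, 0x2A000, 0x1000)], 0x29000, trailer=b"UPX!")
MODIFIED_UPX = build_pe([(".text", 0x20000, 0x1000, 0), (".data", 0x9000, 0x21000, 0x9000),
                         (".rsrc", 0x1000, 0x2A000, 0x1000)], 0x29000)
CLEAN_PE = build_pe([(".text", 0x5000, 0x1000, 0x5000), (".data", 0x1000, 0x6000, 0x1000),
                     (".rsrc", 0x1000, 0x7000, 0x1000)], 0x1200)

if __name__ == "__main__":
    for label, image in (("stock", STOCK_UPX), ("modified", MODIFIED_UPX), ("clean", CLEAN_PE)):
        print(f"{label:9} {verdict(upx_indicators(image))}: {upx_indicators(image)}")
```

On a real sample, pass `open(path, "rb").read()` to `upx_indicators`. The layout heuristics alone are only "UPX-like": other packers and some hand-built loaders produce the same shape, so the verdict above is a triage hint rather than proof, which is also why the sandbox scores this signature rather than treating it as malicious by itself.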

MITRE ATT&CK Enterprise v15