General

  • Target

    d5d70a81365d1eefa7fa8808a11df978_JaffaCakes118

  • Size

    327KB

  • Sample

    240909-hyk1pawgjk

  • MD5

    d5d70a81365d1eefa7fa8808a11df978

  • SHA1

    4d79a486c1b876e6eabc6b6a1bba3d4867508ce0

  • SHA256

    f8bfda68d8ea4464d45cb842459ce621925a5b6168362c622d5439738677f861

  • SHA512

    e6e36731bed38cfd1d7d3c57dfead562548d7f43762a7bf915e46dba3f512f37bf31707fe3055dd0455d457bc11e6d0023c37eaee208e8e9c036cfb2483aef08

  • SSDEEP

    6144:wd9LSM4Ov8ecATQmsPAa3AfPLYK3N56nUtdfQHaMWl4Z:wTLT4OUehTQmAwTYK36Ut6HaMI4Z

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

orions666.no-ip.info:1338

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    jqsr.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Presione F4 Trade Sera Ativado
    (mixed Spanish/Portuguese: "Press F4, Trade will be activated"; this is the operator's lure text, shown only if enable_message_box is true)

  • message_box_title

    "

  • password

    123456789

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      d5d70a81365d1eefa7fa8808a11df978_JaffaCakes118

    • Size

      327KB

    • MD5

      d5d70a81365d1eefa7fa8808a11df978

    • SHA1

      4d79a486c1b876e6eabc6b6a1bba3d4867508ce0

    • SHA256

      f8bfda68d8ea4464d45cb842459ce621925a5b6168362c622d5439738677f861

    • SHA512

      e6e36731bed38cfd1d7d3c57dfead562548d7f43762a7bf915e46dba3f512f37bf31707fe3055dd0455d457bc11e6d0023c37eaee208e8e9c036cfb2483aef08

    • SSDEEP

      6144:wd9LSM4Ov8ecATQmsPAa3AfPLYK3N56nUtdfQHaMWl4Z:wTLT4OUehTQmAwTYK36Ut6HaMI4Z

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Adds Run key to start application

    • Drops file in System32 directory
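
The extracted config and the behavioural signatures above are only useful if they are turned into something that can be checked on a host. The script below is an added example, not part of the sandbox report or of CyberGate itself: it copies the report's hashes and config values, derives host indicators from them (C2 host and port, dropped file name, injected process, mutex, the standard Run, policy Run and Active Setup registry locations that the three persistence signatures refer to), and matches them against a small set of constructed telemetry lines in a hypothetical `kind|key=value|...` format. The destination IP and the full path of `jqsr.exe` in the sample lines are assumptions for the example; the report only states the install directory name, the file name and that a file is dropped under System32. `verify_sample` returns True for each hash only when run over the real sample bytes.

```python
import hashlib

# Configuration values as extracted by the sandbox report (copied verbatim).
CYBERGATE_CONFIG = {
    "family": "cybergate",
    "version": "2.6",
    "c2": "orions666.no-ip.info:1338",
    "mutex": "***MUTEX***",
    "injected_process": "explorer.exe",
    "install_dir": "install",
    "install_file": "jqsr.exe",
    "enable_keylogger": True,
    "keylogger_enable_ftp": False,
}

# File hashes published in the report.
REPORTED_HASHES = {
    "md5": "d5d70a81365d1eefa7fa8808a11df978",
    "sha1": "4d79a486c1b876e6eabc6b6a1bba3d4867508ce0",
    "sha256": "f8bfda68d8ea4464d45cb842459ce621925a5b6168362c622d5439738677f861",
    "sha512": "e6e36731bed38cfd1d7d3c57dfead562548d7f43762a7bf915e46dba3f512f37"
              "bf31707fe3055dd0455d457bc11e6d0023c37eaee208e8e9c036cfb2483aef08",
}

# Standard registry locations behind the report's three persistence signatures
# (lower-case, hive prefix stripped), mapped to the signature name.
AUTOSTART_KEYS = {
    r"\software\microsoft\windows\currentversion\run":
        "Adds Run key to start application",
    r"\software\microsoft\windows\currentversion\policies\explorer\run":
        "Adds policy Run key to start application",
    r"\software\microsoft\active setup\installed components":
        "Boot or Logon Autostart Execution: Active Setup",
}


def verify_sample(data: bytes) -> dict:
    """Recompute each published hash over a file's bytes; True where it matches."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest
            for algo, digest in REPORTED_HASHES.items()}


def c2_host_port(c2: str) -> tuple:
    """Split the config's 'host:port' C2 string into (host, port)."""
    host, _, port = c2.rpartition(":")
    return host.lower(), int(port)


def build_iocs(cfg: dict) -> dict:
    """Derive host-matchable indicators from the extracted config."""
    host, port = c2_host_port(cfg["c2"])
    return {
        "c2_host": host,
        "c2_port": str(port),
        "dropped_file": cfg["install_file"].lower(),
        "host_process": cfg["injected_process"].lower(),
        "mutex": cfg["mutex"],
    }


def _parse(line: str):
    """'kind|k=v|k=v' -> (kind, {k: v}); None for a malformed line."""
    kind, _, rest = line.partition("|")
    fields = {}
    for kv in rest.split("|"):
        key, sep, value = kv.partition("=")
        if not sep:
            return None
        fields[key] = value
    return kind, fields


def match_telemetry(lines, iocs: dict) -> list:
    """Return (signature, reason, line) for every telemetry line that hits an IOC."""
    hits = []
    for line in lines:
        parsed = _parse(line)
        if parsed is None:
            continue
        kind, fields = parsed
        low = {k: v.lower() for k, v in fields.items()}
        if kind == "dns" and low.get("query") == iocs["c2_host"]:
            hits.append(("CyberGate C2", "configured C2 host resolved", line))
        elif (kind == "net" and low.get("dport") == iocs["c2_port"]
              and low.get("proc") == iocs["host_process"]):
            hits.append(("CyberGate injected process",
                         "C2 port contacted from the injected host process", line))
        elif kind == "reg" and iocs["dropped_file"] in low.get("value", ""):
            for path, signature in AUTOSTART_KEYS.items():
                if path in low.get("key", ""):
                    hits.append((signature, "autostart value points at dropped file", line))
                    break
        elif kind == "mutex" and fields.get("name") == iocs["mutex"]:
            hits.append(("CyberGate mutex", "default CyberGate mutex name", line))
        elif kind == "proc" and low.get("image", "").endswith("\\" + iocs["dropped_file"]):
            hits.append(("Executes dropped EXE", "dropped file started", line))
    return hits


# Constructed telemetry for a self-contained run (the report publishes no event
# log); the destination IP and the full install path are hypothetical.
SAMPLE_TELEMETRY = [
    "dns|query=orions666.no-ip.info",
    "net|dst=203.0.113.10|dport=1338|proc=explorer.exe",
    r"reg|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    r"|value=C:\Windows\System32\install\jqsr.exe",
    "mutex|name=***MUTEX***",
    r"proc|image=C:\Windows\System32\install\jqsr.exe|parent=explorer.exe",
    "dns|query=www.example.com",
]

if __name__ == "__main__":
    for hit in match_telemetry(SAMPLE_TELEMETRY, build_iocs(CYBERGATE_CONFIG)):
        print(*hit, sep="  ")
```

Note that the mutex `***MUTEX***` is the builder default rather than something unique to this operator, so a mutex hit alone only says "a CyberGate build", while the C2 host and the install file name tie an alert to this specific configuration.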

MITRE ATT&CK Enterprise v15