General

  • Target

    d7adb7084749812aa9dc1505c3f742e6_JaffaCakes118

  • Size

    868KB

  • Sample

    240910-gn3mba1cjc

  • MD5

    d7adb7084749812aa9dc1505c3f742e6

  • SHA1

    34810109f195783522f574945d1729a21eeb1401

  • SHA256

    4d7847132174c21dfcfd330e399be580167bff4dd6b9caa93a6deca2f36389fb

  • SHA512

    6c3d5c77d55daf64690b7ffb6f60c4c0faf0f4a78e6312c952209d3b93034ba25ce7ff9de34edac4db17f3ca143bf869cd630a8d199a0b7fd52284355130c842

  • SSDEEP

    12288:tX7cNYJBQdHj4e9aM4Ab8Mjwzj0+kPkPH++g/pFpGGpTYiwE6l34pQ/aR8Dx3Xov:hoNYgdHcBowBs79aVT3na

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    remote

  • C2

    127.0.0.1:100

  • Mutex

    BOJE1L75U0W7XE

Attributes

  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    180125

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15