General

  • Target

    d7afae01e7897d0108c3c6aa01e5134e_JaffaCakes118

  • Size

    2.4MB

  • Sample

    240910-gsqhjszblr

  • MD5

    d7afae01e7897d0108c3c6aa01e5134e

  • SHA1

    5773b101ac958612194eb056aaf2b46101b176cc

  • SHA256

    759f53e783c0d3c786a415d65cd1b0d15e16457734cecf89faedeb7baf67ccb7

  • SHA512

    87959b464dd0b0d6cc252d5d1ebcb1cb3023f51bc9fcbbd8c13eda194a6a1208d72855cff7c24955ef44dc7c9363096b6d4eb3f7ef58d7cda33e3c10d66c4f32

  • SSDEEP

    49152:hvq4lE27+q/Z44n/TiN4xLX0nC32IZj0oNaSnXynWfUnPB:eq/K+/TiGhj0oNa4Up

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

vítima

C2

mortality.myftp.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    system32

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Schwerer Ausnahmefehler

  • message_box_title

    Fehler

  • password

    abcd1234

  • regkey_hkcu

    svchost

  • regkey_hklm

    svchost

Targets

    • Target

      d7afae01e7897d0108c3c6aa01e5134e_JaffaCakes118

    • Size

      2.4MB

    • MD5

      d7afae01e7897d0108c3c6aa01e5134e

    • SHA1

      5773b101ac958612194eb056aaf2b46101b176cc

    • SHA256

      759f53e783c0d3c786a415d65cd1b0d15e16457734cecf89faedeb7baf67ccb7

    • SHA512

      87959b464dd0b0d6cc252d5d1ebcb1cb3023f51bc9fcbbd8c13eda194a6a1208d72855cff7c24955ef44dc7c9363096b6d4eb3f7ef58d7cda33e3c10d66c4f32

    • SSDEEP

      49152:hvq4lE27+q/Z44n/TiN4xLX0nC32IZj0oNaSnXynWfUnPB:eq/K+/TiGhj0oNa4Up

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks