Overview

overview

10

Static

static

3

dd2f44b2e8...18.exe

windows7-x64

10

dd2f44b2e8...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dd2f44b2e85b6a3ec6886009a5facc69_JaffaCakes118

  • Size

    327KB

  • Sample

    240912-2q8xbszfke

  • MD5

    dd2f44b2e85b6a3ec6886009a5facc69

  • SHA1

    45652b54456ffc385ffef8d3f69e89889d5557d6

  • SHA256

    fe2a15560ef0e6297a07e173d5c4188a7ca1816e1e4c81e846f369c0b0c35ea8

  • SHA512

    e093577ad57fe977e0cd12444e454ad808a9599471a4850ac3b3d43a8f676d3c848fc2daa5abad4d724ae2922aa8d998f0b78b9721930d37939628b6037d589e

  • SSDEEP

    6144:VvbwlMo34/XCe0LnEhlecHjLMdoVjtDPKrKrlH/t5BlP/dFZFgaAHhz3i6:qlMs4gnEzegwoLjKrKJ/7BlNFgaUhz3z

Score
10/10
cybergatehawkeye[email protected]discoverykeyloggerpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.03.0

C2

truehack.no-ip.biz:82

Mutex

4UL5B1E360335P

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    carsten123

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      dd2f44b2e85b6a3ec6886009a5facc69_JaffaCakes118

    • Size

      327KB

    • MD5

      dd2f44b2e85b6a3ec6886009a5facc69

    • SHA1

      45652b54456ffc385ffef8d3f69e89889d5557d6

    • SHA256

      fe2a15560ef0e6297a07e173d5c4188a7ca1816e1e4c81e846f369c0b0c35ea8

    • SHA512

      e093577ad57fe977e0cd12444e454ad808a9599471a4850ac3b3d43a8f676d3c848fc2daa5abad4d724ae2922aa8d998f0b78b9721930d37939628b6037d589e

    • SSDEEP

      6144:VvbwlMo34/XCe0LnEhlecHjLMdoVjtDPKrKrlH/t5BlP/dFZFgaAHhz3i6:qlMs4gnEzegwoLjKrKJ/7BlNFgaUhz3z

    Score
    10/10
    cybergatehawkeye[email protected]discoverykeyloggerpersistencespywarestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks