Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240913-x1xvlavare

  • MD5

    debe64957d3c8bb73b2f8f6d0809ce2c

  • SHA1

    f95c34e95d29dbd66c1cf8a1b6d55d7a96aa104e

  • SHA256

    2558eccb07cf148d31f2dabfb740f551e9107fac6287338b075f30e4530f4337

  • SHA512

    be2cdc15b15335d92edd7f85881602b744c694a047b33e70b2e739f281c4c3092fb1ae5ea053612dc5bd7975c6f5d922b6842d7b1128fcfe90e4b7d89f4b7a38

  • SSDEEP

    12288:YcZxYULthiYyS6MgHajxUM8GmXoxPl54pQ1QTvHz6yYEcUl6oKhG+xS6Y9Dg1DFW:7ZthioTxmTfzlovxHSU2othioTxE

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

HoN

C2

lugntoklingar.no-ip.biz:1992

lugntoklingar.no-ip.biz:3128

lugntoklingar.no-ip.biz:6721

lugntoklingar.no-ip.biz:6722

lugntoklingar.no-ip.biz:27015

lugntoklingar.no-ip.biz:2000

Mutex

JKQRE8IUL10FA6

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118

    • Size

      1.2MB

    • MD5

      debe64957d3c8bb73b2f8f6d0809ce2c

    • SHA1

      f95c34e95d29dbd66c1cf8a1b6d55d7a96aa104e

    • SHA256

      2558eccb07cf148d31f2dabfb740f551e9107fac6287338b075f30e4530f4337

    • SHA512

      be2cdc15b15335d92edd7f85881602b744c694a047b33e70b2e739f281c4c3092fb1ae5ea053612dc5bd7975c6f5d922b6842d7b1128fcfe90e4b7d89f4b7a38

    • SSDEEP

      12288:YcZxYULthiYyS6MgHajxUM8GmXoxPl54pQ1QTvHz6yYEcUl6oKhG+xS6Y9Dg1DFW:7ZthioTxmTfzlovxHSU2othioTxE

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks