cybergate | adf9338738e2acf89e5694081415581234f5a5e1dac2fd6497144d722b06351a | Triage

Sharing

General

Target

e0eb733217842b290a145ed012d9b24b_JaffaCakes118
Size

389KB
Sample

240914-yl5sbsshmc
MD5

e0eb733217842b290a145ed012d9b24b
SHA1

efe0175f9ede848e68c6c5eafa2ff7e888aebf42
SHA256

adf9338738e2acf89e5694081415581234f5a5e1dac2fd6497144d722b06351a
SHA512

80575da34f540166306cebbbd1ccbb910dfc4b3383d1ea329cd363c8b38cf4da3264b2c473746b00b17bb262f689487e8432568d16e3c40b33f6989bb7f398d7
SSDEEP

6144:lsSdAFQDwYo5x64X0Rh2f7gcQ93v5e2+8EM/2eLHsREB4zCtMuIdLBPtdzWIsbEM:lsSeFW4Gh2f7e3Y62WMXzaRIhfpWFbEM

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Trial version

Botnet

remote

C2

aline.myvnc.com:2012

Mutex

6K3P7IVE0D86OM

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
542306

Targets

- Target
  
  e0eb733217842b290a145ed012d9b24b_JaffaCakes118
- Size
  
  389KB
- MD5
  
  e0eb733217842b290a145ed012d9b24b
- SHA1
  
  efe0175f9ede848e68c6c5eafa2ff7e888aebf42
- SHA256
  
  adf9338738e2acf89e5694081415581234f5a5e1dac2fd6497144d722b06351a
- SHA512
  
  80575da34f540166306cebbbd1ccbb910dfc4b3383d1ea329cd363c8b38cf4da3264b2c473746b00b17bb262f689487e8432568d16e3c40b33f6989bb7f398d7
- SSDEEP
  
  6144:lsSdAFQDwYo5x64X0Rh2f7gcQ93v5e2+8EM/2eLHsREB4zCtMuIdLBPtdzWIsbEM:lsSeFW4Gh2f7e3Y62WMXzaRIhfpWFbEM
Score

10^/10

cybergate remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateremotediscoverypersistencestealertrojanupx

behavioral2

cybergateremotediscoverypersistencestealertrojanupx