General

  • Target

    e2ab1db63f5687515fe299e10cccaa0a_JaffaCakes118

  • Size

    407KB

  • Sample

    240915-rhq2faxgpr

  • MD5

    e2ab1db63f5687515fe299e10cccaa0a

  • SHA1

    cac742f61b1bd65826230ce6dff6df4640af0a96

  • SHA256

    1c072f68b3f2b6c3148d98f94766bb8b80b4b0601c6f4c3dc6de07a342ba4da6

  • SHA512

    c001f1d894646df6d8685a62248c084ab92ac175e5892972abf9bb442b412161f7a664cc750a1a0fa2b30c7cf72cffdf53b2bd6ade80740cd7b17fff37583c4d

  • SSDEEP

    12288:ImNI7be0p/3xz8uuU65vU9cgJ4P2KQc9e:ImNI7hpcDltgJ4+Kg

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

jir.zapto.org:3333

Mutex

71XIBX41MC403J

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Targets

    • Target

      e2ab1db63f5687515fe299e10cccaa0a_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified UPX variant.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext