General

  • Target

    e5c7f3ce866497de13eaeb1e84999487_JaffaCakes118

  • Size

    856KB

  • Sample

    240916-3r3blswcne

  • MD5

    e5c7f3ce866497de13eaeb1e84999487

  • SHA1

    e3b39b22be601cb59c5fdffafa8c63599e764639

  • SHA256

    f0d676acd0cb5e75046b6ced57e341ab9189260f8238ab0ab0512003f7fd2d67

  • SHA512

    e55879d077f36ec1bf3835427f75210e7635c5e3e2cf4575c5e447a5ab42c0c56b2c4c24374042e156bcc789c20b97d0f8c44970420d76c4720e9a6e882142b4

  • SSDEEP

    24576:ufbLZXzsEMH8HnC2yP+XXRthQLzrP2Z3GI:j8igXbCLzz28I

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

12hoster.servepics.com:7773

Mutex

K36X00J186YVSH

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    jjb

  • install_file

    iexplore.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      e5c7f3ce866497de13eaeb1e84999487_JaffaCakes118

    • Size

      856KB

    • MD5

      e5c7f3ce866497de13eaeb1e84999487

    • SHA1

      e3b39b22be601cb59c5fdffafa8c63599e764639

    • SHA256

      f0d676acd0cb5e75046b6ced57e341ab9189260f8238ab0ab0512003f7fd2d67

    • SHA512

      e55879d077f36ec1bf3835427f75210e7635c5e3e2cf4575c5e447a5ab42c0c56b2c4c24374042e156bcc789c20b97d0f8c44970420d76c4720e9a6e882142b4

    • SSDEEP

      24576:ufbLZXzsEMH8HnC2yP+XXRthQLzrP2Z3GI:j8igXbCLzz28I

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks