General

  • Target

    e786c3f29a4452ae71753d5e201a993e_JaffaCakes118

  • Size

    610KB

  • Sample

    240917-xy6dyszfmp

  • MD5

    e786c3f29a4452ae71753d5e201a993e

  • SHA1

    ede49785fca030657aa5c2092cee8e1d3d75933a

  • SHA256

    7563e921a292297a51316ab61333906ce07aad17c11a7be0d8368a89690c396e

  • SHA512

    e6b80faf5eb400e6d34a2042fa8f330037c7cf5b6580950d16f09947ef87c14ee5bb240214abdef8ca3a92b7d9f8333e28c8a58415aeec090550d238b6ea2dfb

  • SSDEEP

    12288:AROGyXYk2KShNsrkzyo47oQN64moDtIj7+dcw7+S9fD39/cc:AQGS2Jyo7QNIoDMyd/CSNZ5

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

remote

C2

massimoriva.no-ip.org:81

Mutex

1P3G25160PKFUB

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    hjghhy.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15