General

  • Target

    e81935e057891c3896e528ecf79b8437_JaffaCakes118

  • Size

    821KB

  • Sample

    240918-b9n36axapq

  • MD5

    e81935e057891c3896e528ecf79b8437

  • SHA1

    ce72da1ee322162ee1d95e4c197c73c1de1b8c3a

  • SHA256

    2e8fd325c1ac7e2ecade99cc07756e8f3c24e8d7969c8b0a0cb7abbbcfbd0966

  • SHA512

    e84cd5f3be2417bb1cd1b317e2f5017f053a461679e9e73360ca21b0a7e3b33c05b71725ce506cfe6faba6ed309a3ea612e4b34a97da47c21cdfb3841bef0c2e

  • SSDEEP

    12288:nVNDXzVtLs3y3ViApgx4EK13hMXLcy1kLY8UB7IMBj2ZUeZYfQCYfxCgGhHrwNFp:V3tA3swI0uQxc

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

C2

frankrat.no-ip.org:43594

127.0.0.1:43594

Mutex

KOA5XW4GH52061

Attributes

  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    .//public_html/

  • ftp_interval

    5

  • ftp_password

    f0147258

  • ftp_port

    21

  • ftp_server

    dcfrank.comoj.com

  • ftp_username

    a9697134

  • injected_process

    explorer.exe

  • install_file

    winboot.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    frank123
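The extracted configuration above is directly usable as detection content: the dynamic-DNS C2 host, the C2 port, the FTP server used for keylog exfiltration, the mutex and the install file name are all host- or network-observable. The following is an added example (not part of the sandbox report, not CyberGate code) that runs those indicators over constructed telemetry lines; the `key=value` log format, the source names (`dns`, `fw`, `proc`, `mutex`) and the severity labels are assumptions for illustration. The loopback `127.0.0.1:43594` entry is treated as weak evidence, since connections to loopback on the C2 port say nothing about a remote operator.

```python
"""Turn the CyberGate config extracted above into simple IOC matching.

Added example: the indicator values come from the report's "Malware Config"
section; the log lines and their key=value format are constructed for
illustration and do not correspond to any real product's output.
"""
import re

# Indicators lifted verbatim from the extracted config.
IOCS = {
    "c2_hosts": {"frankrat.no-ip.org"},
    "c2_port": 43594,
    "ftp_server": "dcfrank.comoj.com",
    "mutex": "KOA5XW4GH52061",
    "install_file": "winboot.exe",
}

# Constructed sample telemetry as (source, message) pairs.
SAMPLE_EVENTS = [
    ("dns",   "query=frankrat.no-ip.org type=A client=10.0.0.12"),
    ("fw",    "action=allow src=10.0.0.12 dst=127.0.0.1 dport=43594 proto=tcp"),
    ("fw",    "action=allow src=10.0.0.12 dst=203.0.113.5 dport=43594 proto=tcp"),
    ("proc",  "pid=4412 image=C:\\Users\\bob\\AppData\\Roaming\\winboot.exe parent=explorer.exe"),
    ("mutex", "pid=4412 name=KOA5XW4GH52061"),
    ("dns",   "query=dcfrank.comoj.com type=A client=10.0.0.12"),
    ("proc",  "pid=900 image=C:\\Windows\\explorer.exe parent=userinit.exe"),
]


def parse_kv(message):
    """Parse 'key=value key2=value2' text into a dict; values contain no whitespace."""
    return dict(re.findall(r"(\w+)=(\S+)", message))


def match_event(source, message, iocs=IOCS):
    """Return a list of (severity, rule, evidence) hits for one telemetry line."""
    kv = parse_kv(message)
    hits = []
    if source == "dns":
        q = kv.get("query", "").lower().rstrip(".")
        if q in iocs["c2_hosts"]:
            hits.append(("high", "cybergate_c2_dns", q))
        elif q == iocs["ftp_server"]:
            hits.append(("high", "cybergate_ftp_exfil_dns", q))
    elif source == "fw":
        dst = kv.get("dst", "")
        if int(kv.get("dport", 0)) == iocs["c2_port"]:
            # A bare port match is weak evidence; the loopback entry in the
            # config is a builder default rather than a reachable operator.
            severity = "info" if dst.startswith("127.") else "low"
            hits.append((severity, "cybergate_c2_port", f"{dst}:{iocs['c2_port']}"))
    elif source == "proc":
        image = kv.get("image", "")
        if image.rsplit("\\", 1)[-1].lower() == iocs["install_file"]:
            hits.append(("medium", "cybergate_install_file", image))
    elif source == "mutex":
        if kv.get("name") == iocs["mutex"]:
            hits.append(("high", "cybergate_mutex", kv["name"]))
    return hits


def scan(events, iocs=IOCS):
    """Run every event through match_event and group the hits by rule name."""
    findings = {}
    for source, message in events:
        for severity, rule, evidence in match_event(source, message, iocs):
            findings.setdefault(rule, []).append((severity, evidence))
    return findings


if __name__ == "__main__":
    for rule, hits in scan(SAMPLE_EVENTS).items():
        print(rule, hits)
```

The mutex and the dynamic-DNS hostname are the highest-confidence indicators here: both are operator-chosen build-time values that a legitimate process has no reason to reproduce, whereas the install file name and the port are cheap to change between builds.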

Targets

    • Target

      e81935e057891c3896e528ecf79b8437_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate (also detected under the family name Rebhip) is a Delphi-based remote access trojan sold as a "remote administration tool"; it supports remote shell, file management, keylogging with FTP upload of the logs, and persistence via a copied install file, matching the configuration extracted above.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution by locale.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or with a modified build of the open-source UPX packer.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a suspended thread is the primitive used to redirect execution into injected code (process hollowing); this is consistent with the injected_process value of explorer.exe in the extracted configuration.

MITRE ATT&CK Enterprise v15