General

  • Target

    e90d4e4f9ea5ce52d76b3453cd182277_JaffaCakes118

  • Size

    946KB

  • Sample

    240918-nzqkfsygje

  • MD5

    e90d4e4f9ea5ce52d76b3453cd182277

  • SHA1

    e3710f3f462e0afc2270f1d8270cc60e92127829

  • SHA256

    8afe5593b55253603343ac34c2869f7e1f687e31a531ae878cb9e0ff5c1e9f79

  • SHA512

    d3460a86eb9a7bc14e4d0b95f451dca227f82092d2c421b4cb5d1dfdd7cb0d5831b9f5a6e2de95efd02a899d74ec6c56f332900a1d69ae76094c2333ac30f032

  • SSDEEP

    24576:3h5sHIZKRanOOOxDOlSoOOOOOOOOOqMLEsOOOOOOOOOOOOOCwqpLOWbaNhOOOOOH:3hCHIbnOOOxDOlSoOOOOOOOOOjLEsOOe

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

cgseb.no-ip.biz:333

Mutex

KT05FP0YID6PL2

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    TestTestTest.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cool

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      e90d4e4f9ea5ce52d76b3453cd182277_JaffaCakes118

    • Size

      946KB

    • MD5

      e90d4e4f9ea5ce52d76b3453cd182277

    • SHA1

      e3710f3f462e0afc2270f1d8270cc60e92127829

    • SHA256

      8afe5593b55253603343ac34c2869f7e1f687e31a531ae878cb9e0ff5c1e9f79

    • SHA512

      d3460a86eb9a7bc14e4d0b95f451dca227f82092d2c421b4cb5d1dfdd7cb0d5831b9f5a6e2de95efd02a899d74ec6c56f332900a1d69ae76094c2333ac30f032

    • SSDEEP

      24576:3h5sHIZKRanOOOxDOlSoOOOOOOOOOqMLEsOOOOOOOOOOOOOCwqpLOWbaNhOOOOOH:3hCHIbnOOOxDOlSoOOOOOOOOOjLEsOOe

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks