cybergate | d0b535742410c1751e2cc07c250c0813f9a1f04e26a6e6b8a83589fd2a0bb4f9 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

e9cb3a1d4a9a488cd0edc8ceaecb1e5a_JaffaCakes118
Size

481KB
Sample

240918-xtargsydqj
MD5

e9cb3a1d4a9a488cd0edc8ceaecb1e5a
SHA1

e955da0fb65d51227247e40d214151fec3aec421
SHA256

d0b535742410c1751e2cc07c250c0813f9a1f04e26a6e6b8a83589fd2a0bb4f9
SHA512

2dad4b846778a00eb603f8e29ee2233d1d5d4586007091f72cec5ca14698f94c638339c7c5096457e871094c5904de6746a4217db6b0280e6a59f75e42a1ae8f
SSDEEP

6144:+XV9lfQ9Fn2KP6+w2DKw1+zIvTXkXb5UUqDgYYCGLWeai0PHOmDaPLagWccKJnjM:+XV9l2evcAew5McCDUY5xiC4uNnMmrd

Score

10^/10

cybergate user discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

user

C2

hackhond.no-ip.biz:3000

Mutex

4R8TO8000UV220

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
flish.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1234567
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  e9cb3a1d4a9a488cd0edc8ceaecb1e5a_JaffaCakes118
- Size
  
  481KB
- MD5
  
  e9cb3a1d4a9a488cd0edc8ceaecb1e5a
- SHA1
  
  e955da0fb65d51227247e40d214151fec3aec421
- SHA256
  
  d0b535742410c1751e2cc07c250c0813f9a1f04e26a6e6b8a83589fd2a0bb4f9
- SHA512
  
  2dad4b846778a00eb603f8e29ee2233d1d5d4586007091f72cec5ca14698f94c638339c7c5096457e871094c5904de6746a4217db6b0280e6a59f75e42a1ae8f
- SSDEEP
  
  6144:+XV9lfQ9Fn2KP6+w2DKw1+zIvTXkXb5UUqDgYYCGLWeai0PHOmDaPLagWccKJnjM:+XV9l2evcAew5McCDUY5xiC4uNnMmrd
Score

10^/10

cybergate user discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateuserdiscoverypersistencestealertrojanupx

behavioral2