General

  • Target

    ee091f677598e979e0e9b8c5c00fb6a2_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240920-vhbtasxaqc

  • MD5

    ee091f677598e979e0e9b8c5c00fb6a2

  • SHA1

    9ed8a6bb610bb596d920307b9d9bcc6b093ce34f

  • SHA256

    f0d920110c89190c000d5f2a7d51e391aa26bf392dbbeb7d8498c3abd290f7fd

  • SHA512

    623edaafabb0b3ee8d487c4e5fae9cbd4e495f0c07c2c36b4207e03459e57e1f63b39a847315ff5a83883487a4d1bad5304755b85e268bfda9e80c287a76dae2

  • SSDEEP

    24576:Bxl3w0jF9fCejWmQFpJpcGs9MRNK8dkqwgWyiq8:6jpvGVOkH/tv

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    Server

  • C2

    aktifdns.no-ip.biz:81

  • Mutex

    ***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    spynet

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks