Overview

overview

10

Static

static

10

fb98f54694...18.exe

windows7-x64

10

fb98f54694...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fb98f546947bfee8e6427ef7869b7f20_JaffaCakes118

  • Size

    540KB

  • Sample

    240928-f5tv3ayhln

  • MD5

    fb98f546947bfee8e6427ef7869b7f20

  • SHA1

    663512833f0e588b7fc827c4d3227c64f6565df9

  • SHA256

    b0298cc0ad1209199a11c7087f906f9731faac6284d232ce1a8dbc3dcef192a5

  • SHA512

    5cc7193d94323f32113a88818f6cb419a52f3d06bcce21200052b0b9719860e027c3556dcb2f9fc21ad0ee0d0922518a73255140ac5cf1accfe17a49f3529f79

  • SSDEEP

    12288:d3DMSvuBkfA3VJE4uLNd8VU2b5FCTDFPJiJxvQl:hmBz3zE4zU+FWDT+4

Score
10/10
cybergatemodiloaderserverdiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

C2

nawaf123456.no-ip.biz:288

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    asfas.exe

  • install_dir

    asf

  • install_file

    asf.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    asf

Targets

    • Target

      fb98f546947bfee8e6427ef7869b7f20_JaffaCakes118

    • Size

      540KB

    • MD5

      fb98f546947bfee8e6427ef7869b7f20

    • SHA1

      663512833f0e588b7fc827c4d3227c64f6565df9

    • SHA256

      b0298cc0ad1209199a11c7087f906f9731faac6284d232ce1a8dbc3dcef192a5

    • SHA512

      5cc7193d94323f32113a88818f6cb419a52f3d06bcce21200052b0b9719860e027c3556dcb2f9fc21ad0ee0d0922518a73255140ac5cf1accfe17a49f3529f79

    • SSDEEP

      12288:d3DMSvuBkfA3VJE4uLNd8VU2b5FCTDFPJiJxvQl:hmBz3zE4zU+FWDT+4

    Score
    10/10
    cybergatemodiloaderserverdiscoverypersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • ModiLoader Second Stage

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks