General

  • Target

    4295f0be2f0ecb23634b8744f90c8f5e_JaffaCakes118

  • Size

    79KB

  • Sample

    241014-qyg8ssscnk

  • MD5

    4295f0be2f0ecb23634b8744f90c8f5e

  • SHA1

    d700a218e7b0e824b1946c239e46c86c537a993b

  • SHA256

    7ec7da4d8eaf9454a112535db80f8e32b1b923f07c2885480dbf35527f8a84e0

  • SHA512

    2e27702dbec4ea05ba52c8fae00197b2690e0007bcfaf5eede367371217717b9600fba40a688f8c5bd3bdf26a3b1600b07cdcb1250c84d8b55f32d016a99f8a1

  • SSDEEP

    1536:VoKnYEu+R6krMP7Ph0QidFYEjPtE8Jo959Z/W8jkE0VrF5XSB89fdrszL:CKYEjprIvikErdJAVQrF5i+1m

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.0.3

  • Botnet

    vítima

  • C2

    spynet-rat3.dyndns.org:2520

  • Mutex

    --xXx--xXx--

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    [email protected]

  • ftp_interval

    5

  • injected_process

    explorer.exe

  • install_dir

    dllcachesys

  • install_file

    win32backup.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    Windows Backup System

  • regkey_hklm

    Windows Backup System

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks