Overview

overview

10

Static

static

3

4966aa63b7...18.exe

windows7-x64

10

4966aa63b7...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4966aa63b7a8cb639f5127b62c4d5143_JaffaCakes118

  • Size

    1.3MB

  • Sample

    241015-xa85yazgmf

  • MD5

    4966aa63b7a8cb639f5127b62c4d5143

  • SHA1

    9cdfb798518d987ad59eb60ef76a13aa2d77a891

  • SHA256

    0ba9cb3648a86fbc377f319029dff00892adc4fda2a2082e5064aeea2ca26884

  • SHA512

    17bdc1f3b758b32d02f71e93cd99e5b880864db37d68ed8864c0de47649a719c49180c70777636931e6f009f8d4bb3ebffac98215099aa4ba6dae0c8f751868d

  • SSDEEP

    24576:1HFpO4xxmzs2Mk178Ud9dWVRXETpF2WAWQ9WB3WBnz4QZRxyv76BbLP:5JmztR78yUFEj2WZAaWFzzY6x

Score
10/10
cybergatelatentbotremotediscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

helloworld2.zapto.org:1604

Mutex

GECO0O12B2GGJW

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    KeyGen.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Do you wish to run the keygen?

  • message_box_title

    NEED FOR SPEED SHIFT KEYGEN

  • password

    cybergate

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

latentbot

C2

helloworld2.zapto.org

Targets

    • Target

      4966aa63b7a8cb639f5127b62c4d5143_JaffaCakes118

    • Size

      1.3MB

    • MD5

      4966aa63b7a8cb639f5127b62c4d5143

    • SHA1

      9cdfb798518d987ad59eb60ef76a13aa2d77a891

    • SHA256

      0ba9cb3648a86fbc377f319029dff00892adc4fda2a2082e5064aeea2ca26884

    • SHA512

      17bdc1f3b758b32d02f71e93cd99e5b880864db37d68ed8864c0de47649a719c49180c70777636931e6f009f8d4bb3ebffac98215099aa4ba6dae0c8f751868d

    • SSDEEP

      24576:1HFpO4xxmzs2Mk178Ud9dWVRXETpF2WAWQ9WB3WBnz4QZRxyv76BbLP:5JmztR78yUFEj2WZAaWFzzY6x

    Score
    10/10
    cybergatelatentbotremotediscoverypersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • LatentBot

      Modular trojan written in Delphi which has been in-the-wild since 2013.

      trojanlatentbot

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks