Overview

overview

10

Static

static

3

6c3a9ed6b4...18.exe

windows7-x64

10

6c3a9ed6b4...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6c3a9ed6b46572d3f5093574c9c34186_JaffaCakes118

  • Size

    916KB

  • Sample

    241022-2v44yazhrl

  • MD5

    6c3a9ed6b46572d3f5093574c9c34186

  • SHA1

    ebcf05f236e0d9a25153bf4079987861a9106188

  • SHA256

    b1981ec869c6bed6a200aff3588535ab4aa777311358e8de5d3c1a20987c02a1

  • SHA512

    27d83d24df82c557307143acbd86d9f65a33c8f37e2d10bffe29059869e488e12cf5e72444bc34cd2fffa6cbd057331dfdaacf700fec6ff070ff5a04a7b9502f

  • SSDEEP

    12288:02ie+ijqVB4z8HmxIqv8Ufa80ZwRctFyw8D:0nGxI88vwaWR

Score
10/10
cybergateserverdiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

C2

rat321.dyndns.info:1604

Mutex

Unkn0wnMUTEX

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    spynet

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    giants123

  • regkey_hkcu

    HKCU

Targets

    • Target

      6c3a9ed6b46572d3f5093574c9c34186_JaffaCakes118

    • Size

      916KB

    • MD5

      6c3a9ed6b46572d3f5093574c9c34186

    • SHA1

      ebcf05f236e0d9a25153bf4079987861a9106188

    • SHA256

      b1981ec869c6bed6a200aff3588535ab4aa777311358e8de5d3c1a20987c02a1

    • SHA512

      27d83d24df82c557307143acbd86d9f65a33c8f37e2d10bffe29059869e488e12cf5e72444bc34cd2fffa6cbd057331dfdaacf700fec6ff070ff5a04a7b9502f

    • SSDEEP

      12288:02ie+ijqVB4z8HmxIqv8Ufa80ZwRctFyw8D:0nGxI88vwaWR

    Score
    10/10
    cybergateserverdiscoverypersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks