cybergate | hxxps://github[.]com/ThatSINEWAVE/Malware-Samples

General

Target

https://github.com/ThatSINEWAVE/Malware-Samples
Sample

241022-njq62svbpk

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

trok2008

C2

trok2008.no-ip.biz:81

trok2008.no-ip.biz:7245

trok2008.dyndns.org:81

trok2008.dyndns.org:7245

127.0.0.1:81

198.168.1.25:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
boot
install_file
mtldr32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123321
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Path

C:\Users\Admin\Desktop\LegionReadMe.txt

Ransom Note

Ooops! All your important files are encrypted! What happend to my computer? All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $50. How do i pay? Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom of the sheet. Contact: 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us ([email protected]) In case of no anwser in 72 hours write us to this email: [email protected] What if i already paid? Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software, it may cause pernament data loss. Our Bitcoin address: 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

Emails

[email protected]

Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/

Targets

- Target
  
  https://github.com/ThatSINEWAVE/Malware-Samples
Score

10^/10

cybergate jigsaw trok2008 defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware spyware stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Modifies WinLogon for persistence
  persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Renames multiple (3475) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1