Overview

overview

10

Static

static

10

76f9f629db...18.exe

windows7-x64

10

76f9f629db...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    76f9f629db85e48a27f9b10e062b9253_JaffaCakes118

  • Size

    324KB

  • Sample

    241028-bwyensxbpe

  • MD5

    76f9f629db85e48a27f9b10e062b9253

  • SHA1

    3f4939373199911ee01754ca6da4c466bb07b89c

  • SHA256

    460fb7698044db8d82fc0bac7a910c80ee2e3dbda4386fb7657606909390e84d

  • SHA512

    19d31af5da35624f58af12c868747f15bf8ecc734b423115095e909ccc67d02fd89b86504e8141a985729eeb3514c9c774bffc18047d4962e55a3daeceafed9f

  • SSDEEP

    6144:QmcD66RRX5JGmrpQsK3RD2u270jupCJsCxCYAYFwk:ZcD66iZ2zkPaCxXwk

Score
10/10
cybergatelatentbotvítimadiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

abdelhadi-touaf.zapto.org:81

abdelhadi12.zapto.org:81

aziza12.zapto.org:81
Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Extracted

Family

latentbot

C2

abdelhadi12.zapto.org

Targets

    • Target

      76f9f629db85e48a27f9b10e062b9253_JaffaCakes118

    • Size

      324KB

    • MD5

      76f9f629db85e48a27f9b10e062b9253

    • SHA1

      3f4939373199911ee01754ca6da4c466bb07b89c

    • SHA256

      460fb7698044db8d82fc0bac7a910c80ee2e3dbda4386fb7657606909390e84d

    • SHA512

      19d31af5da35624f58af12c868747f15bf8ecc734b423115095e909ccc67d02fd89b86504e8141a985729eeb3514c9c774bffc18047d4962e55a3daeceafed9f

    • SSDEEP

      6144:QmcD66RRX5JGmrpQsK3RD2u270jupCJsCxCYAYFwk:ZcD66iZ2zkPaCxXwk

    Score
    10/10
    cybergatelatentbotvítimadiscoverypersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Cybergate family

      cybergate

    • LatentBot

      Modular trojan written in Delphi which has been in-the-wild since 2013.

      trojanlatentbot

    • Latentbot family

      latentbot

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks