cybergate | eceaffa7b59a06af28226bc8ba6dcc3e2316ead865d06326192bb72e501920f5 | Triage

Sharing

General

Target

77a6b84864c6d4eb2b3ad1a229dbc542_JaffaCakes118
Size

588KB
Sample

241028-eyxgya1cqm
MD5

77a6b84864c6d4eb2b3ad1a229dbc542
SHA1

bae41360034e01ad0db606d6e728d2cb2986f709
SHA256

eceaffa7b59a06af28226bc8ba6dcc3e2316ead865d06326192bb72e501920f5
SHA512

7ae83c4aff59cf05e80e67c68e6f1a96e4c846f4f35f3be7a138b9fdaa70c9a8149eb67c5a2f609dedd6736fe1198c84c763600665a04c03d60bf40aca1c194e
SSDEEP

12288:Ll0zqh5bOzh3MbJ5NlGKbB6Pu9NYRzjquHWs9fR5KjtP:Gz1q5NlGKbb0fq6rP5ot

Score

10^/10

cybergate server discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

C2

420.no-ip.org:4200

Mutex

dvERQ#$R%@#$R.;ef.weR:{)__+y5tg

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
spynet
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
letmein
regkey_hkcu
HKCU

Targets

- Target
  
  77a6b84864c6d4eb2b3ad1a229dbc542_JaffaCakes118
- Size
  
  588KB
- MD5
  
  77a6b84864c6d4eb2b3ad1a229dbc542
- SHA1
  
  bae41360034e01ad0db606d6e728d2cb2986f709
- SHA256
  
  eceaffa7b59a06af28226bc8ba6dcc3e2316ead865d06326192bb72e501920f5
- SHA512
  
  7ae83c4aff59cf05e80e67c68e6f1a96e4c846f4f35f3be7a138b9fdaa70c9a8149eb67c5a2f609dedd6736fe1198c84c763600665a04c03d60bf40aca1c194e
- SSDEEP
  
  12288:Ll0zqh5bOzh3MbJ5NlGKbB6Pu9NYRzjquHWs9fR5KjtP:Gz1q5NlGKbb0fq6rP5ot
Score

10^/10

cybergate server discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateserverdiscoverypersistencestealertrojan

behavioral2

cybergateserverdiscoverypersistencestealertrojanupx