General
Target: 96817ef88c34a6b60e4edba25337da1f_JaffaCakes118
Size: 344KB
Sample: 241124-xaqzcssrgw
MD5: 96817ef88c34a6b60e4edba25337da1f
SHA1: ad444a7d2eb9c4be77b7c14de6e97a1c2c4d1d2d
SHA256: d947d57fa3aa32c330c1ba314871bf276a561779dd92ad371dedfa1a42ef2fc7
SHA512: dc56538d04e553b3375b863a55b9a7b59fa9e196f2006c05445b420c8dcff8d46c48376c117922cafa7369d7d3ffd085cae3e119421e95a06ea3c9c13c0e6541
SSDEEP: 6144:9V7+/DKM/DzetXD5sueVhrhxI//P0Y7o3W4zMEg3JDxHkWO9RPmhFWhHx961:9VEDXHRueVhNxI3P0uXWJmhohR961
Behavioral tasks
behavioral1: Sample main.exe, Resource win7-20241010-en
behavioral2: Sample main.exe, Resource win10v2004-20241007-en
behavioral3: Sample server2.exe, Resource win7-20240903-en
Malware Config

Extracted: cybergate
2.6
vítima
arrozmaionese.no-ip.biz:3000
kripsbox.zapto.org:614
127.0.0.1:614
***MUTEX***
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: drive.
install_file: tasksrc.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: arroz
regkey_hkcu: HKCU
regkey_hklm: HKLM
Extracted: cybergate
FALSE
ÝØðÕÞÎÝÎÅý¼¼ûÙÈìÎÓßýØØÎÙÏϼ¼êÕÎÈÉÝÐìÎÓÈÙßȼ¼êÕÎÈÉÝÐýÐÐÓß¼¼êÕÎÈÉÝÐúÎÙÙ¼¼¼ùÄÕÈìÎÓßÙÏϼ¼¼ðÏÝÿÐÓÏÙ¼¼ÿÎÅÌÈéÒÌÎÓÈÙßÈøÝÈݼ¼ÿÓèÝÏ×ñÙÑúÎÙÙ¼¼¼ïÅÏúÎÙÙïÈÎÕÒÛ¼¼¼ìïÈÓÎÙÿÎÙÝÈÙõÒÏÈÝÒßÙ¼¼îÝÏùÒÉÑùÒÈÎÕÙÏý¼¼¼ïôûÙÈïÌÙßÕÝÐúÓÐØÙÎìÝÈÔý¼¼¼èÓýÏßÕÕ¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼J4173WYX4}
HKLM
HKCU
FALSE
16
0
título da mensagem
texto da mensagem
TRUE
ftp.0fees.net
.//htdocs/adv/
fees0_6839145
ashman4u
21
30
enable_keylogger: false
enable_message_box: false
install_dir: FALSE
install_file: FALSE
install_flag: false
keylogger_enable_ftp: false
message_box_caption: TRUE
message_box_title: TRUE
password: FALSE
regkey_hkcu: FALSE
regkey_hklm: FALSE
Targets

Target: main.exe
Size: 290KB
MD5: 509c05659338dd7878266b3b3ef2d76e
SHA1: 813dae2f52f3c84316f57f1a59bab562418874a1
SHA256: e4f0b6f55e7c1820e031decac47b87258a6e0dc84b53239a8ac70b5ac22c41ab
SHA512: 2cdae44e78956c9b661e906e45d03d1752e66fca6708548021619cc141d66685e32f15049c137028753afca2b3c55cf689a693ac92a6104f0be3cb79cf8d1253
SSDEEP: 6144:4mcD66RRj85JGmrpQsK3RD2u270jupCJsCxC9:RcD663ZZ2zkPaCxE

- Cybergate family
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory

Target: server2.exe
Size: 272KB
MD5: 2bb785106ce242b4966381dad1a8c26f
SHA1: 7461fc8b3fce1e856ead1bcbb04ff1775925e864
SHA256: 85f1189fee82311809a11c9d351acb4d6adcd49304f69ba86ff60a787b99de65
SHA512: e4f4e1436975447419254c48deb68119de5181e2ba92127d71d9f4765584bfdfd1f1a0aa5b7dcde4260e018f5ce25a4c84557e59c88e0361dd6866f9333b450f
SSDEEP: 6144:Rk4qmEVr4xdH0QFW5dqtOlUwLfS49ydfCARPPVSRU/D5:G90mFnGOltDE6U/1

- Cybergate family
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)