General

  • Target

    9a6b0786c8cb5b03737cd34601f95ca3_JaffaCakes118

  • Size

    2.9MB

  • Sample

    241125-kna4vavjbq

  • MD5

    9a6b0786c8cb5b03737cd34601f95ca3

  • SHA1

    03f9c9339538f1f008fe176259a7de852dece6a0

  • SHA256

    f71c1996a4b8d489c12b42ceb6acad09d309847400b0fd48e29569de4d2044c3

  • SHA512

    5acafab6250cba41b6cf70da255099f285552eb0ed892140c9c940c87008042619df0ccb479d420aeb7a7a81ba97f7c2e4e01fd3d1ccd575f2d4ca5b27b4c1c0

  • SSDEEP

    49152:6f1Z8aC8sFIifBy/R9uZ3+n4Fiw6WF8I0ro9wX/agtInYSUQHX3JcT7dSxACQ03T:6f7lClIifBMR9L4Uwn8Ihwv8nYSUQ3o0

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    Server

  • C2

    tupcesmia.no-ip.info:600

  • Mutex

    ***MUssasaTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    winrar

  • install_file

    service.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      [UG]MultiHack - Bot BETA 1/[UG] Injector - PerX.exe

    • Size

      1.9MB

    • MD5

      c2ffae39e5c34f536236bb5091015a14

    • SHA1

      8b56c09ab59532be2fcbaad435aa29fe83dc06d4

    • SHA256

      4ae8c730814de15982b8a560bbb5d9bc77f0dab0d57c0599088f3a9951a4a42a

    • SHA512

      f366923c973664d0ffcc8538d081d2e431244ab290c5494f46f589e8cfcdbc980ce05f06f6759548c547536e36d952d355775d0e156396f937ec36b3208ebb3a

    • SSDEEP

      24576:riYAAsz0SYdmqLIUk3wfonMUb86jTbbdamcBHnJyk:L

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      [UG]MultiHack - Bot BETA 1/[UG][DEMO] MultiHack - Bot BETA 1.dll

    • Size

      133KB

    • MD5

      647a69fedf52ad2a2483a4808eafbe10

    • SHA1

      c33427510364ee64612f388225c79c06451ce794

    • SHA256

      6591668f023450c726b6fa9f2caf534127173aa5a82d2e8386c60fc46133a050

    • SHA512

      7f7fa098b8b1e17f03fc55a4a90d5b561e3e937fd4cca1b70e371c1e8d3924ec8e050ba6e94a83df081a030db77c49c89dd9da384c4da18c9184f310b8df5ba0

    • SSDEEP

      1536:fqt8ORT7OYMn8Dow8ObQvBsIUdddddfHIWJhYE6jwdBgGLTJIbA8IKgRVAMve:fL8Dow8SIZsvYzjVOVIc8IKgRVAMve

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks