Overview

overview

10

Static

static

3

a1e7af63b0...18.exe

windows7-x64

10

a1e7af63b0...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a1e7af63b03608ec178587c28dc03e68_JaffaCakes118

  • Size

    897KB

  • Sample

    241126-pj49caxldq

  • MD5

    a1e7af63b03608ec178587c28dc03e68

  • SHA1

    23cfb8228d6c0becf0ae7f6daace83365c4ecca7

  • SHA256

    f512e018ce0cb5fbaf449d3961512d45e5a0dfe10963a7b2e2708c0e2f54df89

  • SHA512

    3affe4182ee641a83ee86a17d1240b19a1e9b991c894d630dbb779b5095af7b726fa1aed46cb2b7b4f8ed7e00f4e373e14bbbcd829e29b52864563a5d2a57a3f

  • SSDEEP

    24576:CWwQMN2K3yWds0JkKyVANF6kPx9wR/jNwtKnslQvcZ:CWlhadsLGfD3ajKK9c

Score
10/10
cybergateserverdiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

C2

gedayeni.zapto.org:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    spynet

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      a1e7af63b03608ec178587c28dc03e68_JaffaCakes118

    • Size

      897KB

    • MD5

      a1e7af63b03608ec178587c28dc03e68

    • SHA1

      23cfb8228d6c0becf0ae7f6daace83365c4ecca7

    • SHA256

      f512e018ce0cb5fbaf449d3961512d45e5a0dfe10963a7b2e2708c0e2f54df89

    • SHA512

      3affe4182ee641a83ee86a17d1240b19a1e9b991c894d630dbb779b5095af7b726fa1aed46cb2b7b4f8ed7e00f4e373e14bbbcd829e29b52864563a5d2a57a3f

    • SSDEEP

      24576:CWwQMN2K3yWds0JkKyVANF6kPx9wR/jNwtKnslQvcZ:CWlhadsLGfD3ajKK9c

    Score
    10/10
    cybergateserverdiscoverypersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Cybergate family

      cybergate

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks