Overview

overview

10

Static

static

3

a1eee904ab...18.exe

windows7-x64

10

a1eee904ab...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a1eee904abb3c639915572bec0dc29fe_JaffaCakes118

  • Size

    816KB

  • Sample

    241126-pnhwxaxmgm

  • MD5

    a1eee904abb3c639915572bec0dc29fe

  • SHA1

    1d61e03327d1d2826afa57f1b134bab18095494a

  • SHA256

    f5a962180342c44e0aa8bef3a9b608e41f55bb5a8dc9360e9b8d1510705304fd

  • SHA512

    b8493a6c8869ed1c7f41d39ada905c4453ea4bdeb63885224450e09d5f97ae77c01b356eb0af1ec2503e6e6b047494676f10be7daff76e6366ef6ee261662f1a

  • SSDEEP

    24576:IZ3+tZM+EF/UB1QquZgEhvScDc02AlIJlEFgv0G:kyt1P5eZc05IJqgvF

Score
10/10
cybergatecyberdiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

strikeagain.no-ip.biz:100

Mutex

RM5P17J07A1207

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    "Map2.bin" could not be found.

  • message_box_title

    ERROR

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      a1eee904abb3c639915572bec0dc29fe_JaffaCakes118

    • Size

      816KB

    • MD5

      a1eee904abb3c639915572bec0dc29fe

    • SHA1

      1d61e03327d1d2826afa57f1b134bab18095494a

    • SHA256

      f5a962180342c44e0aa8bef3a9b608e41f55bb5a8dc9360e9b8d1510705304fd

    • SHA512

      b8493a6c8869ed1c7f41d39ada905c4453ea4bdeb63885224450e09d5f97ae77c01b356eb0af1ec2503e6e6b047494676f10be7daff76e6366ef6ee261662f1a

    • SSDEEP

      24576:IZ3+tZM+EF/UB1QquZgEhvScDc02AlIJlEFgv0G:kyt1P5eZc05IJqgvF

    Score
    10/10
    cybergatecyberdiscoverypersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Cybergate family

      cybergate

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks