cybergate | 1aa19e20dad67b550927beb340c55233050b3888257263906e77c449873fdce4 | Triage

Sharing

General

Target

a7543e84c21db6529145253995a64527_JaffaCakes118
Size

709KB
Sample

241127-l8seaswlaq
MD5

a7543e84c21db6529145253995a64527
SHA1

5c87008a0d943be8791ed819b9d6a47a753b1fad
SHA256

1aa19e20dad67b550927beb340c55233050b3888257263906e77c449873fdce4
SHA512

deab65cd53aa8970b7f4514236f9ebea0e5e642ebb300742f837ae2e5eef3b2d67dcf11d6dbeab66e3634012530a4280015bd974b7c7f88d5c14195ca3a7ad15
SSDEEP

12288:hakQj0HvcoAE0HabQDTr4O79fKzkipo4iPkkqeaSJHubSJYCb/VK8o:haT0H0oAEQWQ7t9fW/piknJSQTe/Vs

Score

10^/10

cybergate victima discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

Victima

C2

the-diego.no-ip.org:200

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  a7543e84c21db6529145253995a64527_JaffaCakes118
- Size
  
  709KB
- MD5
  
  a7543e84c21db6529145253995a64527
- SHA1
  
  5c87008a0d943be8791ed819b9d6a47a753b1fad
- SHA256
  
  1aa19e20dad67b550927beb340c55233050b3888257263906e77c449873fdce4
- SHA512
  
  deab65cd53aa8970b7f4514236f9ebea0e5e642ebb300742f837ae2e5eef3b2d67dcf11d6dbeab66e3634012530a4280015bd974b7c7f88d5c14195ca3a7ad15
- SSDEEP
  
  12288:hakQj0HvcoAE0HabQDTr4O79fKzkipo4iPkkqeaSJHubSJYCb/VK8o:haT0H0oAEQWQ7t9fW/piknJSQTe/Vs
Score

10^/10

cybergate victima discovery persistence stealer trojan
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatevictimadiscoverypersistencestealertrojan

behavioral2

cybergatevictimadiscoverypersistencestealertrojan