cybergate | 2fb96ac84a771e9ef2c914742a5734171f92be53aa1a5ac1ae9ca67b1c9d8ed8

General

Target

aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe
Size

914KB
MD5

aef350405fa9f69654e5098268f33c09
SHA1

0b8c142cc1e3802b5f5411cf285457bf045c822d
SHA256

2fb96ac84a771e9ef2c914742a5734171f92be53aa1a5ac1ae9ca67b1c9d8ed8
SHA512

ccaceb19163f68d9a98e6338f4478fda172039447fb34f56e5631fed57ed736a8042985feb2a707e3a634ba8f3aa36ae739909c086a1e8a5efca58cbb6f2ca5e
SSDEEP

24576:tfwVNThFOfRs1si73lLZnqfS60L8hMU0kwRjZNE:tfwXhFj1hufr0LO0k4Y

Score

10^/10

cybergate victime discovery evasion persistence stealer themida trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victime

C2

kabch.no-ip.org:333

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2412-0-0x0000000000400000-0x00000000005B8000-memory.dmp	themida
behavioral1/memory/2412-2-0x0000000000400000-0x00000000005B8000-memory.dmp	themida
behavioral1/memory/2412-8-0x0000000000400000-0x00000000005B8000-memory.dmp	themida
behavioral1/memory/2412-6-0x0000000000400000-0x00000000005B8000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2412	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2412-5-0x0000000024010000-0x0000000024072000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2412	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe
2412	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2940	2412	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2940	2412	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2940	2412	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2940	2412	aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aef350405fa9f69654e5098268f33c09_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2412-0-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2412-1-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2412-2-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2412-8-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2412-6-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2412-5-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads