General
-
Target
b6f4f38e3571ea4b8d75b5e07b55d146_JaffaCakes118
-
Size
291KB
-
Sample
241202-fthzeswnhl
-
MD5
b6f4f38e3571ea4b8d75b5e07b55d146
-
SHA1
df89ba848134900aeddadf8d8ff0e474f44fb952
-
SHA256
76d87962b339aaf8e76c27fbade6fc9e18693d975003ebfb582fabb8d4ef5fec
-
SHA512
e8fe34f4f1b08d6ab4d0b8a8767606d9aa58bc6be44f8c0285c1b58d4294b98fe30674c1b8eda43dc0d63d0e796cb9d6ddb63aa94d977fab801bedafd5e8f1ec
-
SSDEEP
6144:AOpslFlqnhdBCkWYxuukP1pjSKSNVkq/MVJb:AwslwTBd47GLRMTb
Malware Config
Extracted
cybergate
v1.07.5
2209
220918032012.no-ip.org:8020
RII5YFF05LCP1C
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Windows Defender
-
install_file
svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
2209
-
regkey_hkcu
Windows Defender
-
regkey_hklm
Windows Defender
Targets
-
-
Target
b6f4f38e3571ea4b8d75b5e07b55d146_JaffaCakes118
-
Size
291KB
-
MD5
b6f4f38e3571ea4b8d75b5e07b55d146
-
SHA1
df89ba848134900aeddadf8d8ff0e474f44fb952
-
SHA256
76d87962b339aaf8e76c27fbade6fc9e18693d975003ebfb582fabb8d4ef5fec
-
SHA512
e8fe34f4f1b08d6ab4d0b8a8767606d9aa58bc6be44f8c0285c1b58d4294b98fe30674c1b8eda43dc0d63d0e796cb9d6ddb63aa94d977fab801bedafd5e8f1ec
-
SSDEEP
6144:AOpslFlqnhdBCkWYxuukP1pjSKSNVkq/MVJb:AwslwTBd47GLRMTb
Score10/10-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Cybergate family
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-