Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    b808e1a4f671c7d6b8019b6fd3635a49_JaffaCakes118

  • Size

    829KB

  • Sample

    241202-lqytcsvrgl

  • MD5

    b808e1a4f671c7d6b8019b6fd3635a49

  • SHA1

    64f2e6701eeca000356704e3716641df7f6fbba1

  • SHA256

    94b229b07cffd7dc02f2875e38bfec1d4c4858a709d39afde8809d76318d32d0

  • SHA512

    182527b8b3b013f8ef7118a6f5c0143e36f6f3eb42a1b8c69c0f7d580812812aedefb0e4029fce02d8502d5d35de8bae6e0d35e15dd7c35f01a4782ebf106e53

  • SSDEEP

    12288:M5bzzJ4eJgd8I5cfWDE0GBoWcG/lKmJ0rJIQOlgsJBw/9fA7OHK4LK0acc:MVfJTJ28a+g4oYlqSQhsJypA8BLK/9

Malware Config

Extracted

Family

cybergate

Version

v1.02.1

Botnet

Vitima

C2

127.0.0.1:81

chacalhacker.no-ip.org:15963

Mutex

Pluguin

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft

  • install_file

    Pluguin.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.

  • message_box_title

    LAMMER

  • password

    csbrasil1213

  • regkey_hkcu

    Avirnt

  • regkey_hklm

    Avgnt

Targets

    • Target

      b808e1a4f671c7d6b8019b6fd3635a49_JaffaCakes118

    • Size

      829KB

    • MD5

      b808e1a4f671c7d6b8019b6fd3635a49

    • SHA1

      64f2e6701eeca000356704e3716641df7f6fbba1

    • SHA256

      94b229b07cffd7dc02f2875e38bfec1d4c4858a709d39afde8809d76318d32d0

    • SHA512

      182527b8b3b013f8ef7118a6f5c0143e36f6f3eb42a1b8c69c0f7d580812812aedefb0e4029fce02d8502d5d35de8bae6e0d35e15dd7c35f01a4782ebf106e53

    • SSDEEP

      12288:M5bzzJ4eJgd8I5cfWDE0GBoWcG/lKmJ0rJIQOlgsJBw/9fA7OHK4LK0acc:MVfJTJ28a+g4oYlqSQhsJypA8BLK/9

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks