General

  • Target

    ba2b408e06eff8c04f29188285b4d154_JaffaCakes118

  • Size

    360KB

  • Sample

    241202-zwk2caylfj

  • MD5

    ba2b408e06eff8c04f29188285b4d154

  • SHA1

    4ea5944b8af2d56df3867f94b0f9fd80db34920d

  • SHA256

    b7b86fc84d193857aa1fc8cbcebd25b18468c68ca24ceacee3e80622af995587

  • SHA512

    a4bba0f5589b1c7a2f17fcae3ebf271cabbd345e4f6679fcb65faea3695e67f2b40a19ad90ae6c20fa852f0f6bd6a919bdf9eccb7e716301790dd7d5fccbce8b

  • SSDEEP

    6144:9Lk0KTMdQXyf21G9X/6ChoS5wIzViYmQQfEDroGQABOZyy:9KTMdQilR6yokfBnLQfEDrorQO4y

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.02.0

  • Botnet

    remote

  • C2

    ignaceous.zapto.org:5150

  • Mutex

    6TI4DW3AOB10K7

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    csrss.exe

  • install_dir

    Winbooterr

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Targets

    • Target

      ba2b408e06eff8c04f29188285b4d154_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15
