General

  • Target

    c6594d13734462e327a75eb803c1e583_JaffaCakes118

  • Size

    1.4MB

  • Sample

    241205-g8fy2symal

  • MD5

    c6594d13734462e327a75eb803c1e583

  • SHA1

    a37788d357fe854b4862338e43f2468e80ca216e

  • SHA256

    6b67f7c1bfe6dc5060a40c534ed1aaf0c4a39690ef28347b004c777bb5f48263

  • SHA512

    5060fc6a29baa20964fc9460a6d2a3b89de430150ec3cbf088d9a253df99f9a131f20cea7652fe2a1d1430a29ead679e65f4b7446e3633d4e244dec04c0f0316

  • SSDEEP

    24576:B+qCQdxc25pNzyLXxNDumIbcEsWXy9d0FAv1s:zCQdS25Lyr1uc5WC9d0FAS

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Novo

C2

lostbox.mine.nu:587

alivecard.no-ip.org:587

Mutex

***windows***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Update Microsoft

  • install_file

    windows update.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • Target

      c6594d13734462e327a75eb803c1e583_JaffaCakes118

    • Size

      1.4MB

    • MD5

      c6594d13734462e327a75eb803c1e583

    • SHA1

      a37788d357fe854b4862338e43f2468e80ca216e

    • SHA256

      6b67f7c1bfe6dc5060a40c534ed1aaf0c4a39690ef28347b004c777bb5f48263

    • SHA512

      5060fc6a29baa20964fc9460a6d2a3b89de430150ec3cbf088d9a253df99f9a131f20cea7652fe2a1d1430a29ead679e65f4b7446e3633d4e244dec04c0f0316

    • SSDEEP

      24576:B+qCQdxc25pNzyLXxNDumIbcEsWXy9d0FAv1s:zCQdS25Lyr1uc5WC9d0FAS

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • UAC bypass

    • Windows security bypass

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks