General

  • Target

    c8ebbc295f3e60bfbe27eb142ed303cb_JaffaCakes118

  • Size

    305KB

  • Sample

    241205-w8gb5swpcv

  • MD5

    c8ebbc295f3e60bfbe27eb142ed303cb

  • SHA1

    7f9791e6805685643a67ba371dbf219cd84e11fb

  • SHA256

    a67826fef4706587f8cf6600a6a3e5d8159392ea024e751a227ed46c78746132

  • SHA512

    79cbeb86be89d90000bddef2f670045597ee963563fdc0c06008f4abf7fc1ff711863de826f76eaae0e7cb4c1f5e9e1d362edb3ad12956fd84c3b2617b62f2bd

  • SSDEEP

    6144:FxpyAqoeCJ+vxbcWcVAunzr9RK0gvYZOFHnzD2ejgtEb5aF7LCr9KhdDHEIcwh4t:FxG9V56zxR9OFHzK5Eb5adCUiIcwhxQ

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.05.1

  • Botnet

    MSIN555

  • C2

    ayarbaban.no-ip.biz:83

  • Mutex

    G755LRX1688IIJ

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_title

    Error

  • password

    1234567

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Modifies security service

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Network Share Discovery

      Attempts to gather information on the host's network.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15