General
- Target: cd73eebd5745ffadd9db2c4590d15e06_JaffaCakes118
- Size: 376KB
- Sample: 241206-rnns9sxmap
- MD5: cd73eebd5745ffadd9db2c4590d15e06
- SHA1: e95f94633cb7262e44ede4c3cffaef8a21023c57
- SHA256: f4ab3d58f8a3b82bdfc5b6247a050b06986bcec1581687e0e7446411030c4b4a
- SHA512: 716ffdc25672c271bef1ba507baa2e1f8467edccd899ea45809122bc5b4f70aa71d63ff9643b637dfed45c69565be7af12cd7d14d8030380aa45c5a0eeed6975
- SSDEEP: 6144:PqoG+dG/BkLN6OKhCjeRu5AxIocEbwRfM+ZyMTVf9CNJ8KPAvQePihp00o:PhG+wJkB6bRuSIocywnpz6Xu
Static task: static1
Behavioral task: behavioral1
- Sample: cd73eebd5745ffadd9db2c4590d15e06_JaffaCakes118.exe
- Resource: win7-20240729-en
Malware Config
Extracted: sality
- C2 URL: http://89.119.67.154/testo5/
- C2 URL: http://kukutrustnet777.info/home.gif
- C2 URL: http://kukutrustnet888.info/home.gif
- C2 URL: http://kukutrustnet987.info/home.gif
Extracted: cybergate
- Version: 2.6
- Campaign ID: vítima (Portuguese: "victim")
- C2: aysemis.no-ip.info:81
- Mutex: ***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: spynet
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem (Portuguese: "message text")
- message_box_title: título da mensagem (Portuguese: "message title")
- password: abcd1234
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Note: the mutex ***MUTEX***, the password abcd1234 and the Portuguese placeholder strings are the CyberGate builder's default values, so they are weak indicators on their own; the C2 host aysemis.no-ip.info:81 and the spynet\server.exe install path are the operator-specific values worth pivoting on.
Targets
- Target: cd73eebd5745ffadd9db2c4590d15e06_JaffaCakes118 (376KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to those listed under General above)
Signatures
- Cybergate family
- Sality family
- Adds policy Run key to start application (Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run)
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<GUID>, StubPath value, which is executed at the next interactive logon).
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext (consistent with code injection into the injected_process named in the CyberGate config, explorer.exe)
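As an added example (not part of the sandbox report and not code from either malware family), the following Python script checks a Windows registry export for the three autostart locations the signatures above describe: the Active Setup StubPath, the Policies\Explorer\Run key and the ordinary Run key. It runs on a constructed .reg dump whose paths echo the extracted config's install_dir and install_file; the GUID, the value names and the benign OneDrive entry are hypothetical.

```python
"""Scan a Windows registry export (.reg text) for the autostart locations this
report flags: Active Setup StubPath (T1547.014) and the policy / ordinary Run
keys (T1547.001).  Added example for this report, not sandbox output."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "technique key name value")

# Registry locations checked (compared case-insensitively against the key path).
ACTIVE_SETUP = "\\software\\microsoft\\active setup\\installed components\\"
POLICY_RUN = "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run"
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",
            "\\software\\microsoft\\windows\\currentversion\\runonce")

# Strings taken from the extracted CyberGate config (install_dir / install_file);
# a hit on these ties a registry entry back to this sample.
CONFIG_INDICATORS = ("spynet", "server.exe")

# Constructed .reg export for the example (not captured from the sandbox run).
# The GUID and value names are hypothetical; the OneDrive entry is a benign
# decoy so the scan also shows a non-match.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\system32\\spynet\\server.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"="C:\\Windows\\system32\\spynet\\server.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"HKCU"="C:\\Windows\\system32\\spynet\\server.exe"
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<val>.*)$')


def _unquote(s):
    """Undo .reg string quoting: strip the outer quotes, then \\x -> x."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("name") == "@" else _unquote(m.group("name"))
            keys[current][name] = _unquote(m.group("val"))
    return keys


def scan_persistence(text):
    """Return a Finding for every autostart entry found in the export."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if ACTIVE_SETUP in k:
            # Only the StubPath value of an Installed Components entry is executed.
            for name, value in values.items():
                if name.lower() == "stubpath":
                    findings.append(Finding("T1547.014 Active Setup", key, name, value))
        elif k.endswith(POLICY_RUN):
            findings.extend(Finding("T1547.001 Policy Run key", key, n, v) for n, v in values.items())
        elif k.endswith(RUN_KEYS):
            findings.extend(Finding("T1547.001 Run key", key, n, v) for n, v in values.items())
    return findings


def matches_config(finding):
    """True when the entry's command line references the extracted install path."""
    return any(ind in finding.value.lower() for ind in CONFIG_INDICATORS)


if __name__ == "__main__":
    for f in scan_persistence(SAMPLE_REG):
        flag = "MATCHES CONFIG" if matches_config(f) else "review"
        print(f"{f.technique:28} {flag:15} {f.key}\\{f.name} = {f.value}")
```

On a live host the same export is produced with `reg export HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components out.reg` (and likewise for the HKCU Run and Policies keys); every StubPath and Run entry is reported because benign software uses these locations too, and the config match is what separates this sample's entries from the rest.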
MITRE ATT&CK Enterprise v15 (counts in parentheses as reported)
Persistence
- Boot or Logon Autostart Execution, T1547 (3)
  - Active Setup, T1547.014 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (2)
Privilege Escalation
- Abuse Elevation Control Mechanism, T1548 (1)
  - Bypass User Account Control, T1548.002 (1)
- Boot or Logon Autostart Execution, T1547 (3)
  - Active Setup, T1547.014 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (2)
Defense Evasion
- Abuse Elevation Control Mechanism, T1548 (1)
  - Bypass User Account Control, T1548.002 (1)
- Impair Defenses, T1562 (1)
  - Disable or Modify Tools, T1562.001 (1)
- Modify Registry, T1112 (7)
Credential Access
- Credentials from Password Stores, T1555 (1)
  - Credentials from Web Browsers, T1555.003 (1)
- Unsecured Credentials, T1552 (1)
  - Credentials In Files, T1552.001 (1)