cybergate | 1ed084d488af884f46e5340bbf0cae41a251466a236cdd230e4a206f4b7fe489 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

d295af045c01c92257b4070db5c25d46_JaffaCakes118
Size

479KB
Sample

241207-p9erdasrbv
MD5

d295af045c01c92257b4070db5c25d46
SHA1

bc88696d7d94b8c18f64b17b2a4041e89034591d
SHA256

1ed084d488af884f46e5340bbf0cae41a251466a236cdd230e4a206f4b7fe489
SHA512

76f705c8f577d05844b70745db9804595342a5608e4f2efab75177aefb1921bdfbb78107bcd4e0b7752b40b11b1da701be4d2f1314de2fe1744380ed8130bc13
SSDEEP

6144:ihGxjR0EdatlbulIY24kz3n6DJiM/oh+3AadFaGukNawKv5h9HV5/4HQeR7t1KG+:iKjR0gattLguaHbIkQ1hJ/E3Rx+EZ56H

Score

10^/10

cybergate new school discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

NEW SCHOOL

C2

wanted1.no-ip.org:1000

Mutex

CyberGate1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Cyperlink32x
install_file
CyperIMG.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Can't open this file! press " Ok " and try again
message_box_title
Error!
password
aa

Targets

- Target
  
  d295af045c01c92257b4070db5c25d46_JaffaCakes118
- Size
  
  479KB
- MD5
  
  d295af045c01c92257b4070db5c25d46
- SHA1
  
  bc88696d7d94b8c18f64b17b2a4041e89034591d
- SHA256
  
  1ed084d488af884f46e5340bbf0cae41a251466a236cdd230e4a206f4b7fe489
- SHA512
  
  76f705c8f577d05844b70745db9804595342a5608e4f2efab75177aefb1921bdfbb78107bcd4e0b7752b40b11b1da701be4d2f1314de2fe1744380ed8130bc13
- SSDEEP
  
  6144:ihGxjR0EdatlbulIY24kz3n6DJiM/oh+3AadFaGukNawKv5h9HV5/4HQeR7t1KG+:iKjR0gattLguaHbIkQ1hJ/E3Rx+EZ56H
Score

10^/10

cybergate new school discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatenew schooldiscoverypersistencestealertrojanupx

behavioral2

cybergatenew schooldiscoverypersistencestealertrojanupx