cybergate | 03a8b4453295b704d28577c4e879cd0a2f607f4d47a7e4f1f43609b815446329 | Triage

Sharing

General

Target

d633586fbf00b9bceea1084cbc17d91a_JaffaCakes118
Size

388KB
Sample

241208-kq1saatmcm
MD5

d633586fbf00b9bceea1084cbc17d91a
SHA1

76d0adf915d253dbb1ebd66165fa34706214f593
SHA256

03a8b4453295b704d28577c4e879cd0a2f607f4d47a7e4f1f43609b815446329
SHA512

a44846c18a58f59a06b584c60ff08d3c6d0a655194f8a306e76453435384424be107d2a2e91a42fa9846b51d5c521d5c2187dfec3fd859d8268a82f54f6e18e4
SSDEEP

6144:XHxw8+24fIfMLAXW3fUECXurS415a+9pExsk5xhP/j9phNYyk3plZKaFPECdf:XHp4fN0EaQS41Exsk5/Bphi/tFFf

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

127.0.0.1:81

mrrochdi.no-ip.info:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Targets

- Target
  
  d633586fbf00b9bceea1084cbc17d91a_JaffaCakes118
- Size
  
  388KB
- MD5
  
  d633586fbf00b9bceea1084cbc17d91a
- SHA1
  
  76d0adf915d253dbb1ebd66165fa34706214f593
- SHA256
  
  03a8b4453295b704d28577c4e879cd0a2f607f4d47a7e4f1f43609b815446329
- SHA512
  
  a44846c18a58f59a06b584c60ff08d3c6d0a655194f8a306e76453435384424be107d2a2e91a42fa9846b51d5c521d5c2187dfec3fd859d8268a82f54f6e18e4
- SSDEEP
  
  6144:XHxw8+24fIfMLAXW3fUECXurS415a+9pExsk5xhP/j9phNYyk3plZKaFPECdf:XHp4fN0EaQS41Exsk5/Bphi/tFFf
Score

10^/10

cybergate vítima discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatevítimadiscoverypersistencestealertrojanupx

behavioral2

cybergatevítimadiscoverypersistencestealertrojanupx