cybergate | dca2f3102d93ac34ff4e7c05ff230369_JaffaCakes118 | Triage

Sharing

General

Target

dca2f3102d93ac34ff4e7c05ff230369_JaffaCakes118
Size

425KB
MD5

dca2f3102d93ac34ff4e7c05ff230369
SHA1

92d757aa9aa48b35fe0e816f37e110521b251fac
SHA256

46cc921ccfa72cd4ba72250d772f224c44d8df905fd7cd18dd3bded468d8e8e8
SHA512

f418a0d55f2022d753ca7346405791ecb4e008e8819dc79a51127acd43f71e93815d590996d1d7d14cccc1c9289d3d3df8766663fd961ece8bacb3a6b6653c0c
SSDEEP

6144:x6BsG/zrxuWBmiiByRFluBW69c0GtUFLtzPDcsEkSmh8Stw+E8PrIrM+NW6o2SW5:IBsG/As6m8Pr4/xS2hdEbA6

Score

10^/10

upx vítima cybergate

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

vítima

C2

127.0.0.1:81

cynic25.zapto.org:80

Mutex

***MUTEX***

Attributes

enable_keylogger
false
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Windl
install_file
win32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Congrats trojan connects to remote pc
message_box_title
yay
password
abcd1234

Signatures

Cybergate family
cybergate

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
sample	upx

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
dca2f3102d93ac34ff4e7c05ff230369_JaffaCakes118

Files

dca2f3102d93ac34ff4e7c05ff230369_JaffaCakes118
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

UPX0
Size: 136KB - Virtual size: 136KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 284KB - Virtual size: 284KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE