cybergate | b9c31ce42ecd4d04e533eba07a851d7648b3bf93df4fc64f803a9ab573aa5b81 | Triage

Sharing

General

Target

dd25f5bc6a6de05bad25ea23bbae41f0_JaffaCakes118
Size

306KB
Sample

241210-fs459szkar
MD5

dd25f5bc6a6de05bad25ea23bbae41f0
SHA1

3de3dc70859935b7cab47cde81b22c9c07ad014d
SHA256

b9c31ce42ecd4d04e533eba07a851d7648b3bf93df4fc64f803a9ab573aa5b81
SHA512

7b9915677bfaeb74b7786cc7097d7c55d32e5773950804649f74784e6285b4867599845b5a28dea992c424c21e5a4a3b894a40e6611957765bcbd6e749c7ff5e
SSDEEP

6144:myyqz0E9iXLN7AnmlXnzP8vwug5ME8CNiwccIpSZVuPmx9PL6w7nqqDG:Oq1i7N0Yj8vwug5M1+ZIpSiPSP2/qS

Score

10^/10

cybergate cyper discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.13.3

Botnet

cyper

C2

sweeteyes.myftp.org:100

Mutex

40GRBL4J8ACLFV

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
kjrethjrejf
install_file
jerrefbb.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
12345
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  dd25f5bc6a6de05bad25ea23bbae41f0_JaffaCakes118
- Size
  
  306KB
- MD5
  
  dd25f5bc6a6de05bad25ea23bbae41f0
- SHA1
  
  3de3dc70859935b7cab47cde81b22c9c07ad014d
- SHA256
  
  b9c31ce42ecd4d04e533eba07a851d7648b3bf93df4fc64f803a9ab573aa5b81
- SHA512
  
  7b9915677bfaeb74b7786cc7097d7c55d32e5773950804649f74784e6285b4867599845b5a28dea992c424c21e5a4a3b894a40e6611957765bcbd6e749c7ff5e
- SSDEEP
  
  6144:myyqz0E9iXLN7AnmlXnzP8vwug5ME8CNiwccIpSZVuPmx9PL6w7nqqDG:Oq1i7N0Yj8vwug5M1+ZIpSiPSP2/qS
Score

10^/10

cybergate cyper discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatecyperdiscoverypersistencestealertrojanupx

behavioral2