General

  • Target

    e0996f5ff321831d32742ef878e28c80_JaffaCakes118

  • Size

    4.0MB

  • Sample

    241211-j8sc7ayraq

  • MD5

    e0996f5ff321831d32742ef878e28c80

  • SHA1

    f9de745d71fb8bfbd484a8092948c4d5be3d18ff

  • SHA256

    bb84737653220c802bd8d519f9ec92562520849599eca4bc945e55dab4b75d0b

  • SHA512

    99e132f36b9847ba62756d35bb67fd279111e44532bc23b5cbb3540b17e59ec9fb813092d683970dc3b2a89ab5396c04f06b6bdbcc758075593d5d22d20c4283

  • SSDEEP

    98304:0YmI23qGEQK7uxhO5hz/XvQB/SmkJeOjxWd:iI2ap7uDO5hz//QB/SmUljxWd

Malware Config

Extracted

Family

cybergate

Version

v1.13.1

Botnet

remote

C2

darkman2010.dyndns.org:50077

Mutex

21D3A34V26XD16

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    system32

  • install_file

    wmplay.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    berlin

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      e0996f5ff321831d32742ef878e28c80_JaffaCakes118

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
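The extracted config and the behaviour signatures above are enough to write concrete hunts for this sample. As an added example (not part of the sandbox report and not CyberGate's own code), the Python below normalises the report's indicators (C2 host and port, mutex, install path, injection target, the Run, policy Run and Active Setup registry paths) and runs them over constructed endpoint telemetry. The record shape, the field names and the sample events are assumptions made for the example; only the indicator values come from this report.

```python
"""Hunt constructed endpoint telemetry for the CyberGate indicators in this report."""
from collections import defaultdict

# Extracted config values, as listed in the report above.
CONFIG = {
    "c2": "darkman2010.dyndns.org:50077",
    "mutex": "21D3A34V26XD16",
    "install_dir": "system32",
    "install_file": "wmplay.exe",
    "injected_process": "explorer.exe",
}

# Registry paths behind the "Adds Run key", "Adds policy Run key" and
# "Active Setup" behaviours; matched case-insensitively as substrings.
PERSISTENCE_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
    r"\software\microsoft\active setup\installed components",
)


def build_iocs(cfg):
    """Normalise the extracted config into comparable indicators."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        # install_dir\install_file; matched as a path suffix so the Windows
        # directory prefix does not matter.
        "install_path": "\\{}\\{}".format(cfg["install_dir"], cfg["install_file"]).lower(),
        "injected_process": cfg["injected_process"].lower(),
    }


def classify(ev, iocs):
    """Return the list of (rule, detail) pairs one telemetry record triggers."""
    hits = []
    kind = ev["type"]
    if kind == "dns" and ev["query"].lower() == iocs["c2_host"]:
        hits.append(("c2_dns", ev["query"]))
    elif kind == "network":
        dst = "{}:{}".format(ev["dst_host"], ev["dst_port"])
        if ev["dst_host"].lower() == iocs["c2_host"]:
            hits.append(("c2_connect", dst))
        elif ev["dst_port"] == iocs["c2_port"]:
            # Port alone is weak evidence (dyndns hosts change); flag it separately.
            hits.append(("c2_port_only", dst))
    elif kind == "file" and ev["path"].lower().endswith(iocs["install_path"]):
        hits.append(("install_drop", ev["path"]))
    elif kind == "registry":
        key = ev["key"].lower()
        if any(p in key for p in PERSISTENCE_KEYS) and iocs["install_path"] in ev["data"].lower():
            hits.append(("persistence", ev["key"]))
    elif kind == "mutex" and ev["name"] == iocs["mutex"]:
        hits.append(("mutex", ev["name"]))
    elif kind == "remote_thread":
        # Dropped binary touching the configured injection target
        # (what the "Suspicious use of SetThreadContext" signature reflects).
        if (ev["source"].lower().endswith(iocs["install_path"])
                and ev["target"].lower().endswith("\\" + iocs["injected_process"])):
            hits.append(("injection", "{} -> {}".format(ev["source"], ev["target"])))
    return hits


def hunt(events, iocs):
    """Aggregate hits per rule over a sequence of telemetry records."""
    found = defaultdict(list)
    for ev in events:
        for rule, detail in classify(ev, iocs):
            found[rule].append(detail)
    return dict(found)


# Constructed telemetry (not from the sandbox run): three benign records,
# then a chain that mirrors the report's config and behaviour signatures.
SAMPLE_EVENTS = [
    {"type": "network", "dst_host": "update.example.org", "dst_port": 443},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Sync\sync.exe"},
    {"type": "mutex", "name": "Local\\SomeBenignMutex"},
    {"type": "file", "path": r"C:\Windows\system32\wmplay.exe"},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}",
     "data": r"C:\Windows\system32\wmplay.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "data": r"C:\Windows\system32\wmplay.exe"},
    {"type": "mutex", "name": "21D3A34V26XD16"},
    {"type": "dns", "query": "darkman2010.dyndns.org"},
    {"type": "network", "dst_host": "darkman2010.dyndns.org", "dst_port": 50077},
    {"type": "remote_thread", "source": r"C:\Windows\system32\wmplay.exe",
     "target": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, details in sorted(hunt(SAMPLE_EVENTS, build_iocs(CONFIG)).items()):
        print(rule, details)
```

The benign Run-key record is deliberately included: a Run key write alone is noise, so the persistence rule only fires when the written data points at the configured install path. The port-only rule is kept separate because the C2 is a dyndns name and the operator can re-point it; treat a port-only hit as a lead, not a verdict.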
