Overview

overview

10

Static

static

3

ADOBEC~1.exe

windows7-x64

3

ADOBEC~1.exe

windows10-2004-x64

3

CYBERG~1.exe

windows7-x64

10

CYBERG~1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e111bb375e65329a04bf526b246ec5b6_JaffaCakes118

  • Size

    349KB

  • Sample

    241211-mpf3latlfl

  • MD5

    e111bb375e65329a04bf526b246ec5b6

  • SHA1

    aa56ee66fde549b3e0ad3775a82516761175dfd7

  • SHA256

    237fcdd89b6a0f8ae80f803d6586f680c1985eecbc4bed2af10836dea1f114c4

  • SHA512

    0eb69f39bca4af062df297cd6881feb38898aa1ddd68ec82a76bc1a83e088308c38149b198f41fb4ae5ead2222867529e69588d145d2659f0982835101057864

  • SSDEEP

    6144:DnES1EAeV7RwrQyBz4s6NS4DQdRaK+IBfke5Dh+UsJF3XG5fpFu8ABv:DE9wMWzqNwuKZkeX+UsL3W5fq8Al

Score
10/10
cybergatejonahdiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Jonah

C2

jonahjameson.no-ip.biz:100

Mutex

L7Y726M8KC7VN5

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      ADOBEC~1.EXE

    • Size

      77KB

    • MD5

      df9f6bfca92822cc878eac8faeecdf50

    • SHA1

      6c46a78251ad638984d38c4d19165e1d8f94a844

    • SHA256

      629096ab8962c6a37c1a10217e4250bebae2cbe08d5d25a17fa78283388036da

    • SHA512

      470af66ecbe9411a4b19e55c21531eca4e5daf5fa1c9aebf638425a93e9064b62b19c639ad34b932783a8bafc670bb953caab7a1107d65abf3be27345548004a

    • SSDEEP

      768:BV2/8i+nNW2IUkU7U+hPoGzspZjN4rvVf2htP+z3elrREf6rDtO+5mZxZnQFp5JO:jc8v+SBPw4rVatP+LeQeDP5IxG/xc

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      CYBERG~1.EXE

    • Size

      324KB

    • MD5

      66a881c43f39821a1b0549b5f14a8d66

    • SHA1

      c8928788664acab21d64872ffa6e36374f406adf

    • SHA256

      8cdf60f38753481c688f6a12e26e6edeae19e2a781313bd01d802e53c66a6c31

    • SHA512

      8ffe3e90ff53b978ab840dd043014ddf75f014fa2e0b6aa57b36c01ad39a6306934d09a86aad7209adfd2c033833c30d4cf0819fea3f43cb1ba3ccc0796cc4b2

    • SSDEEP

      6144:XGWhtZitMYUH/abBAMMU6NStDQdRa1+IBfkeSDh+UsJA3XQyja/GqkrJOoXY:V9tzH/MKlXN5u1Zkeg+Usq3AyjaGqklz

    Score
    10/10
    cybergatejonahdiscoverypersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Cybergate family

      cybergate

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks