General
-
Target
ef7aaabc1eb9e4a86af47dd17f0a5bfb_JaffaCakes118
-
Size
310KB
-
Sample
241214-s2zclawpgx
-
MD5
ef7aaabc1eb9e4a86af47dd17f0a5bfb
-
SHA1
f2e771aad0ae7ddee8c1ca66ebbe424d18dae4cf
-
SHA256
dbe803e3d626744f312b79420dd9cb14ba88b540ae7e046f35a5b4f8c742f036
-
SHA512
9204e88daa3cfc5ee59f5faad85c905cff668ba2d99e273009e2b4cebe1723774ba9f66c85286006d5bbc8a949ebb65ecd1fc4d70f32d36c5029e9072d539f83
-
SSDEEP
6144:FwjZgcuINqN1nhRPOJhfEqjXImW5aR1DWxlL11VfrjEBytDE25M5w:FwlgesPnhJoBj25aR1DWxthrjEBWE25L
Malware Config
Extracted
cybergate
v1.07.5
tnwrestler360
tnwrestler.no-ip.info:82
J72Q34UT3QK5SC
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
WinDir
-
install_file
Svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
4494td
Targets
-
-
Target
ef7aaabc1eb9e4a86af47dd17f0a5bfb_JaffaCakes118
-
Size
310KB
-
MD5
ef7aaabc1eb9e4a86af47dd17f0a5bfb
-
SHA1
f2e771aad0ae7ddee8c1ca66ebbe424d18dae4cf
-
SHA256
dbe803e3d626744f312b79420dd9cb14ba88b540ae7e046f35a5b4f8c742f036
-
SHA512
9204e88daa3cfc5ee59f5faad85c905cff668ba2d99e273009e2b4cebe1723774ba9f66c85286006d5bbc8a949ebb65ecd1fc4d70f32d36c5029e9072d539f83
-
SSDEEP
6144:FwjZgcuINqN1nhRPOJhfEqjXImW5aR1DWxlL11VfrjEBytDE25M5w:FwlgesPnhJoBj25aR1DWxthrjEBWE25L
Score10/10-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Cybergate family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-