Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    f350e3c3768789f30caede8dfc289e42_JaffaCakes118

  • Size

    590KB

  • Sample

    241215-k793aazlex

  • MD5

    f350e3c3768789f30caede8dfc289e42

  • SHA1

    ac1e522b126a68eae8fa1ccb89badfa43df7c2ea

  • SHA256

    b02feb84defc5b85ffd780fc406ba5ee3077aac3855c7224e022185eb25f756b

  • SHA512

    28ad0c372a75ccdc1b4a8bda6f9358adafe3c0cc61ff78fce3f99d722a3f4b437b3cad0e50d014c3ed5497f481ccda19bd7da002d9536f687930f2e01cb37f6a

  • SSDEEP

    12288:eMvf/KAYAtUWVtc+dErtU3vFj7cTVvOaZgFfCINyud023vx/sboxvTV5n:7HbVGMgk6jeHyu22KETV5n

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Scr3w

C2

1337cybergate6077.no-ip.biz:1337

Mutex

6G34WX02OPKHYL

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft

  • install_file

    Microupdate.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    error 562463. Please contact your local Administrator to acess this file

  • message_box_title

    ERROR

  • password

    123456

  • regkey_hkcu

    MICROSOFT

  • regkey_hklm

    MICROSOFT

Targets

    • Target

      f350e3c3768789f30caede8dfc289e42_JaffaCakes118

    • Size

      590KB

    • MD5

      f350e3c3768789f30caede8dfc289e42

    • SHA1

      ac1e522b126a68eae8fa1ccb89badfa43df7c2ea

    • SHA256

      b02feb84defc5b85ffd780fc406ba5ee3077aac3855c7224e022185eb25f756b

    • SHA512

      28ad0c372a75ccdc1b4a8bda6f9358adafe3c0cc61ff78fce3f99d722a3f4b437b3cad0e50d014c3ed5497f481ccda19bd7da002d9536f687930f2e01cb37f6a

    • SSDEEP

      12288:eMvf/KAYAtUWVtc+dErtU3vFj7cTVvOaZgFfCINyud023vx/sboxvTV5n:7HbVGMgk6jeHyu22KETV5n

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks