cybergate | cd7004e0ed404982625de4f3a6dd23fcedd1c482c9bbb096f529a8da434dc3f1 | Triage

Sharing

General

Target

fd2bf73d27fef2825365a9b4b1a2f684_JaffaCakes118
Size

404KB
Sample

241218-z8r1essjhz
MD5

fd2bf73d27fef2825365a9b4b1a2f684
SHA1

f96308665d32fa44f3157e0ef3a0e84b21cd5b76
SHA256

cd7004e0ed404982625de4f3a6dd23fcedd1c482c9bbb096f529a8da434dc3f1
SHA512

0b8c540dfd207836fb7b042711a1141a74c1fa28ae4e3a79482ab25c26af146105f0f207bd4800cb06f59f1cacb6ce98553a833170c6012c31257c77b716552f
SSDEEP

12288:UiSC/HRY+iLb0Be5Wqp7ssBlRwWW6o6daV:jiJJ7zBlRwSo6dm

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

lolwut1337.zapto.org:11770

Mutex

BRDN2U0QL8HS1F

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  Registry.First.Aid.Platinum.v8.0.1.Multilingual.Incl.Keymaker-CORE.exe
- Size
  
  404KB
- MD5
  
  20bdc6ad8b56c5929d2441e3c01c87bd
- SHA1
  
  ba37195e7313dbaa7a1bccfd8223abdcf6a50c0c
- SHA256
  
  d4dc29f750032d5ec86024fbfac73f6ab64c9e1504d5f3e4f120737634cfdbea
- SHA512
  
  ec374d84a8c0f02051269841cc72d8875924c2fcdb76925be95e367a46f9386585e57b19f4f6649b8e6127d66e4c9191556c703c521d8ed02f2ed4e610d834e2
- SSDEEP
  
  12288:+iSC/HRY+iLb0Be5Wqp7ssBlRwWW6o6da:ZiJJ7zBlRwSo6d
Score

10^/10

cybergate remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateremotediscoverypersistencestealertrojanupx

behavioral2