General

  • Target

    JaffaCakes118_614cd1414c7b7d48972dfa8cedb1def0

  • Size

    617KB

  • Sample

    250101-3hjg5s1jcv

  • MD5

    614cd1414c7b7d48972dfa8cedb1def0

  • SHA1

    347800cc562e9ff0e0a2a7b12687049855472898

  • SHA256

    7f239b7a053165e92047106ac5893f2d9e0b763fd565b2d95e1dc97c458f0c1a

  • SHA512

    d4e77c0fcf81e16aa75762cbc5182aaa315f86ffb797cf332ac25d006839b2452258901e5da4e71f82db9549e113763a6727ac97f35b9b483a13d86568df281b

  • SSDEEP

    12288:y/UOmLdhpC/yUPrjLBTvmMoTx0E30+RARkhb7DIiDzs5AyFcVkw:83mh7C/7P5BE306fFQic5AyFc

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v3.4.2.2

  • Botnet

    30-5-13

  • C2

    gerdab.gotgeeks.com:14000

    gerd.sytes.net:14000

  • Mutex

    FT44VK4V180476

Attributes

  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    SuperSoft

  • install_file

    Builder.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    aqwzsx33

  • regkey_hkcu

    Builder

Targets

    • Target

      JaffaCakes118_614cd1414c7b7d48972dfa8cedb1def0

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modiloader family

    • ModiLoader Second Stage

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15