General

  • Target

    JaffaCakes118_62d7fc7b0464d5711e9e5e716cd71f5b

  • Size

    784KB

  • Sample

    250102-fsc2savmbt

  • MD5

    62d7fc7b0464d5711e9e5e716cd71f5b

  • SHA1

    1b41a64468cfb35ad20a5dead88537a427fe12ae

  • SHA256

    bdfd89a5ece14b779d983cda4c0caed3b9e479ea1208262e4493d6584d3af1f5

  • SHA512

    98c5ee6fab30c4c54d6e59b8042df291ede4789f730b13b5ac6f63ee1f51c967d545ce2faa25ef179fbdcfc9b63986307e263e122ea65a3673c3896c5fdac0d0

  • SSDEEP

    24576:0So0W5K3Y+WBROj2Xf2cryYjQpbPEyXubbvTIB:o5K3+BRg2P2cVMPEbbvkB

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

C2

hackmohamed1.zapto.org:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

Extracted

Family

latentbot

C2

hackmohamed1.zapto.org

Targets

    • Target

      JaffaCakes118_62d7fc7b0464d5711e9e5e716cd71f5b

    • Size

      784KB

    • MD5

      62d7fc7b0464d5711e9e5e716cd71f5b

    • SHA1

      1b41a64468cfb35ad20a5dead88537a427fe12ae

    • SHA256

      bdfd89a5ece14b779d983cda4c0caed3b9e479ea1208262e4493d6584d3af1f5

    • SHA512

      98c5ee6fab30c4c54d6e59b8042df291ede4789f730b13b5ac6f63ee1f51c967d545ce2faa25ef179fbdcfc9b63986307e263e122ea65a3673c3896c5fdac0d0

    • SSDEEP

      24576:0So0W5K3Y+WBROj2Xf2cryYjQpbPEyXubbvTIB:o5K3+BRg2P2cVMPEbbvkB

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • LatentBot

      Modular trojan written in Delphi which has been in-the-wild since 2013.

    • Latentbot family

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks