cybergate | 1e42ba88f244608295f944be371a8f30a06fad7d9772e017234daf5f0f8609be | Triage

Sharing

General

Target

JaffaCakes118_6941c9d7feda404189119e678225d490
Size

299KB
Sample

250103-a9ghmswjhm
MD5

6941c9d7feda404189119e678225d490
SHA1

71dffe6b8eb82eb344cea407bdd1b706411111c0
SHA256

1e42ba88f244608295f944be371a8f30a06fad7d9772e017234daf5f0f8609be
SHA512

9e2f60eeb86c6e1915a3af936d589986beb8f5e24b90d856049db5619ee421672edb57686da8cd6ecdf86851916b81465dbaabe1e7974c206040b3d5ce6ddd4c
SSDEEP

6144:Btco3IjYdFQsCcbGqQzi7vQvvnJ2r5uLlI2AC87OWVJ4PCCjkzI4ThcV:Btp3IjoFWcbZWi7vGvnJC5uLK2b87PJI

Score

10^/10

cybergate aa discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

aa

C2

zizi.no-ip.org:5000

aladinopippino.no-ip.org:5000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
%windir%
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
aladin
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_6941c9d7feda404189119e678225d490
- Size
  
  299KB
- MD5
  
  6941c9d7feda404189119e678225d490
- SHA1
  
  71dffe6b8eb82eb344cea407bdd1b706411111c0
- SHA256
  
  1e42ba88f244608295f944be371a8f30a06fad7d9772e017234daf5f0f8609be
- SHA512
  
  9e2f60eeb86c6e1915a3af936d589986beb8f5e24b90d856049db5619ee421672edb57686da8cd6ecdf86851916b81465dbaabe1e7974c206040b3d5ce6ddd4c
- SSDEEP
  
  6144:Btco3IjYdFQsCcbGqQzi7vQvvnJ2r5uLlI2AC87OWVJ4PCCjkzI4ThcV:Btp3IjoFWcbZWi7vGvnJC5uLK2b87PJI
Score

10^/10

cybergate aa discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateaadiscoverypersistencestealertrojanupx

behavioral2