General

Target: JaffaCakes118_7761860d062d0ebb2fe81bf903b86e04
Size: 412KB
Sample: 250104-d4zc2s1qgq
MD5: 7761860d062d0ebb2fe81bf903b86e04
SHA1: 4bb57ef31f1df0af7464c8f71288da9ca789c379
SHA256: a227db457c8000ea5c0085a218dc7bd4e511f210b98dd939ca4c7dccfdf9b35b
SHA512: 307d4462d502c1af6c85fd7100a2fff1aecb4d03bf4644e68595369c1f71926f1ff8ce62b59c12c7b0aeb3b211f9a711788122cffb318e252b6dc2b81fb2f7be
SSDEEP: 6144:20Bf9ZAu5Vfc0qv2hUpAh8Yt+2ESeunKE7Vh7ghHNOqYSUiCqXrXPiCqiKJ2ANp:TOu5Jc0El2ESelEEVXUi3rXqCqjJ2ANp

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_7761860d062d0ebb2fe81bf903b86e04.exe
Resource: win7-20240903-en
Malware Config

Extracted: Sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Extracted: CyberGate
Version: 2.6
Campaign ID: vítima (Portuguese: "victim")
C2: muhammed999.no-ip.org:81
Mutex: xcvxcvxcvcxgfdgfdgfdga
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_file: lsrss.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem (Portuguese: "message text"; placeholder text, unused because enable_message_box is false)
message_box_title: título da mensagem (Portuguese: "message title"; placeholder text, unused because enable_message_box is false)
password: abcd1234

Reading the flags together: the keylogger is on but FTP upload of its logs is off, the RAT installs itself to disk as lsrss.exe (install_flag true) and injects into explorer.exe, and the C2 is a dynamic-DNS hostname rather than a fixed IP.
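The Sality URLs and the CyberGate C2 above are the actionable network indicators in this report. The following is an added example (not part of the sandbox output) of turning them into a hunt over proxy/DNS-style log lines; the log lines are constructed for the example, not captured traffic, and the line format is our own assumption.

```python
"""Hunt for the Sality and CyberGate network indicators extracted above in
proxy/DNS-style log lines. Example added to this report; the log lines are
constructed, not captured traffic."""
from urllib.parse import urlparse

# Indicators copied verbatim from the Malware Config section of this report.
SALITY_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]
CYBERGATE_C2 = "muhammed999.no-ip.org:81"

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port> <sni_or_host>"
# ("-" when no hostname was seen). None of these lines is real traffic.
SAMPLE_LOG = """\
2025-01-04T10:00:01Z 10.0.0.5 93.184.216.34 443 example.com
2025-01-04T10:00:02Z 10.0.0.5 89.119.67.154 80 -
2025-01-04T10:00:03Z 10.0.0.5 198.51.100.7 80 www.kukutrustnet777.info
2025-01-04T10:00:04Z 10.0.0.5 198.51.100.8 81 muhammed999.no-ip.org
2025-01-04T10:00:05Z 10.0.0.5 198.51.100.9 80 other.no-ip.org
""".splitlines()


def build_indicators(urls=SALITY_URLS, c2=CYBERGATE_C2):
    """Reduce the extracted config to matchable pieces: hostnames, literal IPs,
    and the CyberGate host:port pair."""
    hosts, ips = set(), set()
    for url in urls:
        host = urlparse(url).hostname.lower()
        (ips if host.replace(".", "").isdigit() else hosts).add(host)
    c2_host, c2_port = c2.rsplit(":", 1)
    hosts.add(c2_host.lower())
    return {"hosts": hosts, "ips": ips, "c2": (c2_host.lower(), int(c2_port))}


def host_matches(observed, indicator):
    """Exact match or a subdomain of the indicator, never a bare suffix match
    (notkukutrustnet777.info must not match kukutrustnet777.info)."""
    observed = observed.lower().rstrip(".")
    return observed == indicator or observed.endswith("." + indicator)


def scan(lines, ind):
    """Return (line_number, reason) for every line that touches an indicator.

    The CyberGate C2 is matched on hostname, not IP: no-ip.org is a dynamic-DNS
    service, so the address behind muhammed999.no-ip.org changes, and blocking
    all of no-ip.org would be a noisy over-block (line 5 is deliberately clean).
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue  # skip malformed lines rather than silently mis-parse them
        _, _src, dst_ip, dst_port, host = fields
        if dst_ip in ind["ips"]:
            hits.append((n, f"destination {dst_ip} is a Sality URL host"))
            continue
        if host_matches(host, ind["c2"][0]):
            port_note = "expected port" if int(dst_port) == ind["c2"][1] else "unexpected port"
            hits.append((n, f"{host}:{dst_port} is the CyberGate C2 ({port_note})"))
            continue
        for indicator in ind["hosts"]:
            if host_matches(host, indicator):
                hits.append((n, f"{host} matches Sality indicator {indicator}"))
                break
    return hits


if __name__ == "__main__":
    for line_no, reason in scan(SAMPLE_LOG, build_indicators()):
        print(f"line {line_no}: {reason}")
```

Lines 2, 3 and 4 of the constructed log are reported; line 5 (another no-ip.org host) is not, which is the intended behaviour for a dynamic-DNS indicator.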
Targets

Target: JaffaCakes118_7761860d062d0ebb2fe81bf903b86e04 (412KB)
- Cybergate family
- Sality family
- Modifies firewall policy service
- Adds policy Run key to start application (a value under the Policies\Explorer\Run key)
- Boot or Logon Autostart Execution: Active Setup (T1547.014). Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext, an API commonly used to redirect a thread into injected code; consistent with the injected_process value explorer.exe in the CyberGate config.
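The Active Setup signature above records only that a key was written. What decides whether the planted StubPath actually executes for a given user is the logon comparison between the machine-wide key and the per-user copy. The following is an added example (not the sandbox's logic) that works through that rule and flags stub paths outside the Windows and Program Files trees; the registry contents, GUID-style names and the lsrss.exe path are constructed (the report names lsrss.exe as the CyberGate install_file but does not show which Active Setup key the sample wrote), and the "suspicious path" heuristic is our own.

```python
"""Work through the Active Setup logon rule to see which StubPath entries would
fire for a user. Example added to this report; the registry contents are
constructed, not exported from the sandbox run."""

HKLM_PATH = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
HKCU_PATH = r"HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components"

# Hypothetical machine-wide entries. The GUID-style names are placeholders;
# the lsrss.exe StubPath is constructed from the install_file value in the
# CyberGate config above (the report does not show the key the sample wrote).
HKLM_SAMPLE = {
    "{00000000-0000-0000-0000-0000000000AA}": {
        "StubPath": r'"C:\Windows\System32\rundll32.exe" example.dll,Install',
        "Version": "1,0,0,0", "IsInstalled": 1},
    "{00000000-0000-0000-0000-0000000000BB}": {
        "StubPath": r"C:\Users\victim\AppData\Roaming\lsrss.exe",
        "Version": "2,0,0,0", "IsInstalled": 1},
    "{00000000-0000-0000-0000-0000000000CC}": {
        "StubPath": r"C:\Windows\System32\ie4uinit.exe",
        "Version": "1,0,0,0", "IsInstalled": 0},
    "{00000000-0000-0000-0000-0000000000DD}": {
        "StubPath": r"C:\Users\victim\AppData\Roaming\lsrss.exe",
        "Version": "1,0,0,0", "IsInstalled": 1},
}
# Hypothetical per-user copies: AA already ran at this Version, BB ran at an
# older Version (an attacker bumps Version to re-arm a key), DD has never run.
HKCU_SAMPLE = {
    "{00000000-0000-0000-0000-0000000000AA}": {"Version": "1,0,0,0"},
    "{00000000-0000-0000-0000-0000000000BB}": {"Version": "1,0,0,0"},
}


def parse_version(text):
    """Active Setup Versions are comma-separated integers ("1,0,0,0"); a missing
    value compares as all zeros. Pad to four fields so "1,0" == "1,0,0,0"."""
    parts = [int(p) for p in text.split(",")] if text else []
    return tuple(parts + [0] * (4 - len(parts)))


def stub_runs(hklm_entry, hkcu_entry):
    """The logon rule: run StubPath when IsInstalled is not 0 (absent counts as
    enabled) and the user has no copy of the key, or the machine Version is
    newer than the user's."""
    if hklm_entry.get("IsInstalled", 1) == 0 or not hklm_entry.get("StubPath"):
        return False
    if hkcu_entry is None:
        return True
    return parse_version(hklm_entry.get("Version")) > parse_version(hkcu_entry.get("Version"))


def stub_executable(stub_path):
    """First token of the StubPath command line, honouring a quoted path."""
    stub_path = stub_path.strip()
    if stub_path.startswith('"'):
        end = stub_path.find('"', 1)
        return stub_path[1:end] if end > 0 else stub_path.strip('"')
    return stub_path.split()[0]


def suspicious_stub(stub_path):
    """Heuristic (ours, not the sandbox's): a StubPath outside the Windows or
    Program Files trees, e.g. in a user-writable profile directory, is suspect."""
    exe = stub_executable(stub_path).lower()
    trusted = ("c:\\windows\\", "c:\\program files", "%systemroot%\\", "%windir%\\")
    return not exe.startswith(trusted)


def review(hklm, hkcu):
    """List the entries that would run at the next logon, with the reason, and
    flag the suspicious ones."""
    findings = []
    for key, entry in hklm.items():
        user = hkcu.get(key)
        if not stub_runs(entry, user):
            continue
        if user is None:
            reason = "no per-user key: first run for this user"
        else:
            reason = f"machine Version {entry.get('Version')} > user Version {user.get('Version')}"
        findings.append({"id": key, "stub": entry["StubPath"], "reason": reason,
                         "suspicious": suspicious_stub(entry["StubPath"])})
    return findings


if __name__ == "__main__":
    for f in review(HKLM_SAMPLE, HKCU_SAMPLE):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['id']} -> {f['stub']} ({f['reason']})")
```

Two things the table of signatures does not show fall out of this: a key whose per-user copy is absent fires on the next logon of every user who has not logged on since it was written, and a key whose per-user copy exists can be re-armed simply by raising the machine-wide Version, so triage should compare both hives rather than only enumerate HKLM.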
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)

Persistence
- Boot or Logon Autostart Execution, T1547 (2)
  - Active Setup, T1547.014 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
- Create or Modify System Process, T1543 (1)
  - Windows Service, T1543.003 (1)

Privilege Escalation
- Abuse Elevation Control Mechanism, T1548 (1)
  - Bypass User Account Control, T1548.002 (1)
- Boot or Logon Autostart Execution, T1547 (2)
  - Active Setup, T1547.014 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
- Create or Modify System Process, T1543 (1)
  - Windows Service, T1543.003 (1)

Defense Evasion
- Abuse Elevation Control Mechanism, T1548 (1)
  - Bypass User Account Control, T1548.002 (1)
- Impair Defenses, T1562 (4)
  - Disable or Modify System Firewall, T1562.004 (1)
  - Disable or Modify Tools, T1562.001 (3)
- Modify Registry, T1112 (7)