cybergate | f29ab36f7c3387e7ad4615d5427ddc14c2bfdb427ef7ad6b579cda272b7b61de

General

Target

JaffaCakes118_78935c66e2ecd70a8a5c1fd3d9d9d9d2
Size

288KB
Sample

250104-jwn51azrbz
MD5

78935c66e2ecd70a8a5c1fd3d9d9d9d2
SHA1

934243513fbc4078b4389f0a68365398f1350838
SHA256

f29ab36f7c3387e7ad4615d5427ddc14c2bfdb427ef7ad6b579cda272b7b61de
SHA512

adbaff0e2efed5fe1d75ce4d5ed1a63220da12f73f0df438ee6de6f3dbf5a57cb9b73f7692d125e8b82ccd87f1a061fae2d7c9b3bbe62a2d00e934c34b5d32a9
SSDEEP

6144:bNjzntMXVUoPVSQ+5j8q2LWwX/g8se+8FrJG6O1mxiP:bBWUo9SQ+5j8uwvg3YO6O1X

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.02.1

Botnet

Lammer

C2

127.0.0.1:81

Mutex

Pluguin

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
Pluguin.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
message_box_title
LAMMER
password
fd

Targets

- Target
  
  JaffaCakes118_78935c66e2ecd70a8a5c1fd3d9d9d9d2
- Size
  
  288KB
- MD5
  
  78935c66e2ecd70a8a5c1fd3d9d9d9d2
- SHA1
  
  934243513fbc4078b4389f0a68365398f1350838
- SHA256
  
  f29ab36f7c3387e7ad4615d5427ddc14c2bfdb427ef7ad6b579cda272b7b61de
- SHA512
  
  adbaff0e2efed5fe1d75ce4d5ed1a63220da12f73f0df438ee6de6f3dbf5a57cb9b73f7692d125e8b82ccd87f1a061fae2d7c9b3bbe62a2d00e934c34b5d32a9
- SSDEEP
  
  6144:bNjzntMXVUoPVSQ+5j8q2LWwX/g8se+8FrJG6O1mxiP:bBWUo9SQ+5j8uwvg3YO6O1X
Score

10^/10

cybergate lammer discovery stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Cybergate family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2