General
Target: JaffaCakes118_7a981ecc0c69c3f6cf74b58d32eb6097
Size: 545KB
Sample: 250104-tlkd6swpez
MD5: 7a981ecc0c69c3f6cf74b58d32eb6097
SHA1: 19a19e046523ef980250c828c4679267c3e46bd2
SHA256: c6fe9e76af5ecf62ca0c220fa94e53d8e9c18ee4a585849148668f4e303cf45e
SHA512: 45f5deb78a4cbe5b08bbdbed4848ed186d5ee53c3880d0dab115dacf9bca1e0a643ba8d8c00cd8056155b75b6c6cbbe5982f59b7b91006f09747831e51e7d269
SSDEEP: 12288:Rp77UL8TQin9XRc2F0sq9eL3YM6+qwIg1MVwlGuyQmsu6qV8Rg0:XHUQTQ09XRud9eL3YOqwIguV4GLQPUaj
Behavioral task: behavioral1
Sample: JaffaCakes118_7a981ecc0c69c3f6cf74b58d32eb6097.exe
Resource: win7-20240708-en
Malware Config
Extracted family: sality
C2 URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted family: cybergate
Version: 2.7 Final
Botnet: vítima
C2: netto.zapto.org:81
Mutex: ***MUTEX***
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: abcd1234
Targets
Target: JaffaCakes118_7a981ecc0c69c3f6cf74b58d32eb6097
Size: 545KB
Signatures:
- Cybergate family
- Modifies firewall policy service
- Sality family
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
MITRE ATT&CK Enterprise v15 (number of matched signatures per technique in parentheses)
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (7)