General

  • Target

    JaffaCakes118_7b6319a3f462ae37948c1f62b6094de6

  • Size

    324KB

  • Sample

    250104-x7vc2stlc1

  • MD5

    7b6319a3f462ae37948c1f62b6094de6

  • SHA1

    213da0f810ebffdbf1a03c37bbda19fb7ea8a3d9

  • SHA256

    5385945607f74ebba6ba580d87a036a8a6c3a43c50aa42e6499a3c15b1f7e463

  • SHA512

    ab5bfe9c34527b96a49afad4038b43311728df2d2dbe0e0e12c9b98295745e4e83eb4bb0a0db49aebba9554d983fd2e8a4272d3dac0cfbfcb667ac7dcd916384

  • SSDEEP

    6144:4z/BVQ0Uwe4QPurZKe2GRuXry5PBt/7Mtu2Ijz7gXcv0ms:sJVzUREwe2GEbyPiCf7ka0ms

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

aelgen.sytes.net:80

Mutex

0DINBD5WDLN3P5

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Installing 29% done

  • message_box_title

    Norman Malware Cleaner

  • password

    lol

Targets

    • Target

      JaffaCakes118_7b6319a3f462ae37948c1f62b6094de6

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15