cybergate | af39d3812e9318a6bfcf531cfe5fb6aedabe15d5debc5ed0b6f458171046544a | Triage

Sharing

General

Target

JaffaCakes118_048e10ce47bbe8ec17c36f93d0d09e70
Size

1012KB
Sample

250112-cvlj6a1qgs
MD5

048e10ce47bbe8ec17c36f93d0d09e70
SHA1

c524074996a00cad03782818de1ef58c36fe6338
SHA256

af39d3812e9318a6bfcf531cfe5fb6aedabe15d5debc5ed0b6f458171046544a
SHA512

23ba5bd884567e3c8e19b5dbabb9c27b068ee1f8d2731962a1d2b1a9a0903a33a335efb0d0d0f33241b13e27f94bc638c5077ca6fbd6199ab29e0f26f510e0ad
SSDEEP

12288:ybAAptoyA7uIL380r981ok5igF4FXMYuKXc0wkoTHI5R0VnTkTbX0+J2gDvhIxHQ:ybA2toT7uIKKNNDTT0YhreHF+Hl

Score

10^/10

cybergate owned discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.01.12

Botnet

owned

C2

lokolokiyo.no-ip.biz:81

Mutex

CyberGate1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1234567
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_048e10ce47bbe8ec17c36f93d0d09e70
- Size
  
  1012KB
- MD5
  
  048e10ce47bbe8ec17c36f93d0d09e70
- SHA1
  
  c524074996a00cad03782818de1ef58c36fe6338
- SHA256
  
  af39d3812e9318a6bfcf531cfe5fb6aedabe15d5debc5ed0b6f458171046544a
- SHA512
  
  23ba5bd884567e3c8e19b5dbabb9c27b068ee1f8d2731962a1d2b1a9a0903a33a335efb0d0d0f33241b13e27f94bc638c5077ca6fbd6199ab29e0f26f510e0ad
- SSDEEP
  
  12288:ybAAptoyA7uIL380r981ok5igF4FXMYuKXc0wkoTHI5R0VnTkTbX0+J2gDvhIxHQ:ybA2toT7uIKKNNDTT0YhreHF+Hl
Score

10^/10

cybergate owned discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateowneddiscoverypersistencestealertrojan

behavioral2

cybergateowneddiscoverypersistencestealertrojanupx