cybergate | 29160b37a585a564bf6fce2f4f045ab7885d0cada3873383a410290dd2918210 | Triage

Sharing

General

Target

JaffaCakes118_08dd7021d08e70a2cebd255ecc142cfc
Size

432KB
Sample

250112-h7g1dssmat
MD5

08dd7021d08e70a2cebd255ecc142cfc
SHA1

5ca72a7468c8230fd5ec435f0d2dbd85812b2463
SHA256

29160b37a585a564bf6fce2f4f045ab7885d0cada3873383a410290dd2918210
SHA512

d1969bca6956df511cf6204b608f3b50cd6a1b7e9d4703a727ba1df1ecc4671cafeb301c01e5186897ebe8ca6c865fb3bbbde97088ab6171d794a0ce7f358fa9
SSDEEP

6144:zHuHBE3Ig+KAGQyGcR0hT4VACpzL4qUFZHDS1TijqNj2cYfmomTCEMLXfu:zHRNlGcR0hT8A/ZHG1ej6j2cGmT

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

123idiot12322393.no-ip.biz:1604

Mutex

E5F25G3SUN471J

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_08dd7021d08e70a2cebd255ecc142cfc
- Size
  
  432KB
- MD5
  
  08dd7021d08e70a2cebd255ecc142cfc
- SHA1
  
  5ca72a7468c8230fd5ec435f0d2dbd85812b2463
- SHA256
  
  29160b37a585a564bf6fce2f4f045ab7885d0cada3873383a410290dd2918210
- SHA512
  
  d1969bca6956df511cf6204b608f3b50cd6a1b7e9d4703a727ba1df1ecc4671cafeb301c01e5186897ebe8ca6c865fb3bbbde97088ab6171d794a0ce7f358fa9
- SSDEEP
  
  6144:zHuHBE3Ig+KAGQyGcR0hT4VACpzL4qUFZHDS1TijqNj2cYfmomTCEMLXfu:zHRNlGcR0hT8A/ZHG1ej6j2cGmT
Score

10^/10

cybergate cyber discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatecyberdiscoverypersistencestealertrojanupx

behavioral2

cybergatecyberdiscoverypersistencestealertrojanupx