cybergate | 21549d86404cb281532857810e11f421e380deb5c2cd3389b894e67cb2891467 | Triage

Sharing

General

Target

JaffaCakes118_1860e579083883b2d764df595ff182be
Size

297KB
Sample

250112-z1zqaszjbt
MD5

1860e579083883b2d764df595ff182be
SHA1

571bc6fc566584a9e05eed68bd37d8345612f6af
SHA256

21549d86404cb281532857810e11f421e380deb5c2cd3389b894e67cb2891467
SHA512

5799accd59f9dc97e7328e15fd07542bc490cb513534c16238ce9ae5d8329c1e8172a5329d762c8e147f5c479df373bd7f0328b7ea779930c3f1067d46cb870a
SSDEEP

6144:QmHRZqFsHdBNk9BpaLqaqGFo0g8Zl9+l311nCVjBMV5Oy:R2q69BQqOu04v+05Oy

Score

10^/10

cybergate ata discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ata

C2

dz03dzteam.no-ip.biz:3462

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Intel
install_file
sservice.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
ATALOL1515
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_1860e579083883b2d764df595ff182be
- Size
  
  297KB
- MD5
  
  1860e579083883b2d764df595ff182be
- SHA1
  
  571bc6fc566584a9e05eed68bd37d8345612f6af
- SHA256
  
  21549d86404cb281532857810e11f421e380deb5c2cd3389b894e67cb2891467
- SHA512
  
  5799accd59f9dc97e7328e15fd07542bc490cb513534c16238ce9ae5d8329c1e8172a5329d762c8e147f5c479df373bd7f0328b7ea779930c3f1067d46cb870a
- SSDEEP
  
  6144:QmHRZqFsHdBNk9BpaLqaqGFo0g8Zl9+l311nCVjBMV5Oy:R2q69BQqOu04v+05Oy
Score

10^/10

cybergate ata discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateatadiscoverypersistencestealertrojanupx

behavioral2