General

  • Target

    JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33

  • Size

    8.2MB

  • Sample

    250114-z7xvaasmep

  • MD5

    45cfd5b04853ee2519df5dbae83fea33

  • SHA1

    5ee4e1ebf2723cecbe13afcf4d6636eed0ee0e38

  • SHA256

    aacdf6bcb15afa56c07ffcd2e7f8fa9e26d920af1d4614c03edb24c6cb5cb6b8

  • SHA512

    5734dcb76f7cf892b03c8540339ccd3f35797d6a66ba76f6b8c34c3f07890a3c75a13b2a8c853cc153439e69b9544566e6d6da19a23fad34df0d0e10d5dde052

  • SSDEEP

    196608:QttvC0KNZskfwZ4r2W7Sx/I6Ohmq+j2GabhJv3WIp1i1TM7kV8EXT3bsi4u:QvClNtl2eMaAPohJvpwQ7kVRB

Malware Config

Extracted

Family

cybergate

Version

2.2.2

Botnet

Victim

C2

f-15aaa.no-ip.biz:288

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    explore.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    ?? ??????? ?????? ?????? ???????

  • message_box_title

    ??? ?????

  • password

    123

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks