cybergate | 4d7cb0ffe2799f490613078c05064559ca1996e32fe1f3875df954147a4d8c16 | Triage

Sharing

General

Target

JaffaCakes118_72724b80e9c579c7c1efeb41e2c5263a
Size

380KB
Sample

250116-lpy3qstrey
MD5

72724b80e9c579c7c1efeb41e2c5263a
SHA1

d8ace2e21dceb34e9536fa7439506af48492dc29
SHA256

4d7cb0ffe2799f490613078c05064559ca1996e32fe1f3875df954147a4d8c16
SHA512

3456d0d870953e664741e30369abe09db61be5e1fa40b611f0e558cbb246197f018dcf4097eeb89239ee18a4162c1870478ab29696647c9643a3c3cd89889bae
SSDEEP

6144:sfTXbTgoTZyxqg9neO89qeS134PBCFiro2p0tfGzcG6WyW75Ku8DIoM1D0mMwq:wzzpG/8MQvE2p0tfOcX1OZQR

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

183.83.169.136:100

Mutex

W144565F34NP23

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Win
install_file
winlog.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Targets

- Target
  
  JaffaCakes118_72724b80e9c579c7c1efeb41e2c5263a
- Size
  
  380KB
- MD5
  
  72724b80e9c579c7c1efeb41e2c5263a
- SHA1
  
  d8ace2e21dceb34e9536fa7439506af48492dc29
- SHA256
  
  4d7cb0ffe2799f490613078c05064559ca1996e32fe1f3875df954147a4d8c16
- SHA512
  
  3456d0d870953e664741e30369abe09db61be5e1fa40b611f0e558cbb246197f018dcf4097eeb89239ee18a4162c1870478ab29696647c9643a3c3cd89889bae
- SSDEEP
  
  6144:sfTXbTgoTZyxqg9neO89qeS134PBCFiro2p0tfGzcG6WyW75Ku8DIoM1D0mMwq:wzzpG/8MQvE2p0tfOcX1OZQR
Score

10^/10

cybergate remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateremotediscoverypersistencestealertrojanupx

behavioral2

cybergateremotediscoverypersistencestealertrojanupx