cybergate | 9d45efda05d29c5bdf0acb911d26f8c9f8f41ec0bff934db07ce6dd7c5ce613f | Triage

Sharing

General

Target

JaffaCakes118_7c7b72e8746c42bc1c5dc8790a75df7b
Size

538KB
Sample

250116-vekl2azrej
MD5

7c7b72e8746c42bc1c5dc8790a75df7b
SHA1

dc3819c8ac212d6e963c4f0f07717550c3de041f
SHA256

9d45efda05d29c5bdf0acb911d26f8c9f8f41ec0bff934db07ce6dd7c5ce613f
SHA512

c3ebe1201d42dfee658a9771c10d4386b6c6130565763a2280540d7b79d71cbeb0f19fde32dc6d513eac867a1f9f5dde960ae2c3f02618bee790d84d8393b9bb
SSDEEP

12288:ZVolkQ7D8EQVS0X/7Ggym92FOIkwLjQcvh6jUlJvSQGT:ZOlkkPQVr6gymDIkwLjQcvmU3X6

Score

10^/10

cybergate remote discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.11.0 - Public Version

Botnet

remote

C2

adnaninhoo.dyndns.biz:8888

Mutex

53BAHA150JFW7O

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
Windows
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
ekofresh1
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_7c7b72e8746c42bc1c5dc8790a75df7b
- Size
  
  538KB
- MD5
  
  7c7b72e8746c42bc1c5dc8790a75df7b
- SHA1
  
  dc3819c8ac212d6e963c4f0f07717550c3de041f
- SHA256
  
  9d45efda05d29c5bdf0acb911d26f8c9f8f41ec0bff934db07ce6dd7c5ce613f
- SHA512
  
  c3ebe1201d42dfee658a9771c10d4386b6c6130565763a2280540d7b79d71cbeb0f19fde32dc6d513eac867a1f9f5dde960ae2c3f02618bee790d84d8393b9bb
- SSDEEP
  
  12288:ZVolkQ7D8EQVS0X/7Ggym92FOIkwLjQcvh6jUlJvSQGT:ZOlkkPQVr6gymDIkwLjQcvmU3X6
Score

10^/10

cybergate remote discovery persistence stealer trojan
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateremotediscoverypersistencestealertrojan

behavioral2