cybergate | 4f758437cc8f65251a3c2dd6ec7262331c982306719ea61a3f052c8af3176dde | Triage

Sharing

General

Target

JaffaCakes118_8750be508970606a5ba3a3aa5d4839e2
Size

931KB
Sample

250117-k8g3wszqdv
MD5

8750be508970606a5ba3a3aa5d4839e2
SHA1

d9783ee0a40aa386e9cfa13d087a0ccf34772e00
SHA256

4f758437cc8f65251a3c2dd6ec7262331c982306719ea61a3f052c8af3176dde
SHA512

1ec85bc051153775c8722ec383fe0fc46d77d194923cb4f3dee1d944cbc5d8ab4a7d9c7af4507c4dd3d7a5a31608751babf2eecbf5d31fc653caa27cc582b7ab
SSDEEP

12288:0rdhdquHXYEa0P+1dhJN/IibSHFxUxTYUu:mC7N/ilxwQ

Score

10^/10

cybergate server discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

C2

silvarizla.zapto.org:2114

silvarizla.zapto.org:2115

silvarizla.zapto.org:2116

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
60
ftp_password
elelegido
ftp_port
21
ftp_server
silvarizla.zapto.org
ftp_username
elelegido
injected_process
explorer.exe
install_dir
Microsoft Update
install_file
ms08-067.exe
install_flag
false
keylogger_enable_ftp
true
message_box_caption
The application failed to initialize. Click OK to terminate.
message_box_title
Failed to initialize
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_8750be508970606a5ba3a3aa5d4839e2
- Size
  
  931KB
- MD5
  
  8750be508970606a5ba3a3aa5d4839e2
- SHA1
  
  d9783ee0a40aa386e9cfa13d087a0ccf34772e00
- SHA256
  
  4f758437cc8f65251a3c2dd6ec7262331c982306719ea61a3f052c8af3176dde
- SHA512
  
  1ec85bc051153775c8722ec383fe0fc46d77d194923cb4f3dee1d944cbc5d8ab4a7d9c7af4507c4dd3d7a5a31608751babf2eecbf5d31fc653caa27cc582b7ab
- SSDEEP
  
  12288:0rdhdquHXYEa0P+1dhJN/IibSHFxUxTYUu:mC7N/ilxwQ
Score

10^/10

cybergate server discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateserverdiscoverypersistencestealertrojanupx

behavioral2

cybergateserverdiscoverypersistencestealertrojanupx