cybergate | 101c285300edf78e1a4222032c0295908257c28c868aba6f019358e14ca2fa12 | Triage

Sharing

General

Target

JaffaCakes118_a7c33bf6cbd0079e4d07d9ead4453ed6
Size

624KB
Sample

250118-mx52pa1max
MD5

a7c33bf6cbd0079e4d07d9ead4453ed6
SHA1

a1898b3115fa935369616ece9a1d2f45be4d13db
SHA256

101c285300edf78e1a4222032c0295908257c28c868aba6f019358e14ca2fa12
SHA512

e98f4d06c3243746966f956d77d6a4cc5e5233c01b15b09c67034641c120fd6a234aedcd0d77d159eae7036d7a08193517c5fa14d779af5dbc51e284c0d29b14
SSDEEP

12288:xMnBsAy90w3dP8CaGD0Dsi5IomCh41biNk1p4hzO0710cEjCb7:YsAylf0IHm41biNkP4pRicgCb

Score

10^/10

cybergate victim discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.03.0

Botnet

Victim

C2

rustyshackleford.no-ip.biz:82

Mutex

NS34O73TIH076J

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Failed to Load Image!
message_box_title
Java
password
dusty6385577
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_a7c33bf6cbd0079e4d07d9ead4453ed6
- Size
  
  624KB
- MD5
  
  a7c33bf6cbd0079e4d07d9ead4453ed6
- SHA1
  
  a1898b3115fa935369616ece9a1d2f45be4d13db
- SHA256
  
  101c285300edf78e1a4222032c0295908257c28c868aba6f019358e14ca2fa12
- SHA512
  
  e98f4d06c3243746966f956d77d6a4cc5e5233c01b15b09c67034641c120fd6a234aedcd0d77d159eae7036d7a08193517c5fa14d779af5dbc51e284c0d29b14
- SSDEEP
  
  12288:xMnBsAy90w3dP8CaGD0Dsi5IomCh41biNk1p4hzO0710cEjCb7:YsAylf0IHm41biNkP4pRicgCb
Score

10^/10

cybergate victim discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatevictimdiscoverypersistencestealertrojanupx

behavioral2

cybergatevictimdiscoverypersistencestealertrojanupx