cybergate | 75643e31dc8e898bdd2e7640f64d358571ca7a65b2f5ccce29d7c7e7a3f952a8 | Triage

Sharing

General

Target

JaffaCakes118_bfcf3ab1f8580d01f39f88cd252f63b3
Size

425KB
Sample

250119-g51t2syjgv
MD5

bfcf3ab1f8580d01f39f88cd252f63b3
SHA1

65e81916ac4c3377f1bd445857a5c15f6c98c455
SHA256

75643e31dc8e898bdd2e7640f64d358571ca7a65b2f5ccce29d7c7e7a3f952a8
SHA512

2ca38dc8d9143f9c13af055ab822254bac1d7449e61725fbfdb80dd6d21b71edb4405b557676f8aa0afac6af637ff0f51c194954278fb260f135dc422b6d13dc
SSDEEP

6144:x1vuMey/YGOIRKw6Vc+7TDlrdsrDcd29bv2fno6P0jx1cKo6RfchUvFWYf:3e46lciBd+cMJx6P0/cOchuWC

Score

10^/10

cybergate j discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

J

C2

127.0.0.1:3080

jayrat.no-ip.org:3080

Mutex

48534K65LM52CB

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
ftp_password
lolipop0
ftp_port
21
ftp_server
ftp.drivehq.com
ftp_username
JayDC
injected_process
explorer.exe
install_dir
svchost
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Please update .Net framework then run file again.
message_box_title
Windows Error
password
lolipop0
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_bfcf3ab1f8580d01f39f88cd252f63b3
- Size
  
  425KB
- MD5
  
  bfcf3ab1f8580d01f39f88cd252f63b3
- SHA1
  
  65e81916ac4c3377f1bd445857a5c15f6c98c455
- SHA256
  
  75643e31dc8e898bdd2e7640f64d358571ca7a65b2f5ccce29d7c7e7a3f952a8
- SHA512
  
  2ca38dc8d9143f9c13af055ab822254bac1d7449e61725fbfdb80dd6d21b71edb4405b557676f8aa0afac6af637ff0f51c194954278fb260f135dc422b6d13dc
- SSDEEP
  
  6144:x1vuMey/YGOIRKw6Vc+7TDlrdsrDcd29bv2fno6P0jx1cKo6RfchUvFWYf:3e46lciBd+cMJx6P0/cOchuWC
Score

10^/10

cybergate j discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatejdiscoverypersistencestealertrojan

behavioral2

cybergatejdiscoverypersistencestealertrojanupx