General

  • Target

    JaffaCakes118_c317dcf97f11248b04549f27365c6113

  • Size

    368KB

  • Sample

    250119-kt2tra1qfy

  • MD5

    c317dcf97f11248b04549f27365c6113

  • SHA1

    094cbb628f1d10ca2f9f2947649c330ea39b1941

  • SHA256

    4f1eadda063d20680ad18494969f79d2159afa5e58b37c206a94d4a820127a1c

  • SHA512

    2656e8dc9b460b446a53d04a368d7c6134d087ca1491ff6e49f1de74d4b59c47f65f2b4484b3669008f6a2dcbf14e10bdfb17665e68cdbc85e964273d4b28f1d

  • SSDEEP

    6144:+M7r9+6aRrkXpSP7s6uswSO/XEYsA+JKe3RzoN8Rq+6b/ITQG+9oqrqBX6UZ4TC+:ls8Xp+7s6NMUYDmH39oGRObaQGGz2t6N

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    remote

  • C2

    127.0.0.1:1338

    eistee1337.ath.cx:1338

  • Mutex

    AMLX0T86J60XQA

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    update

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      JaffaCakes118_c317dcf97f11248b04549f27365c6113

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified UPX variant.
