Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    JaffaCakes118_e70cc662a450e904830d68f18e3c6bb7

  • Size

    757KB

  • Sample

    250120-pkw95ayncy

  • MD5

    e70cc662a450e904830d68f18e3c6bb7

  • SHA1

    93d6bdb1f4def28756fd9f828bdf87e651fd3007

  • SHA256

    1c6b1713a4ed328261ec5fc711d837f7f4f463fed7229c583f994c273c919bc1

  • SHA512

    0c592e2470e8f6f2a2d87257faadd7ed39c6fd3b5e1983a38bf4187dde9e350e1a74a1bf77a84c708b764bb6f14770c384897b35e916754ef630355e05da6a3b

  • SSDEEP

    12288:52YLSal/iPX0lUkjhvdRqL8xn6eztJ28GcJJFWXWrP0P9M8OKnQ9BTGxGx:jSal/HNvdsaltJYuJFWXWrPWBnQ3TGxE

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

gmail.no-ip.org

C2

127.0.0.1:81

gmail.no-ip.org:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    salsabil

  • regkey_hklm

    HKLM

Targets

    • Target

      JaffaCakes118_e70cc662a450e904830d68f18e3c6bb7

    • Size

      757KB

    • MD5

      e70cc662a450e904830d68f18e3c6bb7

    • SHA1

      93d6bdb1f4def28756fd9f828bdf87e651fd3007

    • SHA256

      1c6b1713a4ed328261ec5fc711d837f7f4f463fed7229c583f994c273c919bc1

    • SHA512

      0c592e2470e8f6f2a2d87257faadd7ed39c6fd3b5e1983a38bf4187dde9e350e1a74a1bf77a84c708b764bb6f14770c384897b35e916754ef630355e05da6a3b

    • SSDEEP

      12288:52YLSal/iPX0lUkjhvdRqL8xn6eztJ28GcJJFWXWrP0P9M8OKnQ9BTGxGx:jSal/HNvdsaltJYuJFWXWrPWBnQ3TGxE

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks