General
-
Target
JaffaCakes118_e764f4e553dfea624cf4aaf324094501
-
Size
2.5MB
-
Sample
250120-psqgjsyrc1
-
MD5
e764f4e553dfea624cf4aaf324094501
-
SHA1
27c69c1f72b6daf04c1b0a1907cf55bd661fcedc
-
SHA256
7c0b1102eec67f396bb393dfde722139891e45d61d3fc826d2e39d8683f56a5f
-
SHA512
78c7cbc2d1cb4493428a8f1ab6d31709621a33e756856245e40ee19fb2eb172c0e608b078042a16d99a99a9045ebb0a8c2afb40c4360698bf4a62b8efe6e831a
-
SSDEEP
24576:AvYq9YMxyP+fEjE7CIf8vO8V27IhtSY5DA4nATm+REXqc6D7410XkXKwzl1xuVu1:rRcjei8G8HDX317KwzbZd1euQabfQCC
Malware Config
Extracted
cybergate
v1.07.5
ynl
ynl1.no-ip.biz:82
84OJ6227677457
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
Windows_Update
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Contact Admin...
-
message_box_title
Error
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
-
Target
JaffaCakes118_e764f4e553dfea624cf4aaf324094501
-
Size
2.5MB
-
MD5
e764f4e553dfea624cf4aaf324094501
-
SHA1
27c69c1f72b6daf04c1b0a1907cf55bd661fcedc
-
SHA256
7c0b1102eec67f396bb393dfde722139891e45d61d3fc826d2e39d8683f56a5f
-
SHA512
78c7cbc2d1cb4493428a8f1ab6d31709621a33e756856245e40ee19fb2eb172c0e608b078042a16d99a99a9045ebb0a8c2afb40c4360698bf4a62b8efe6e831a
-
SSDEEP
24576:AvYq9YMxyP+fEjE7CIf8vO8V27IhtSY5DA4nATm+REXqc6D7410XkXKwzl1xuVu1:rRcjei8G8HDX317KwzbZd1euQabfQCC
Score10/10-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Cybergate family
-
UAC bypass
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4