General

  • Target

    JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf

  • Size

    460KB

  • Sample

    250120-s4dtnswqat

  • MD5

    ee75c900a53c9f6fc2f20d3fcf3d7dbf

  • SHA1

    0b6c81e3fa50f65576fd61bfa0184c0009fe7cc7

  • SHA256

    15719cbcea92389bc979dbd679015c5c5c90b9d2c056dd66a6298eeb7820adf4

  • SHA512

    8bd8dab60c0f71f5565148e7ad10ef8cf76c49a2439f6f781fa88431d4caea3b7417df557895eae81c9c6dbb42c81a3c4da8d03b489e16ad54db7a1beaf6136e

  • SSDEEP

    6144:E6Mmkxv1C/EAU0tUKjLIxdIqWI7yFH5VCYhFN/BIbinx/0OyZuS4r3c/SyYPpr4f:Bav1C/EA/mjO0Z6/0LZV43ypCns

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.03.0

  • Botnet

    Cyber

  • C2

    testingman123.zapto.org:400

  • Mutex

    66342XR86Q27N5

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    csrss.exe

  • install_dir

    Java

  • install_file

    java.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    hahaha

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
