cybergate | 2a66875949a99ff2c6fd337be439630c9af204e8a9257977848433d1012cffa6

General

Target

JaffaCakes118_f8625dd337a4a94c6b10200267f370d4
Size

488KB
Sample

250120-zdx8ysxqar
MD5

f8625dd337a4a94c6b10200267f370d4
SHA1

8336479c274c8614bec3d1075927d39b5b6babb4
SHA256

2a66875949a99ff2c6fd337be439630c9af204e8a9257977848433d1012cffa6
SHA512

0b6e50df266b88d4abca96b65117afe1860cba88d267833aaaecf0bd7aaa8bbc4ee2e20b99b8bb1a0f1bb6dc9ca270e3b4e89d1b6a2ecf9d5bd740887e1e9f7c
SSDEEP

12288:biAWMV3JsBblnBAzZk59Ng9iV5jxNEn2BT3Py3mlr:3J3Wln2z09NgIVO+L

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

pwnd

C2

lolohme.no-ip.biz:9979

Mutex

G606BB1VG2LMA1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Java
install_file
java.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
The file ocxa32.dll can not be found!
message_box_title
Error!
password
shaolin1

Targets

- Target
  
  JaffaCakes118_f8625dd337a4a94c6b10200267f370d4
- Size
  
  488KB
- MD5
  
  f8625dd337a4a94c6b10200267f370d4
- SHA1
  
  8336479c274c8614bec3d1075927d39b5b6babb4
- SHA256
  
  2a66875949a99ff2c6fd337be439630c9af204e8a9257977848433d1012cffa6
- SHA512
  
  0b6e50df266b88d4abca96b65117afe1860cba88d267833aaaecf0bd7aaa8bbc4ee2e20b99b8bb1a0f1bb6dc9ca270e3b4e89d1b6a2ecf9d5bd740887e1e9f7c
- SSDEEP
  
  12288:biAWMV3JsBblnBAzZk59Ng9iV5jxNEn2BT3Py3mlr:3J3Wln2z09NgIVO+L
Score

10^/10

cybergate pwnd discovery stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Cybergate family

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2