General

  • Target

    JaffaCakes118_04e69403f47234faa8d52cd203f8776c

  • Size

    621KB

  • Sample

    250121-qxcxpawqhk

  • MD5

    04e69403f47234faa8d52cd203f8776c

  • SHA1

    42140e4fcc5d1b12151134f008c38bedbca24176

  • SHA256

    c0c8830aca766ecc3ddc83cca5aa068e8cf60f95eb7df7a9ccf3c0a4be26070c

  • SHA512

    bcd1724296cc6b439a989f50fdadc3c5a0a697a86ff1ca72624950441a84b43c403af028619fca6cc226f6ba4a0c0b63712998930aa6b9b1a2042203fd282859

  • SSDEEP

    12288:3c2WObuO+9fZw4NSJLEu2GaO0W2Sdw9dxsq6+a0Vav+:3cNO+8LMGb0/iSdi8w

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

C2

127.0.0.1:999

Mutex

2254RAQT814I66

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    355300

Targets

    • Target

      JaffaCakes118_04e69403f47234faa8d52cd203f8776c

    • Size

      621KB

    • MD5

      04e69403f47234faa8d52cd203f8776c

    • SHA1

      42140e4fcc5d1b12151134f008c38bedbca24176

    • SHA256

      c0c8830aca766ecc3ddc83cca5aa068e8cf60f95eb7df7a9ccf3c0a4be26070c

    • SHA512

      bcd1724296cc6b439a989f50fdadc3c5a0a697a86ff1ca72624950441a84b43c403af028619fca6cc226f6ba4a0c0b63712998930aa6b9b1a2042203fd282859

    • SSDEEP

      12288:3c2WObuO+9fZw4NSJLEu2GaO0W2Sdw9dxsq6+a0Vav+:3cNO+8LMGb0/iSdi8w

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15

Tasks
