General

  • Target

    JaffaCakes118_06bade9512735e9d3779be5d907b441e

  • Size

    588KB

  • Sample

    250121-xhamcawrfz

  • MD5

    06bade9512735e9d3779be5d907b441e

  • SHA1

    054a171802022aa6dee5e1b8a151f8c7456ca01d

  • SHA256

    42b5f9fc2f82f20123eb7ed90fe1ba9a5f92aad85c24c811fb3473f9fe8bc276

  • SHA512

    6a3d1b79a1046ea7a96ba7be4e2d442e6dc84d9c58b2d48051a0d35dcea40c2f2a12ec4b03565397dd9ff60b5796a3c24b2aa4e67eed111b4b7b2c36be3a0e63

  • SSDEEP

    12288:gblsK+q5Fa1FLK1v2VbwASZqB9d3oNeG:gWLa2VbwF9T

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    vítima (Portuguese: "victim"; the builder's campaign/ID field, left at its default)

  • C2

    abbas2.no-ip.biz:5555 (dynamic DNS host, so the resolved IP is not a stable indicator)

  • Mutex

    ***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem (Portuguese: "message text")

  • message_box_title

    título da mensagem (Portuguese: "message title")

  • password

    1234

Targets

    • Target

      JaffaCakes118_06bade9512735e9d3779be5d907b441e

    • CyberGate, Rebhip

      CyberGate (detected by several engines under the name Rebhip) is a Delphi-based remote access trojan: a builder produces a small server stub offering keylogging, file and process management, a remote shell and screen capture. The config above shows this build set to install as install\server.exe, inject into explorer.exe and log keystrokes, with FTP exfiltration of the keylog disabled.

    • Cybergate family

    • Adds policy Run key to start application

      Writes an autostart entry under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, an alternative to the ordinary Run key that is less often monitored (ATT&CK T1547.001).

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a key under HKLM\Software\Microsoft\Active Setup\Installed Components with a StubPath value; Windows runs the StubPath command once at each user's next logon (ATT&CK T1547.014).

    • Checks computer location settings

      Looks up the country code configured in the registry (Control Panel\International). The sandbox labels this a likely geofence; for a RAT it can equally be victim profiling, since the controller's client list displays each victim's country (ATT&CK T1614).

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

      Consistent with the injected_process setting above: the dropped server starts a copy of explorer.exe and redirects its main thread into the payload, a sequence typical of process hollowing, so the C2 traffic appears to originate from explorer.exe (ATT&CK T1055.012).

    • UPX packed file

      The sample is packed with UPX or a modified UPX build; the config above was recovered from the unpacked stub, and static signatures should target that layer rather than the packed file (ATT&CK T1027.002).
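The extracted config and the behavioural signatures above together give everything a hunt needs; the following is an added example (not tria.ge or CyberGate code) that turns them into detection logic and runs it over constructed telemetry. CONFIG copies the values from this report; the registry paths are the standard Windows locations behind the two persistence signatures; SAMPLE_EVENTS is a made-up flat event shape, not real Sysmon or EDR output, and the CLSID and 203.0.113.10 address in it are invented.

```python
"""Derive host and network detections from the CyberGate config above.

Added example: not tria.ge or CyberGate code. CONFIG copies values from
the report; SAMPLE_EVENTS are constructed records, not real logs.
"""

# Copied from the "Extracted" config section of this report.
CONFIG = {
    "c2": "abbas2.no-ip.biz:5555",
    "mutex": "***MUTEX***",
    "install_dir": "install",
    "install_file": "server.exe",
    "injected_process": "explorer.exe",
}

# Standard Windows registry paths behind the two persistence signatures on
# this page (policy Run key, Active Setup); compared case-insensitively.
POLICY_RUN_KEY = r"\software\microsoft\windows\currentversion\policies\explorer\run"
ACTIVE_SETUP_KEY = r"\software\microsoft\active setup\installed components"


def iocs(cfg):
    """Normalise the config into the indicators a hunt pivots on."""
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        # CyberGate drops <install_dir>\<install_file>; the parent of
        # install_dir is chosen by the builder, so match the tail only.
        "dropped_tail": f"\\{cfg['install_dir']}\\{cfg['install_file']}".lower(),
        "injected_process": cfg["injected_process"].lower(),
    }


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event, ioc):
    """Return the detection names a single event matches (possibly none)."""
    hits = []
    kind = event["type"]
    image = _image_name(event["image"])

    if kind == "dns" and event["query"].lower() == ioc["c2_host"]:
        hits.append("c2_dns_lookup")

    # A no-ip host changes IP, so key on the port plus the hollowed host
    # process: explorer.exe has no business holding a socket on 5555.
    if (kind == "netconn" and event["dport"] == ioc["c2_port"]
            and image == ioc["injected_process"]):
        hits.append("c2_connection_from_injected_process")

    if kind == "mutex" and event["name"] == ioc["mutex"]:
        hits.append("cybergate_default_mutex")

    if kind == "registry":
        key = event["key"].lower()
        if key.endswith(POLICY_RUN_KEY):
            hits.append("policy_run_persistence")
        if ACTIVE_SETUP_KEY in key and event.get("value", "").lower() == "stubpath":
            hits.append("active_setup_persistence")

    if kind == "file" and event["path"].lower().endswith(ioc["dropped_tail"]):
        hits.append("dropped_install_server_exe")

    return hits


def scan(events, ioc):
    """Map detection name -> number of events that triggered it."""
    counts = {}
    for ev in events:
        for name in classify(ev, ioc):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample telemetry (not real logs). 203.0.113.10 is a
# documentation-range address and the CLSID below is invented.
SAMPLE_EVENTS = [
    {"type": "file", "image": r"C:\Users\victim\Downloads\invoice.exe",
     "path": r"C:\Users\victim\install\server.exe"},
    {"type": "registry", "image": r"C:\Users\victim\install\server.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "value": "HKCU"},
    {"type": "registry", "image": r"C:\Users\victim\install\server.exe",
     "key": r"HKLM\Software\Microsoft\Active Setup\Installed Components\{C0FFEE00-0000-4000-8000-000000000001}",
     "value": "StubPath"},
    {"type": "mutex", "image": r"C:\Windows\explorer.exe", "name": "***MUTEX***"},
    {"type": "dns", "image": r"C:\Windows\explorer.exe", "query": "abbas2.no-ip.biz"},
    {"type": "netconn", "image": r"C:\Windows\explorer.exe", "dip": "203.0.113.10", "dport": 5555},
    # Benign noise that must not fire.
    {"type": "dns", "image": r"C:\Windows\System32\svchost.exe", "query": "time.windows.com"},
    {"type": "netconn", "image": r"C:\Windows\explorer.exe", "dip": "203.0.113.10", "dport": 443},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS, iocs(CONFIG)))
```

Two design points: the C2 is a dynamic DNS name, so the hostname and the port-plus-process pairing are matched rather than any resolved address; and ***MUTEX*** is the value CyberGate's builder ships with, so the mutex check will also catch other unmodified builds, not only this sample.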

MITRE ATT&CK Enterprise v15