cybergate | 49fec817d58b519754260fdae3a5e09d1574003c8c06e02d0f7a18209dfa1c4b | Triage

Sharing

General

Target

JaffaCakes118_10febe63d2b69bff2d5580c217d288fb
Size

1.0MB
Sample

250122-zl81esvmc1
MD5

10febe63d2b69bff2d5580c217d288fb
SHA1

e06bbe328c9c575d36304fb98fc886bf0e17db40
SHA256

49fec817d58b519754260fdae3a5e09d1574003c8c06e02d0f7a18209dfa1c4b
SHA512

ea4e98d1e2c3efec5d9b01f665505abcbfbfba1c6514a8b3c4bfae26ee0e547ccb3e2c89d70c3ad202ffb03b31ff8d4091059cacd843ed2a951cbfe82070a706
SSDEEP

24576:OdV3pZNp5k+AAG6/g7AOlUTpiAbHJqc5GE7qW74OLHIos7/gB:OdV3pZD5DG6/mtwioqcf91TI9jgB

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

salesman2010.no-ip.info:82

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_10febe63d2b69bff2d5580c217d288fb
- Size
  
  1.0MB
- MD5
  
  10febe63d2b69bff2d5580c217d288fb
- SHA1
  
  e06bbe328c9c575d36304fb98fc886bf0e17db40
- SHA256
  
  49fec817d58b519754260fdae3a5e09d1574003c8c06e02d0f7a18209dfa1c4b
- SHA512
  
  ea4e98d1e2c3efec5d9b01f665505abcbfbfba1c6514a8b3c4bfae26ee0e547ccb3e2c89d70c3ad202ffb03b31ff8d4091059cacd843ed2a951cbfe82070a706
- SSDEEP
  
  24576:OdV3pZNp5k+AAG6/g7AOlUTpiAbHJqc5GE7qW74OLHIos7/gB:OdV3pZD5DG6/mtwioqcf91TI9jgB
Score

10^/10

cybergate vítima discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatevítimadiscoverypersistencestealertrojan

behavioral2

cybergatevítimadiscoverypersistencestealertrojanupx