cybergate | b7fb68f69d12d113ece53b10fb0dd16eef4cfa17b28330ccfa41888852567d47 | Triage

Sharing

General

Target

JaffaCakes118_12bcd77da15f145d39045fc37d5267bf
Size

736KB
Sample

250123-b8z42axlcl
MD5

12bcd77da15f145d39045fc37d5267bf
SHA1

600a83474770c19f6e71128640b6ca490c047f69
SHA256

b7fb68f69d12d113ece53b10fb0dd16eef4cfa17b28330ccfa41888852567d47
SHA512

18b9f46faf81037f8d9f5cf1e7a7f4e80796124f1bf1826422f7ec1ae569f15537b5424a620a89ddde494e2166f10309053777b20cf94661dacfd415ddf6a24b
SSDEEP

12288:lAlcHFXc8ZsGvb22NbeNaOqK2QXjd4g2uDXZ9HrD20CCf34Of:WlkXc8yGi2FeQNQzu7KDRzvf

Score

10^/10

cybergate remote bootkit discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

kirschbom.no-ip.org:100

Mutex

KD7YQN67PUJS72

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Windir
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_12bcd77da15f145d39045fc37d5267bf
- Size
  
  736KB
- MD5
  
  12bcd77da15f145d39045fc37d5267bf
- SHA1
  
  600a83474770c19f6e71128640b6ca490c047f69
- SHA256
  
  b7fb68f69d12d113ece53b10fb0dd16eef4cfa17b28330ccfa41888852567d47
- SHA512
  
  18b9f46faf81037f8d9f5cf1e7a7f4e80796124f1bf1826422f7ec1ae569f15537b5424a620a89ddde494e2166f10309053777b20cf94661dacfd415ddf6a24b
- SSDEEP
  
  12288:lAlcHFXc8ZsGvb22NbeNaOqK2QXjd4g2uDXZ9HrD20CCf34Of:WlkXc8yGi2FeQNQzu7KDRzvf
Score

10^/10

cybergate remote bootkit discovery persistence stealer trojan
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateremotebootkitdiscoverypersistencestealertrojan

behavioral2

cybergateremotebootkitdiscoverypersistencestealertrojan