cybergate | c209623657913116ac75fc40e420a71c7320b74ae205d4b9f231a74399f668d8 | Triage

Sharing

General

Target

JaffaCakes118_14c5e8c66914e9dfcf318a75a95924f7
Size

448KB
Sample

250123-hs1tyszjek
MD5

14c5e8c66914e9dfcf318a75a95924f7
SHA1

1458d78133025ce914168e0bc93dfdedb78aac35
SHA256

c209623657913116ac75fc40e420a71c7320b74ae205d4b9f231a74399f668d8
SHA512

1c7fa9cfe2d573294fc215e1e03c4849129972843e40cd8acb83f1cdaadc887c883b20b1a33cc9ad032dce49f405d1b020c7ed88af7a4bdcd5a0c5916056fc19
SSDEEP

12288:+7wd1o5zI6ZJqZo4haL7yO6EZWE8vIfZ:+7w/WzI6CZDY6EgE8vIfZ

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

127.0.0.1:999

pwndu.no-ip.org:999

Mutex

FPT8P60ME321TM

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
system32
install_file
explorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Application has generated an exception that could not be handled. Process ID=0xd3c (3388), Thread ID=0x12f4 (4852). Click OK to terminate the application. Cick CANCEL to debug the application.
message_box_title
Application Error
password
lolz
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_14c5e8c66914e9dfcf318a75a95924f7
- Size
  
  448KB
- MD5
  
  14c5e8c66914e9dfcf318a75a95924f7
- SHA1
  
  1458d78133025ce914168e0bc93dfdedb78aac35
- SHA256
  
  c209623657913116ac75fc40e420a71c7320b74ae205d4b9f231a74399f668d8
- SHA512
  
  1c7fa9cfe2d573294fc215e1e03c4849129972843e40cd8acb83f1cdaadc887c883b20b1a33cc9ad032dce49f405d1b020c7ed88af7a4bdcd5a0c5916056fc19
- SSDEEP
  
  12288:+7wd1o5zI6ZJqZo4haL7yO6EZWE8vIfZ:+7w/WzI6CZDY6EgE8vIfZ
Score

10^/10

cybergate remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateremotediscoverypersistencestealertrojanupx

behavioral2

cybergateremotediscoverypersistencestealertrojanupx