Overview

overview

10

Static

static

3

JaffaCakes...1c.exe

windows7-x64

10

JaffaCakes...1c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_161265a5a403c2e8b995133f72e4451c

  • Size

    531KB

  • Sample

    250123-lyarhawmfl

  • MD5

    161265a5a403c2e8b995133f72e4451c

  • SHA1

    155887abf79a88f7c14060fb1b8164828e96f046

  • SHA256

    1383e4aa30feb4f63b22963e9da74472f58030ae9d7ea1e6d96d60b34f2039f3

  • SHA512

    94aae102e3bb1a8634e0dcef3d4f9382ef7170eb2d6baca115a89162976f8e50fe27998e28a6467edbc1cec37fe58ee7fbde65bbc30467ed1ea4071923a61c5d

  • SSDEEP

    12288:K2yKELYNt3nq/sg10fSk+Qbp9/dL7cdt074q6y:JSLYvcR10fSsbrdGt07F

Score
10/10
cybergateserverdiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

C2

achrefarshavin.no-ip.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    spynet

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Tzoom [00005*5] Tzmt.dll Not Found !

  • message_box_title

    Application Error !

  • password

    abcd1234

  • regkey_hkcu

    HKCU

Targets

    • Target

      JaffaCakes118_161265a5a403c2e8b995133f72e4451c

    • Size

      531KB

    • MD5

      161265a5a403c2e8b995133f72e4451c

    • SHA1

      155887abf79a88f7c14060fb1b8164828e96f046

    • SHA256

      1383e4aa30feb4f63b22963e9da74472f58030ae9d7ea1e6d96d60b34f2039f3

    • SHA512

      94aae102e3bb1a8634e0dcef3d4f9382ef7170eb2d6baca115a89162976f8e50fe27998e28a6467edbc1cec37fe58ee7fbde65bbc30467ed1ea4071923a61c5d

    • SSDEEP

      12288:K2yKELYNt3nq/sg10fSk+Qbp9/dL7cdt074q6y:JSLYvcR10fSsbrdGt07F

    Score
    10/10
    cybergateserverdiscoverypersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Cybergate family

      cybergate

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks