cybergate | 1026c10182533e72080697cd804c7e3b2de7543d907c8206da0f563975f0b5eb | Triage

Sharing

General

Target

JaffaCakes118_1764dba8035cd7a1fca4fa66591d9452
Size

317KB
Sample

250123-p3txqasjcl
MD5

1764dba8035cd7a1fca4fa66591d9452
SHA1

60e7c3b6aec8fa63a474c92dce40a67c75cdaaa5
SHA256

1026c10182533e72080697cd804c7e3b2de7543d907c8206da0f563975f0b5eb
SHA512

983a64f280f8dd9e622f27db49abb4d97dbc58476a1a675f659319c1c865217bd425bf4f276e9fc6af6ac0f8ab47b51523c28d8d12433f5a8ddea01677cc1b4b
SSDEEP

6144:6Zv2WHp5GVPvnHOWF+j+QOSgLmAp48fT06TleF7JKqKdCPLpWc1n63vNXglJipCg:Yv2CDGxvVEjROS4p48L06Tl0KdCX65S2

Score

10^/10

cybergate victime2 discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

victime2

C2

moi100.no-ip.biz:1000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
system32
install_file
win32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
MeLeK-J
regkey_hklm
MeLeK-J

Targets

- Target
  
  JaffaCakes118_1764dba8035cd7a1fca4fa66591d9452
- Size
  
  317KB
- MD5
  
  1764dba8035cd7a1fca4fa66591d9452
- SHA1
  
  60e7c3b6aec8fa63a474c92dce40a67c75cdaaa5
- SHA256
  
  1026c10182533e72080697cd804c7e3b2de7543d907c8206da0f563975f0b5eb
- SHA512
  
  983a64f280f8dd9e622f27db49abb4d97dbc58476a1a675f659319c1c865217bd425bf4f276e9fc6af6ac0f8ab47b51523c28d8d12433f5a8ddea01677cc1b4b
- SSDEEP
  
  6144:6Zv2WHp5GVPvnHOWF+j+QOSgLmAp48fT06TleF7JKqKdCPLpWc1n63vNXglJipCg:Yv2CDGxvVEjROS4p48L06Tl0KdCX65S2
Score

10^/10

cybergate victime2 discovery persistence stealer trojan
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatevictime2discoverypersistencestealertrojan

behavioral2

cybergatevictime2discoverystealertrojan