cybergate | 51f5ddc8f1accc20ec871ac5669b399e528a3051394fa2bde9fde0ccffaa4832 | Triage

Sharing

General

Target

JaffaCakes118_172e90aef487cf51ea9885708679a122
Size

516KB
Sample

250123-plbpta1ncn
MD5

172e90aef487cf51ea9885708679a122
SHA1

511cf2a267b0c259568cde2c6db4f42417ff269a
SHA256

51f5ddc8f1accc20ec871ac5669b399e528a3051394fa2bde9fde0ccffaa4832
SHA512

d003a9da7ec7d5163b3b370dcd94d37ce9f1139c47f34291922797194975a95e30bdce6d55364a2cc298e88e6111c86e40c647752391ea5a011ad27b7156abb6
SSDEEP

12288:Xlipl65gohXTi7ijbFttlvITb/s39GHFcuvlIWF8Hk:ViP65g4XTi7WFajs3sHFczW

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

nikola.no-ip.info:1000

Mutex

2X5RJ3E62HPG61

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate

Targets

- Target
  
  JaffaCakes118_172e90aef487cf51ea9885708679a122
- Size
  
  516KB
- MD5
  
  172e90aef487cf51ea9885708679a122
- SHA1
  
  511cf2a267b0c259568cde2c6db4f42417ff269a
- SHA256
  
  51f5ddc8f1accc20ec871ac5669b399e528a3051394fa2bde9fde0ccffaa4832
- SHA512
  
  d003a9da7ec7d5163b3b370dcd94d37ce9f1139c47f34291922797194975a95e30bdce6d55364a2cc298e88e6111c86e40c647752391ea5a011ad27b7156abb6
- SSDEEP
  
  12288:Xlipl65gohXTi7ijbFttlvITb/s39GHFcuvlIWF8Hk:ViP65g4XTi7WFajs3sHFczW
Score

10^/10

cybergate remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateremotediscoverypersistencestealertrojanupx

behavioral2

cybergateremotediscoverypersistencestealertrojanupx