Overview

overview

10

Static

static

3

JaffaCakes...a4.exe

windows7-x64

10

JaffaCakes...a4.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_228b4a86ea5dea46752a4e1d554c6fa4

  • Size

    582KB

  • Sample

    250124-r9cm5atlhz

  • MD5

    228b4a86ea5dea46752a4e1d554c6fa4

  • SHA1

    80a80bfd6f6b7db41900935948e33330cdb2b95b

  • SHA256

    52e7c0ecf398bbf3ea348de4b0e0bc28c64daa8cf676dd8588b0c1279f923e63

  • SHA512

    9c2c9182793fd30c2745d7f07a44be80f58b4fb0111e2f8ffc47401bb8f32404412195e320e2b21bc8bdacb919270b5881987839deb5a0cdcc7c6c8359d4adb3

  • SSDEEP

    12288:AkiTAHlI6M/MZ0RCuRTK16DyRrTDz+j28isNdsq80L:Aki0EMORve1f9vz+rs

Score
10/10
cybergateremotediscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

C2

tom69.no-ip.biz:1704

109.110.98.3:1704
Mutex

FE7QIKD8WH34R1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    wbem

  • install_file

    java.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    java

  • regkey_hklm

    java

Targets

    • Target

      JaffaCakes118_228b4a86ea5dea46752a4e1d554c6fa4

    • Size

      582KB

    • MD5

      228b4a86ea5dea46752a4e1d554c6fa4

    • SHA1

      80a80bfd6f6b7db41900935948e33330cdb2b95b

    • SHA256

      52e7c0ecf398bbf3ea348de4b0e0bc28c64daa8cf676dd8588b0c1279f923e63

    • SHA512

      9c2c9182793fd30c2745d7f07a44be80f58b4fb0111e2f8ffc47401bb8f32404412195e320e2b21bc8bdacb919270b5881987839deb5a0cdcc7c6c8359d4adb3

    • SSDEEP

      12288:AkiTAHlI6M/MZ0RCuRTK16DyRrTDz+j28isNdsq80L:Aki0EMORve1f9vz+rs

    Score
    10/10
    cybergateremotediscoverypersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Cybergate family

      cybergate

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks