Overview

overview

10

Static

static

3

JaffaCakes...76.exe

windows7-x64

10

JaffaCakes...76.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_223977df17845f32a3e316c4ee4e2576

  • Size

    843KB

  • Sample

    250124-rhphlstnbq

  • MD5

    223977df17845f32a3e316c4ee4e2576

  • SHA1

    e84909f50d2ce3d5f263a9cf1a3000aeaf0e21bf

  • SHA256

    481a45ca77706cdac1e8fbfa07b6c685bc3fc7e6b60b5adf00b002e82e99fcad

  • SHA512

    7eb4e0f58d21b1d9f515a7ab4bf0011c0df12aa37e854874b6e8ed85cb85e7a15fb88dd31901490d44afed3664ce7c8ddbcb7c11b84ca151daf0816ccb1a88c5

  • SSDEEP

    24576:2+9ZSyxqPxCvShdWraluM+YDleJ6O3afDwoGf:JLSxiSfW2lr+ilw6v7wTf

Score
10/10
cybergatebot1credential_accessdiscoverypersistenceransomwarespywarestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

bot1

C2

innokenti.no-ip.org:3333

127.0.0.1:3333
Mutex

innokenti

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_file

    wcfgconf.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    123

  • regkey_hkcu

    wcfgconf

Targets

    • Target

      JaffaCakes118_223977df17845f32a3e316c4ee4e2576

    • Size

      843KB

    • MD5

      223977df17845f32a3e316c4ee4e2576

    • SHA1

      e84909f50d2ce3d5f263a9cf1a3000aeaf0e21bf

    • SHA256

      481a45ca77706cdac1e8fbfa07b6c685bc3fc7e6b60b5adf00b002e82e99fcad

    • SHA512

      7eb4e0f58d21b1d9f515a7ab4bf0011c0df12aa37e854874b6e8ed85cb85e7a15fb88dd31901490d44afed3664ce7c8ddbcb7c11b84ca151daf0816ccb1a88c5

    • SSDEEP

      24576:2+9ZSyxqPxCvShdWraluM+YDleJ6O3afDwoGf:JLSxiSfW2lr+ilw6v7wTf

    Score
    10/10
    cybergatebot1credential_accessdiscoverypersistenceransomwarespywarestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Cybergate family

      cybergate

    • Renames multiple (2039) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks