Overview

overview

10

Static

static

3

JaffaCakes...15.exe

windows7-x64

10

JaffaCakes...15.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_22c6377af4b92e8d9a1c98b2d6d66415

  • Size

    552KB

  • Sample

    250124-srqbyavkew

  • MD5

    22c6377af4b92e8d9a1c98b2d6d66415

  • SHA1

    731108c5d21244ff3d7bea13f8b488d782c6c3c6

  • SHA256

    d443ae2df623268e2aac51cf10610f875bf7613db400fe2910aa20b6602ae5e7

  • SHA512

    309f6221a5afec338c1f38e1e6960c8ed4366c1a9a255c87a03ea97aab96e3e78657f1f4d5dbb5037594a67ffd3cc48cd46f87f31064495af74106881c9140c1

  • SSDEEP

    12288:VtDi8TjO6i989Kn0G7BXtodBNCcrN5Utx3Z8H+c9deiAA:ji3TyY0EXodBNHrN5qU+6CA

Score
10/10
cybergatevítimadiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

C2

coko.zapto.org:1980

88.181.52.170:1980
Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      JaffaCakes118_22c6377af4b92e8d9a1c98b2d6d66415

    • Size

      552KB

    • MD5

      22c6377af4b92e8d9a1c98b2d6d66415

    • SHA1

      731108c5d21244ff3d7bea13f8b488d782c6c3c6

    • SHA256

      d443ae2df623268e2aac51cf10610f875bf7613db400fe2910aa20b6602ae5e7

    • SHA512

      309f6221a5afec338c1f38e1e6960c8ed4366c1a9a255c87a03ea97aab96e3e78657f1f4d5dbb5037594a67ffd3cc48cd46f87f31064495af74106881c9140c1

    • SSDEEP

      12288:VtDi8TjO6i989Kn0G7BXtodBNCcrN5Utx3Z8H+c9deiAA:ji3TyY0EXodBNHrN5qU+6CA

    Score
    10/10
    cybergatevítimadiscoverypersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Cybergate family

      cybergate

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks