General
Target: JaffaCakes118_4c941f3e5b45e7dd7a0c952ea0eca873
Size: 1011KB
Sample: 250128-s73xzawpaj
MD5: 4c941f3e5b45e7dd7a0c952ea0eca873
SHA1: 62188d96857542f646af2e25efc9bfaad360989b
SHA256: 6b6c71e2acdcd6cd60b6a92a6315bbd8a238c515da7121b2093a5a5b8f012de8
SHA512: bf85324101691d2e46ea6df1283179cf3ebaa4781022d82a74eaa57ebbecef57eb2912e7c0e696899954165a1e04341684be422b2b5bbf9ae3120807bc320d27
SSDEEP: 24576:ea0wkR6E2GhhOdVOrP/snad+sIQ/RgsG3Ev4LVKrwK1Y91jYd:qsGOmr33d+sj/RFG0gLVKrwKc1jQ
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_4c941f3e5b45e7dd7a0c952ea0eca873.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_4c941f3e5b45e7dd7a0c952ea0eca873.exe
  Resource: win10v2004-20250129-en
Malware Config
Extracted: cybergate
  Version: 2.6
  Botnet: xlskk
  C2: ratxlsk.zapto.org:81
  Mutex: ***MUTEX***
  enable_keylogger: true
  enable_message_box: true
  ftp_directory: ./logs/
  ftp_interval: 30
  injected_process: explorer.exe
  install_dir: install
  install_file: explorer.exe
  install_flag: true
  keylogger_enable_ftp: false
  message_box_caption: Hack been created !!HackeR!!
  message_box_title: Coded by !!HackeR!!
  password: 1111
  regkey_hkcu: HKCU
  regkey_hklm: HKLM
Extracted: sality
  URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
Targets
Target: JaffaCakes118_4c941f3e5b45e7dd7a0c952ea0eca873
- Cybergate family
- Modifies firewall policy service
- Sality family
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (8)