General
-
Target
JaffaCakes118_9e039f37e7a4f467778a61f5c5b69a02
-
Size
1.4MB
-
Sample
250205-k4a4sazlbs
-
MD5
9e039f37e7a4f467778a61f5c5b69a02
-
SHA1
35c0e2f20b2d3a9160a6a8adfc03c09e6ab62841
-
SHA256
5c633051f4d6ed2386c00e4a362f0cc422dac31cb1e96b90c9473405a347982a
-
SHA512
1f746bd1a84ccc8abb01f3297c154ca47186b69033b90fbaac0f68fa7b94be45a7b24cd1ae0606bfd1b7ce376d38ef24a95bc35bba5d67e897a8267b33e37b28
-
SSDEEP
12288:44tgpLXDc06thPVFL8JcMI1lP9ZaWYg3mDVSeV/CeIyY8eveyuoYYifjseL4a7Mj:4gKfjZoV0oTmZAe495
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_9e039f37e7a4f467778a61f5c5b69a02.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_9e039f37e7a4f467778a61f5c5b69a02.exe
Resource
win10v2004-20250129-en
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
cybergate
2.6
DENEME
127.0.0.1:85
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
true
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
svchost.exe
-
install_flag
false
-
keylogger_enable_ftp
false
-
message_box_caption
OLAY TAMAM :)
-
message_box_title
SERVER CALISTI
-
password
abcd1234
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
Target
JaffaCakes118_9e039f37e7a4f467778a61f5c5b69a02
-
Cybergate family
-
Modifies firewall policy service
-
Sality family
-
UAC bypass
-
Windows security bypass
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (3)
  Active Setup (1)
  Registry Run Keys / Startup Folder (2)
Create or Modify System Process (1)
  Windows Service (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
  Bypass User Account Control (1)
Boot or Logon Autostart Execution (3)
  Active Setup (1)
  Registry Run Keys / Startup Folder (2)
Create or Modify System Process (1)
  Windows Service (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
  Bypass User Account Control (1)
Impair Defenses (4)
  Disable or Modify System Firewall (1)
  Disable or Modify Tools (3)
Modify Registry (8)