cybergate | 146d1e7cb904a6e4c671b5736bdb2761ba28c6df7b1c048c15e2ca0290d2a6f4 | Triage

Sharing

General

Target

JaffaCakes118_00ac78c0487856209c7e83de96f814af
Size

480KB
Sample

250218-tk74vasrhx
MD5

00ac78c0487856209c7e83de96f814af
SHA1

abed6fad3d7dca2045b3bf9958c753d93d5d9b41
SHA256

146d1e7cb904a6e4c671b5736bdb2761ba28c6df7b1c048c15e2ca0290d2a6f4
SHA512

131405dde1cf5e40b2e1057cfc4a067a35abd888fea5736e8b2a829426f799960e8880c3160b958ee61792d414627ca573ae3887c86eb355a57fe9467a1d7c7d
SSDEEP

6144:42XYvoflQxU9DGiBJekVms3a8vztJXA25a31n0+a6MIzMl1qgGI0kM/6fyYNo:Wvofl8UBsk4s3aMTBA3aOzNuf3No

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

error-world.no-ip.biz:82

Mutex

877BXPL0Y0MHO8

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_00ac78c0487856209c7e83de96f814af
- Size
  
  480KB
- MD5
  
  00ac78c0487856209c7e83de96f814af
- SHA1
  
  abed6fad3d7dca2045b3bf9958c753d93d5d9b41
- SHA256
  
  146d1e7cb904a6e4c671b5736bdb2761ba28c6df7b1c048c15e2ca0290d2a6f4
- SHA512
  
  131405dde1cf5e40b2e1057cfc4a067a35abd888fea5736e8b2a829426f799960e8880c3160b958ee61792d414627ca573ae3887c86eb355a57fe9467a1d7c7d
- SSDEEP
  
  6144:42XYvoflQxU9DGiBJekVms3a8vztJXA25a31n0+a6MIzMl1qgGI0kM/6fyYNo:Wvofl8UBsk4s3aMTBA3aOzNuf3No
Score

10^/10

cybergate remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateremotediscoverypersistencestealertrojanupx

behavioral2

cybergateremotediscoverypersistencestealertrojanupx