General
-
Target
JaffaCakes118_0ad9244c6b575a50d0e4e12e73067488
-
Size
1.4MB
-
Sample
250220-kqfr4s1nar
-
MD5
0ad9244c6b575a50d0e4e12e73067488
-
SHA1
1c4298c694bca1453851dea87c35d47610b4406c
-
SHA256
f4b8f3486cd37574b15015cd2d41a8187656c2c182df806775a505395943ffe2
-
SHA512
3ee2c353e7f5620bcc413c2ed9b5f451273fcb9a6daf3b11defbead77d60fe4582d6adf84bb4a6dadee14f89815c2f8d884b4caf10a31ddf8c5e3818e65880c6
-
SSDEEP
6144:Wk4qmgjsYHAMXPnhay921QL0res29V+XU54vdya9gu0Kgww4ZwmkKzFxD0pR:p9fjTX/haYBR5DVugww4bz30pR
Behavioral task
behavioral1
Sample
JaffaCakes118_0ad9244c6b575a50d0e4e12e73067488.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_0ad9244c6b575a50d0e4e12e73067488.exe
Resource
win10v2004-20250217-en
Malware Config
Extracted
Family
sality
C2 URLs
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Extracted
Family
cybergate
Version
2.6
Botnet
Batx Hackervvvvvvvvv
C2
abade2009.no-ip.info:288
Mutex
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem (Portuguese: "message text")
-
message_box_title
título da mensagem (Portuguese: "message title")
-
password
abcd1234
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
Target
JaffaCakes118_0ad9244c6b575a50d0e4e12e73067488
-
Cybergate family
-
Modifies firewall policy service
-
Sality family
-
UAC bypass
-
Windows security bypass
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a subkey with a StubPath value under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components; Windows runs that StubPath command the next time each user logs on.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Checks computer location settings
Reads the country code configured in the registry, most likely as a geofence so the sample can refuse to run in certain regions.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Drops file in System32 directory
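A host-triage script for the indicators in this report, added here as an example; it is not part of the sandbox output. It checks the registry policies behind the signatures above (RegEdit and Task Manager lockout, UAC state, firewall policy, Security Center overrides, Active Setup and Run-key persistence) and then looks for the mutex, domains, IP and port taken from the extracted CyberGate and Sality configs. The Security Center value names and the path heuristics used to pick out suspicious Active Setup and Run entries are the editor's assumptions about how these families typically behave, not facts stated by the report.

```powershell
# Added host-triage script (not part of the sandbox report). Run in an elevated
# PowerShell 5.1+ session on a host suspected of running this sample.
# Assumptions (editor's, not stated by the report): the Security Center value
# names, and the path heuristics used for Active Setup and Run-key entries.

# Network indicators copied from the extracted CyberGate and Sality configs.
$Domains = @('abade2009.no-ip.info', 'kukutrustnet777.info', 'kukutrustnet888.info',
             'kukutrustnet987.info', 'www.klkjwre9fqwieluoi.info',
             'kukutrustnet777888.info', 'klkjwre77638dfqwieuoi888.info')
$IPs     = @('89.119.67.154')
$C2Port  = 288             # from abade2009.no-ip.info:288
$Mutex   = '***MUTEX***'   # CyberGate mutex from the config

$Findings = New-Object System.Collections.Generic.List[string]

function Test-PolicyValue {
    # Records a finding when the DWORD value at $Path\$Name exists and equals $Bad.
    param([string]$Path, [string]$Name, [int]$Bad, [string]$Label)
    if (-not (Test-Path $Path)) { return }
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -ne $v -and [int]$v -eq $Bad) { $Findings.Add("$Label : $Path\$Name = $v") }
}

# Signatures "Disables RegEdit / Task Manager via registry modification".
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    Test-PolicyValue $pol 'DisableRegistryTools' 1 'RegEdit disabled'
    Test-PolicyValue $pol 'DisableTaskMgr'       1 'Task Manager disabled'
}

# "Checks whether UAC is enabled" / "UAC bypass": UAC switched off outright.
Test-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA' 0 'UAC disabled'

# "Modifies firewall policy service": per-profile firewall disabled in policy.
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $fw = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile"
    Test-PolicyValue $fw 'EnableFirewall' 0 "Firewall off ($profile)"
}

# "Windows security modification": Security Center overrides (value names assumed
# from Sality's known behaviour on older Windows versions; the key may be absent).
foreach ($name in 'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallOverride',
                  'FirewallDisableNotify', 'UpdatesDisableNotify') {
    Test-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Security Center' $name 1 'Security Center override'
}

# "Boot or Logon Autostart Execution: Active Setup": list StubPaths that do not
# start under the Windows or Program Files directories. Bare command lines such
# as "regsvr32.exe /s ..." are listed too; review those by hand.
foreach ($hive in 'HKLM', 'HKCU') {
    $base = "${hive}:\SOFTWARE\Microsoft\Active Setup\Installed Components"
    if (-not (Test-Path $base)) { continue }
    Get-ChildItem $base | ForEach-Object {
        $stub = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub -and $stub -notmatch '^"?(C:\\Windows|%SystemRoot%|C:\\Program Files)') {
            $Findings.Add("Active Setup StubPath: $($_.PSChildName) -> $stub")
        }
    }
}

# "Adds Run key to start application": entries naming the config's install_file
# (server.exe), its install_dir, or a writable user location.
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $run)) { continue }
    foreach ($p in (Get-ItemProperty $run).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSProvider, ...
        if ("$($p.Value)" -match 'server\.exe|\\install\\|AppData|\\Temp\\') {
            $Findings.Add("Run entry: $run\$($p.Name) = $($p.Value)")
        }
    }
}

# CyberGate mutex: a hit means the RAT is running in this session (or globally).
foreach ($name in @($Mutex, "Global\$Mutex")) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Close()
        $Findings.Add("Mutex present: $name")
    } catch { }
}

# Network: cached lookups of the config domains and live connections to the C2
# address or port (these two cmdlets exist on Windows 8 / Server 2012 and later).
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache | Where-Object { $Domains -contains $_.Entry } |
        ForEach-Object { $Findings.Add("DNS cache hit: $($_.Entry) -> $($_.Data)") }
}
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection |
        Where-Object { $IPs -contains $_.RemoteAddress -or $_.RemotePort -eq $C2Port } |
        ForEach-Object { $Findings.Add("TCP: $($_.RemoteAddress):$($_.RemotePort) (PID $($_.OwningProcess))") }
}

if ($Findings.Count -eq 0) { 'No indicators from this report found.' } else { $Findings }
```

Run it before any cleanup so the output can go into the incident record. Keep in mind that the registry checks only tell you the policy has been tampered with, not which process did it, and that a Sality hit means the host's executables have been infected by a file infector: removing the dropped server.exe and the Run entry is not enough, and the machine should be rebuilt from known-good media.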
-
MITRE ATT&CK Enterprise v15
Numbers in parentheses are the count of matched signatures per technique.

Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (7)