cybergate | 209d3e96368b23d06ca18171fca55567848db5f47c0a47fc09dd3c13f73035aa | Triage

Sharing

General

Target

JaffaCakes118_1d0c61bd007be88e89524e30289f8ffc
Size

378KB
Sample

250222-3ttggssmhr
MD5

1d0c61bd007be88e89524e30289f8ffc
SHA1

97aa95383a9a0ef308be9199b34a12f4ae000625
SHA256

209d3e96368b23d06ca18171fca55567848db5f47c0a47fc09dd3c13f73035aa
SHA512

a7735abbfa2e694b07115e1e8866453c36380ce825f0b76c06acfb27512ce4697c10b417cf4c558983d80ef6cc06f8d26e24a5510677e559a8d586a951ee2f98
SSDEEP

6144:dopsivPiHJoCn9Bi9ZYBO5E7UnLMisGvJSjIAyAsAiciNUAhM71hq:dCid9Bi/p5weTcj1M7UAhW

Score

10^/10

cybergate runescape discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

RunescapE

C2

triipu.no-ip.info:82

Mutex

D2TX145I052P42

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Systam
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
lollakas123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_1d0c61bd007be88e89524e30289f8ffc
- Size
  
  378KB
- MD5
  
  1d0c61bd007be88e89524e30289f8ffc
- SHA1
  
  97aa95383a9a0ef308be9199b34a12f4ae000625
- SHA256
  
  209d3e96368b23d06ca18171fca55567848db5f47c0a47fc09dd3c13f73035aa
- SHA512
  
  a7735abbfa2e694b07115e1e8866453c36380ce825f0b76c06acfb27512ce4697c10b417cf4c558983d80ef6cc06f8d26e24a5510677e559a8d586a951ee2f98
- SSDEEP
  
  6144:dopsivPiHJoCn9Bi9ZYBO5E7UnLMisGvJSjIAyAsAiciNUAhM71hq:dCid9Bi/p5weTcj1M7UAhW
Score

10^/10

cybergate runescape discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergaterunescapediscoverypersistencestealertrojanupx

behavioral2

cybergaterunescapediscoverypersistencestealertrojanupx