cybergate | 45136f592879272a9ff4aa1dfefb30f542b3a733d66f7d50d01f5b4dac983169 | Triage

Sharing

General

Target

JaffaCakes118_1855c70d334df8e27cbfe9df12848f80
Size

324KB
Sample

250222-jy5krssmbm
MD5

1855c70d334df8e27cbfe9df12848f80
SHA1

ffa2d56a708d63ee3e61a477f364ce153070fc0d
SHA256

45136f592879272a9ff4aa1dfefb30f542b3a733d66f7d50d01f5b4dac983169
SHA512

d84058c4b0e67c5d80b089fc9e49016914be6c6f5d856539ea2d5d5ca2e8841ecf0dc361c87906ba1d97e847dc0ad3046a329eb6044bdf1a7bf76e1551043420
SSDEEP

6144:rvu42NAsTT3EBsRfPkghZDpAOOH8q006woNUXUzF/pdoQIKNBYt28UX:SJn02Rk+5q16woN/Fxbp4I80

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

REMOTE

C2

df.servebeer.com:87

Mutex

1770XTT7I6Q2Q7

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Winbooter
install_file
svchostx32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
dwellftw
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_1855c70d334df8e27cbfe9df12848f80
- Size
  
  324KB
- MD5
  
  1855c70d334df8e27cbfe9df12848f80
- SHA1
  
  ffa2d56a708d63ee3e61a477f364ce153070fc0d
- SHA256
  
  45136f592879272a9ff4aa1dfefb30f542b3a733d66f7d50d01f5b4dac983169
- SHA512
  
  d84058c4b0e67c5d80b089fc9e49016914be6c6f5d856539ea2d5d5ca2e8841ecf0dc361c87906ba1d97e847dc0ad3046a329eb6044bdf1a7bf76e1551043420
- SSDEEP
  
  6144:rvu42NAsTT3EBsRfPkghZDpAOOH8q006woNUXUzF/pdoQIKNBYt28UX:SJn02Rk+5q16woN/Fxbp4I80
Score

10^/10

cybergate remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateremotediscoverypersistencestealertrojanupx

behavioral2

discoverypersistence