cybergate | 16a8a79cc7630a813a66116387540a4a7b0cff24d020638f9bd8cdb5d8a7a4d0 | Triage

Sharing

General

Target

JaffaCakes118_188ecef341e866969032308355ce905c
Size

349KB
Sample

250222-kpyljatrx2
MD5

188ecef341e866969032308355ce905c
SHA1

580191b9907526567335138d3b3fc3a045ba2b9b
SHA256

16a8a79cc7630a813a66116387540a4a7b0cff24d020638f9bd8cdb5d8a7a4d0
SHA512

1fb716a6ae6589fa0fcecf0db7d2be471143491f0d20acb4da40796e44641f53bc90c97a7e51a4c1fc2064a771cf931feba3439bbfc34ebc324c30689fc134b1
SSDEEP

6144:qQMfVVHuNMnUuirZnvIgY3TKhL+WIQj52bqtKQAlqfMPTL3vhREmj:q2oirZnvIgYTKobqtKj38mj

Score

10^/10

cybergate victime discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victime

C2

pedologiciel.no-ip.org:81

Mutex

0G2NO2001S3AH0

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
windir
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Le bot Dofus n'est pas compatible avec votre Ordinateur actuel. Merci d'essayer de relancer le bot sur un nouvel ordinateur
message_box_title
INCOMPATIBLE
password
123456
regkey_hkcu
svchost.exe
regkey_hklm
svchost.exe

Targets

- Target
  
  JaffaCakes118_188ecef341e866969032308355ce905c
- Size
  
  349KB
- MD5
  
  188ecef341e866969032308355ce905c
- SHA1
  
  580191b9907526567335138d3b3fc3a045ba2b9b
- SHA256
  
  16a8a79cc7630a813a66116387540a4a7b0cff24d020638f9bd8cdb5d8a7a4d0
- SHA512
  
  1fb716a6ae6589fa0fcecf0db7d2be471143491f0d20acb4da40796e44641f53bc90c97a7e51a4c1fc2064a771cf931feba3439bbfc34ebc324c30689fc134b1
- SSDEEP
  
  6144:qQMfVVHuNMnUuirZnvIgY3TKhL+WIQj52bqtKQAlqfMPTL3vhREmj:q2oirZnvIgYTKobqtKj38mj
Score

10^/10

cybergate victime discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatevictimediscoverypersistencestealertrojan

behavioral2

cybergatevictimediscoverypersistencestealertrojanupx