General

  • Target

    JaffaCakes118_1b07126dfbb75ac38aee6999ea6c8b78

  • Size

    360KB

  • Sample

    250222-vhxqrstmfw

  • MD5

    1b07126dfbb75ac38aee6999ea6c8b78

  • SHA1

    17f39f12c7086804089d106d512badda37ea9295

  • SHA256

    d089dbb592ef267198ad1634284a3320adfa91472bf4bad7614bb3b3bebc0472

  • SHA512

    6d99b09e4f16c05b70c88e887190a94367116bd96e09d4e59a53858ea362d2dfb48e80b37baa48b876914ba2241c576c8346e49249088dfa49114be21b4a27a1

  • SSDEEP

    6144:bLk0K4edQVFD/6YmsuaWntcTICVlXm7C7BLgVwzGZ0XL6IaYn5q9408:bK4edQj9m/t8VlXm7C7aWzG07h5q94R

Malware Config

Extracted

Family

cybergate

Version

v1.01.12

Botnet

remote

C2

probandopoison.no-ip.org:3460

Mutex

Winupdate13

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    winupdate13.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hklm

    HKLM

Targets

    • Target

      JaffaCakes118_1b07126dfbb75ac38aee6999ea6c8b78

    • Size

      360KB

    • MD5

      1b07126dfbb75ac38aee6999ea6c8b78

    • SHA1

      17f39f12c7086804089d106d512badda37ea9295

    • SHA256

      d089dbb592ef267198ad1634284a3320adfa91472bf4bad7614bb3b3bebc0472

    • SHA512

      6d99b09e4f16c05b70c88e887190a94367116bd96e09d4e59a53858ea362d2dfb48e80b37baa48b876914ba2241c576c8346e49249088dfa49114be21b4a27a1

    • SSDEEP

      6144:bLk0K4edQVFD/6YmsuaWntcTICVlXm7C7BLgVwzGZ0XL6IaYn5q9408:bK4edQj9m/t8VlXm7C7aWzG07h5q94R

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks