cybergate | 13bd0605a513aec745eedd3e0911036ce2ce77c212b64b5496205a13b92f7266 | Triage

Sharing

General

Target

JaffaCakes118_1b96a9a83bfb377912da4e065ab021ff
Size

670KB
Sample

250222-xkzz1svpht
MD5

1b96a9a83bfb377912da4e065ab021ff
SHA1

11aea7c2739cbf364cdeb04dfc2cd4eaccedef9d
SHA256

13bd0605a513aec745eedd3e0911036ce2ce77c212b64b5496205a13b92f7266
SHA512

ca2a146ac3653926463363a725f0e99b200eaa18c2989ccda21c476c2e37ac9648248abfc3ff7f6e4d3bebc8658a3958a089bed48323ecc94d326c386f377a44
SSDEEP

12288:na8N1QQ8CiwSg2OJRPpfnH91ZBVrrU2PLRgcoxyhT:na+WbBwSgdJRRfnHv9rxPL+ZA

Score

10^/10

cybergate vítima discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

C2

127.0.0.1:81

imkansiz.dyndns.biz:52055

Mutex

***MUTEX***fghdgflkklasklakso

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
.//
ftp_interval
30
ftp_password
3393031
ftp_port
21
ftp_server
66.220.9.50
ftp_username
kartal5205
injected_process
explorer.exe
install_dir
Installer
install_file
svchust.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
imkansiz
regkey_hkcu
HKCU

Targets

- Target
  
  JaffaCakes118_1b96a9a83bfb377912da4e065ab021ff
- Size
  
  670KB
- MD5
  
  1b96a9a83bfb377912da4e065ab021ff
- SHA1
  
  11aea7c2739cbf364cdeb04dfc2cd4eaccedef9d
- SHA256
  
  13bd0605a513aec745eedd3e0911036ce2ce77c212b64b5496205a13b92f7266
- SHA512
  
  ca2a146ac3653926463363a725f0e99b200eaa18c2989ccda21c476c2e37ac9648248abfc3ff7f6e4d3bebc8658a3958a089bed48323ecc94d326c386f377a44
- SSDEEP
  
  12288:na8N1QQ8CiwSg2OJRPpfnH91ZBVrrU2PLRgcoxyhT:na+WbBwSgdJRRfnHv9rxPL+ZA
Score

10^/10

cybergate vítima discovery persistence stealer trojan
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatevítimadiscoverypersistencestealertrojan

behavioral2