General

  • Target

    JaffaCakes118_21c1ce93daca87ab3699359e92fa9ffd

  • Size

    1.0MB

  • Sample

    250225-a6jhtszjw8

  • MD5

    21c1ce93daca87ab3699359e92fa9ffd

  • SHA1

    147f30610bc1d5c7bf5044ed26ded11fbbd5eb96

  • SHA256

    7270a4c6358d00118ab5c01721207507352ec843466b02d1735346ee17d855c9

  • SHA512

    ee4c2c68bacfb0f5d417d34ab9b6b44cb4f8e08f4754426d311d7dcda83338e8cae477160a740c3ba0fb682f73fde53370df1414a546088e7d9de06bd4ce1d86

  • SSDEEP

    12288:D6baiCDvqgbiTyqNaI/AyFp/6g+Ka9o6NIsvmnbu187jFxaTEoaAcKsRYdWbD9ku:s8S//tp6CveCdW1Cd3oJ37UWz8TD

Malware Config

Extracted

Family

cybergate

Version

v1.03.0

Botnet

remote

C2

localhost:82

dd8d819sika.zapto.org:82

Mutex

4K22N7IKU1M0F1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    csrss.exe

  • install_dir

    Perfmonitor

  • install_file

    Perfmon.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hkcu

    Perfmon

  • regkey_hklm

    Perfmon

Targets

    • Target

      JaffaCakes118_21c1ce93daca87ab3699359e92fa9ffd

    • Size

      1.0MB

    • MD5

      21c1ce93daca87ab3699359e92fa9ffd

    • SHA1

      147f30610bc1d5c7bf5044ed26ded11fbbd5eb96

    • SHA256

      7270a4c6358d00118ab5c01721207507352ec843466b02d1735346ee17d855c9

    • SHA512

      ee4c2c68bacfb0f5d417d34ab9b6b44cb4f8e08f4754426d311d7dcda83338e8cae477160a740c3ba0fb682f73fde53370df1414a546088e7d9de06bd4ce1d86

    • SSDEEP

      12288:D6baiCDvqgbiTyqNaI/AyFp/6g+Ka9o6NIsvmnbu187jFxaTEoaAcKsRYdWbD9ku:s8S//tp6CveCdW1Cd3oJ37UWz8TD

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks