General
-
Target
JaffaCakes118_47f4cfecb25fec272d69892825ffe180
-
Size
361KB
-
Sample
250303-t3tn6ssxex
-
MD5
47f4cfecb25fec272d69892825ffe180
-
SHA1
eada58c5dd31a5f3d9739c3162cd52c68f5ec8e3
-
SHA256
65eff6666a66ed5175d74f736c69d0cef843e1e0b835c52a66855099a264cb7b
-
SHA512
950d02f9ce9920ce006f2e670e27ea52bd0e95f18a7c3231fdb422aac8a67cf421c8b31357956586e2a05cbf2aff0ababa92c68a493fbffea07e9c029256ccd5
-
SSDEEP
6144:bk4qmgWY+OldTkKadk9oFw04FyMqULqFSwVMDf0uqD1VPijBZXOpvwwMDQgnT:g9dvT0dk70qqTnqfkDLPQezgnT
Behavioral task
behavioral1
Sample
JaffaCakes118_47f4cfecb25fec272d69892825ffe180.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_47f4cfecb25fec272d69892825ffe180.exe
Resource
win10v2004-20250217-en
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
cybergate
2.6
ÖÍíÉ
10.5.50.254:200
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
ftp_password
ª÷Öº+Þ
-
ftp_port
21
-
ftp_server
ftp.server.com
-
ftp_username
ftp_user
-
injected_process
svchost.exe
-
install_file
Win_Xp.exe
-
install_flag
true
-
keylogger_enable_ftp
true
-
message_box_caption
Please try again later.
-
message_box_title
Error
-
password
abcd1234
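The CyberGate config above gives a detection engineer four concrete hooks: the C2 endpoint (10.5.50.254:200), the keylogger's FTP drop (ftp.server.com:21), the process it injects into (svchost.exe) and the dropped installer name (Win_Xp.exe). The following Python is an added triage example, not part of the sandbox report or of CyberGate, that runs those indicators over a handful of constructed Sysmon-style events. It assumes CyberGate starts its own svchost.exe instance from the dropper and injects into that (so the parent is not services.exe), and the file paths and PIDs in the sample events are made up; only the indicator values come from the config.

```python
import ntpath
from typing import Dict, List, Tuple

# Indicators copied from the extracted CyberGate config above.
C2_HOST, C2_PORT = "10.5.50.254", 200
FTP_HOST, FTP_PORT = "ftp.server.com", 21
INJECTED_PROCESS = "svchost.exe"
INSTALL_FILE = "Win_Xp.exe"

# Paths below are assumed; the sample's file name is the one in the report.
SAMPLE = r"C:\Users\victim\Desktop\JaffaCakes118_47f4cfecb25fec272d69892825ffe180.exe"
SYS32 = r"C:\Windows\System32"

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network
# connect), not taken from the sandbox run. Field names follow Sysmon's.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 1304, "Image": SYS32 + r"\svchost.exe",
     "ParentProcessId": 1200, "ParentImage": SYS32 + r"\services.exe"},
    {"EventID": 1, "ProcessId": 3020, "Image": SAMPLE,
     "ParentProcessId": 2400, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 3100, "Image": SYS32 + "\\" + INSTALL_FILE,
     "ParentProcessId": 3020, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 3188, "Image": SYS32 + r"\svchost.exe",
     "ParentProcessId": 3100, "ParentImage": SYS32 + "\\" + INSTALL_FILE},
    {"EventID": 3, "ProcessId": 3188, "Image": SYS32 + r"\svchost.exe",
     "DestinationIp": C2_HOST, "DestinationPort": C2_PORT, "DestinationHostname": ""},
    {"EventID": 3, "ProcessId": 3188, "Image": SYS32 + r"\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 21, "DestinationHostname": "ftp.server.com"},
    {"EventID": 3, "ProcessId": 1304, "Image": SYS32 + r"\svchost.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443, "DestinationHostname": "update.example.net"},
]

Finding = Tuple[str, int, str]  # severity, ProcessId, note


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def triage(events: List[Dict]) -> List[Finding]:
    """Flag CyberGate-shaped activity in time-ordered process/network events.

    Process-create rules feed a set of suspect PIDs so that later network
    events from those processes are escalated even when they do not hit the
    hard-coded C2 or FTP indicators.
    """
    findings: List[Finding] = []
    suspect_pids = set()
    for e in events:
        if e["EventID"] == 1:
            img, parent = _base(e["Image"]), _base(e["ParentImage"])
            if img == INSTALL_FILE.lower():
                findings.append(("high", e["ProcessId"],
                                 f"dropped install_file {INSTALL_FILE} executed (parent {parent})"))
                suspect_pids.add(e["ProcessId"])
            # Every legitimate svchost.exe is a child of services.exe; one
            # spawned by anything else is the injection host CyberGate creates.
            if img == INJECTED_PROCESS and parent != "services.exe":
                findings.append(("high", e["ProcessId"],
                                 f"{INJECTED_PROCESS} spawned by {parent}, not services.exe"))
                suspect_pids.add(e["ProcessId"])
        elif e["EventID"] == 3:
            pid, img = e["ProcessId"], _base(e["Image"])
            dst, port = e["DestinationIp"], e["DestinationPort"]
            host = e.get("DestinationHostname", "")
            if (dst, port) == (C2_HOST, C2_PORT):
                findings.append(("critical", pid, f"{img} connected to CyberGate C2 {dst}:{port}"))
            elif port == FTP_PORT and (host.lower() == FTP_HOST or pid in suspect_pids):
                findings.append(("high", pid,
                                 f"{img} FTP session to {host or dst}:{port} (keylogger exfil path)"))
            elif pid in suspect_pids:
                findings.append(("medium", pid, f"suspect {img} connected to {dst}:{port}"))
    return findings


if __name__ == "__main__":
    for sev, pid, note in triage(SAMPLE_EVENTS):
        print(f"[{sev}] pid={pid} {note}")
```

The benign svchost.exe (parent services.exe, outbound 443) produces nothing, while the dropper's chain yields the install-file execution, the odd svchost.exe parent, the C2 hit and the FTP session. The parent-process rule is worth keeping independent of this sample: on Windows 7 and 10 a svchost.exe whose parent is not services.exe is suspicious on its own.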
Targets
-
Target
JaffaCakes118_47f4cfecb25fec272d69892825ffe180
-
Cybergate family
-
Modifies firewall policy service
-
Sality family
-
UAC bypass
-
Windows security bypass
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
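Several of the signatures above (RegEdit and Task Manager disabled via registry, UAC and Windows security modified, firewall policy changed, Active Setup persistence) resolve to a small set of well-known registry locations, so they can be confirmed on a live host or a memory/disk image from a registry export alone. The Python below is an added example, not part of the sandbox report, that parses a .reg-style export and hunts for exactly those artifacts. The export is constructed for this illustration: the Active Setup GUIDs are made up, the StubPath to Win_Xp.exe under System32 is assumed from the config's install_file plus the "Drops file in System32 directory" signature, and the key paths and value names are the standard Windows policy locations.

```python
import ntpath
import re
import shlex
from typing import Dict, List, Tuple

# Basenames from the extracted CyberGate config above (install_file).
INSTALL_FILES = {"win_xp.exe"}

# Constructed .reg export, not captured from the sandbox run. The GUIDs are
# invented; the key paths and value names are the real policy locations.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\System32\\Win_Xp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66666666-7777-8888-9999-000000000000}]
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key_path: {value_name: value}}.

    dword values become int; REG_SZ values have the export's doubled
    backslashes collapsed. Other value types are ignored.
    """
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _STR_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


Finding = Tuple[str, str, str, object, str]  # severity, key, value name, value, note


def hunt(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    """Return findings for the registry artifacts the signatures describe."""
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        # HKCU or HKLM ...\Policies\System: the lockout and UAC switches.
        if k.endswith(r"\policies\system"):
            if values.get("DisableRegistryTools") == 1:
                findings.append(("high", key, "DisableRegistryTools", 1, "RegEdit disabled via policy"))
            if values.get("DisableTaskMgr") == 1:
                findings.append(("high", key, "DisableTaskMgr", 1, "Task Manager disabled via policy"))
            if k.startswith("hkey_local_machine") and values.get("EnableLUA") == 0:
                findings.append(("high", key, "EnableLUA", 0, "UAC disabled"))
        # Firewall profiles under the SharedAccess service's FirewallPolicy.
        if "\\sharedaccess\\parameters\\firewallpolicy\\" in k and values.get("EnableFirewall") == 0:
            findings.append(("high", key, "EnableFirewall", 0, "Windows Firewall profile disabled"))
        # Active Setup: every StubPath runs once per user at next logon, so
        # list them all and escalate the one pointing at the dropped file.
        if "\\active setup\\installed components\\" in k and "StubPath" in values:
            stub = str(values["StubPath"])
            parts = shlex.split(stub, posix=False)  # keeps quoted paths intact
            exe = ntpath.basename(parts[0].strip('"')).lower() if parts else ""
            sev = "high" if exe in INSTALL_FILES else "info"
            findings.append((sev, key, "StubPath", stub, "Active Setup stub runs at next logon"))
    return findings


if __name__ == "__main__":
    for sev, key, name, value, note in hunt(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{sev}] {key}\\{name} = {value!r}: {note}")
```

On a real export, expect legitimate Active Setup entries (browser and shell components) to appear at info level; the point of listing them is that the sample's stub hides among them, and only the basename match against the config's install_file separates it.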
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (6)