General

  • Target

    JaffaCakes118_65925d4dbae361fc84d6cf919889c93b

  • Size

    1.0MB

  • Sample

    250311-qz37natqw6

  • MD5

    65925d4dbae361fc84d6cf919889c93b

  • SHA1

    0922c971af3736c6c83b3d9c7b345fe9cf2e2b0b

  • SHA256

    9a03a8a25f06fabdf7deec821d5d4f39d04344e8803561a3ac8385e95529ee3a

  • SHA512

    9a7f19d8b4832c6343283b397215d485a34181ca38052432c371e72103688012829c433aadfa78bf06be4629f9f36d1da53d5ec7016299a1f9a4237cad945ccc

  • SSDEEP

    24576:c5uXWetHpMzOhoFLLEBud9ergB776krliJlA85cBWo05g0d0:c6WetaSiZLoKjll8WPG0

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    cyber

  • C2

    barthsss.no-ip.biz:19123

  • Mutex

    733G1LM010OEGG

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_file

    explorer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

Targets

    • Target

      JaffaCakes118_65925d4dbae361fc84d6cf919889c93b


    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15

Tasks