General
Target: JaffaCakes118_6d76e1ada029aace36df893fb5b2166f
Size: 357KB
Sample: 250312-2nynksv1bv
MD5: 6d76e1ada029aace36df893fb5b2166f
SHA1: 3a3efa4aa0bbc534213e459778ba54a578f6a916
SHA256: 8977f8b2765877a23ff0be05b7d330d9276a18636757902fc567f37b0071b448
SHA512: 4d5243deb6a62dccc4ed99debd0737db4418104e48b73d414f6b6ad8155d3532193a0a782b766b387cf78b9a08fe4842cb1bf8324b517dc3cff30318bd243493
SSDEEP: 6144:ak4qmqA1qjjvT4ndWgC4+II4xOMjIv2sfv6Z3bPJAEo2zGyCt+y8/Bl4Ggr:F9k+TadWIDICcO8aDbyKpsr
Behavioral task: behavioral1
Sample: JaffaCakes118_6d76e1ada029aace36df893fb5b2166f.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_6d76e1ada029aace36df893fb5b2166f.exe
Resource: win10v2004-20250217-en
Malware Config

Extracted: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted: cybergate
Version: 2.6
Campaign ID: ÖÍíÉ (shown as extracted; the characters are consistent with a CP1256-encoded string rendered as Latin-1)
C2: mstlj.no-ip.biz:288
Mutex: ***MUTEX***
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: Internet Explorer.exe
install_file: Win_Xp.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Please try again later.
message_box_title: Error
password: abcd1234
regkey_hkcu: HKCU
regkey_hklm: HKLM
Targets
Target: JaffaCakes118_6d76e1ada029aace36df893fb5b2166f
- Cybergate family
- Modifies firewall policy service
- Sality family
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (8)