General

  • Target

    JaffaCakes118_7bd17ff63a34d9d30abafeba2c1e671d

  • Size

    280KB

  • Sample

    250316-1mq2nstpz6

  • MD5

    7bd17ff63a34d9d30abafeba2c1e671d

  • SHA1

    e9eb0d21a2e0586a00bdd8fe5aae444f79dbceda

  • SHA256

    205e761fa7ed8d9e8afdff276713972ef275bee9f1b77c417e66e2c7b92e3641

  • SHA512

    97bff8d7752eb74d43b7c94dc0a617cf2483faa46025b805ec04338ae9da89454235305e046ba050457f533db5571f335d2edf9ccee833ee412d3d26ba43f7e5

  • SSDEEP

    6144:a6U9MjGT03gokVlt2T+zOhps+rA0XwPd:nU+CY3g9ViT1p/c06

Malware Config

Extracted

Family

cybergate

Version

2.4

Botnet

vítima

C2

127.0.0.1:80

bullseye23.no-ip.biz:81

Mutex

***mULTaAEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    .//lib-1/

  • ftp_interval

    30

  • ftp_password

    woolsa

  • ftp_port

    21

  • ftp_server

    bullseye23.0catch.com

  • ftp_username

    bullseye23.0catch.com

  • injected_process

    explorer.exe

  • install_dir

    Windll

  • install_file

    psdk.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      JaffaCakes118_7bd17ff63a34d9d30abafeba2c1e671d

    • Size

      280KB

    • MD5

      7bd17ff63a34d9d30abafeba2c1e671d

    • SHA1

      e9eb0d21a2e0586a00bdd8fe5aae444f79dbceda

    • SHA256

      205e761fa7ed8d9e8afdff276713972ef275bee9f1b77c417e66e2c7b92e3641

    • SHA512

      97bff8d7752eb74d43b7c94dc0a617cf2483faa46025b805ec04338ae9da89454235305e046ba050457f533db5571f335d2edf9ccee833ee412d3d26ba43f7e5

    • SSDEEP

      6144:a6U9MjGT03gokVlt2T+zOhps+rA0XwPd:nU+CY3g9ViT1p/c06

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks