General
- Target: JaffaCakes118_88a2b1c3cd7d3a8289661a964bec8ea5
- Size: 396KB
- Sample: 250324-sat9ka1ydx
- MD5: 88a2b1c3cd7d3a8289661a964bec8ea5
- SHA1: 48c265fbac851b676e7fc9213351205b6f29d423
- SHA256: f75971ede5a974c1f6e9c3b42a0f164d94ffd5e73f46d9091360f65262e48fdc
- SHA512: ce5103c9947a77706a6c8513fbeea27692f4daaf44093d2a6bd26ead99ff9a084fc74dda19c7a9ccdbce2d8549ca076f368c75a39b795a422028c48c09770b0e
- SSDEEP: 12288:grnJPKtd6JGvWRdZtV6WkbFqSYiyjdSHEE:SQ6JaWRCFqXigYz
Static task
- static1
Behavioral task
- behavioral1
  Sample: JaffaCakes118_88a2b1c3cd7d3a8289661a964bec8ea5.exe
  Resource: win7-20240729-en
Behavioral task
- behavioral2
  Sample: JaffaCakes118_88a2b1c3cd7d3a8289661a964bec8ea5.exe
  Resource: win10v2004-20250314-en
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Extracted: cybergate
- Version: 2.6
- kurban
- C2: 127.0.0.1:81
- C2: 78.160.104.234:81
- C2: d123.no-ip.org:81
- Mutex: ***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: 123456789
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Targets
- Target: JaffaCakes118_88a2b1c3cd7d3a8289661a964bec8ea5
- Size: 396KB
Signatures
- Cybergate family
- Modifies firewall policy service
- Sality family
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (technique: number of matching signatures)
Persistence
- Boot or Logon Autostart Execution: 3
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 2
- Create or Modify System Process: 1
  - Windows Service: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 3
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 2
- Create or Modify System Process: 1
  - Windows Service: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Impair Defenses: 4
  - Disable or Modify System Firewall: 1
  - Disable or Modify Tools: 3
- Modify Registry: 9