General

  • Target

    JaffaCakes118_8a9912bf493cbe1c568618784cfcf4bd

  • Size

    326KB

  • Sample

    250328-mrl2mavvct

  • MD5

    8a9912bf493cbe1c568618784cfcf4bd

  • SHA1

    ef9f3e7ecee06802bd0f26bebb2cabda3e83555b

  • SHA256

    57c07daf3f4be969b1823f6bdc255bc0594b2f10b61da60dfa29d5bd0ed358af

  • SHA512

    1d645ffc97fead583096fe562e65652721ed05d4e3bdcc56490176217e97ca39f0017d1c655ef656027dbe411efc487b3ebd9f507f0598edd25ddc9205c37346

  • SSDEEP

    6144:Xeg3Yy19Ssgg98IwbgONC3CSvM+r23Anj2rRLZMTZsKQqvujeb9MD7MdyPs:ugX198IwbgOc3HHr23YjERLGTWKQkuyB

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

mrixoodz.no-ip.org:100

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    0000

Targets

    • Target

      JaffaCakes118_8a9912bf493cbe1c568618784cfcf4bd

    • Size

      326KB

    • MD5

      8a9912bf493cbe1c568618784cfcf4bd

    • SHA1

      ef9f3e7ecee06802bd0f26bebb2cabda3e83555b

    • SHA256

      57c07daf3f4be969b1823f6bdc255bc0594b2f10b61da60dfa29d5bd0ed358af

    • SHA512

      1d645ffc97fead583096fe562e65652721ed05d4e3bdcc56490176217e97ca39f0017d1c655ef656027dbe411efc487b3ebd9f507f0598edd25ddc9205c37346

    • SSDEEP

      6144:Xeg3Yy19Ssgg98IwbgONC3CSvM+r23Anj2rRLZMTZsKQqvujeb9MD7MdyPs:ugX198IwbgOc3HHr23YjERLGTWKQkuyB

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks