cybergate | 43d38eb21fe9c4eaf9a74ccf9b27f397f5c027c2e54a44ff131bd9c24080307f | Triage

Sharing

General

Target

JaffaCakes118_b19789ca40668e474ce5343b12194ba6
Size

337KB
Sample

250412-jqh2sszqx3
MD5

b19789ca40668e474ce5343b12194ba6
SHA1

8c4113f73535f57c128764d2245b7ab9f19ae444
SHA256

43d38eb21fe9c4eaf9a74ccf9b27f397f5c027c2e54a44ff131bd9c24080307f
SHA512

d5565004311f9960b58f2bc3140e4409fdafd8cc96e30df67eab1c6a66a640bd6e7296502d8162e2036041172a9abcfae1269b189771530c9e8b88bd7c3e6a9e
SSDEEP

6144:VAfVR4FEI9ykw6Y7iacY7SCWavYtseRyKCZrNhkm3eAY0s/7bVi6hieMPwjzvrG1:V6+NFrCgtseIJkm3HY0s/VZieMPwjvEJ

Score

10^/10

cybergate remote discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

C2

127.0.0.1:7878

razame.no-ip.biz:7878

Mutex

37FH3T87W68TQS

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Thank you for running our WebcamFix. Your system has now been optimized to the mrfreecams.com standards and your Webcam should run smoothly from now on. MyFreeCams.com Support.
message_box_title
MyFreeCams.com WebcamFix
password
raz44raz

Targets

- Target
  
  JaffaCakes118_b19789ca40668e474ce5343b12194ba6
- Size
  
  337KB
- MD5
  
  b19789ca40668e474ce5343b12194ba6
- SHA1
  
  8c4113f73535f57c128764d2245b7ab9f19ae444
- SHA256
  
  43d38eb21fe9c4eaf9a74ccf9b27f397f5c027c2e54a44ff131bd9c24080307f
- SHA512
  
  d5565004311f9960b58f2bc3140e4409fdafd8cc96e30df67eab1c6a66a640bd6e7296502d8162e2036041172a9abcfae1269b189771530c9e8b88bd7c3e6a9e
- SSDEEP
  
  6144:VAfVR4FEI9ykw6Y7iacY7SCWavYtseRyKCZrNhkm3eAY0s/7bVi6hieMPwjzvrG1:V6+NFrCgtseIJkm3HY0s/VZieMPwjvEJ
Score

10^/10

cybergate remote discovery persistence stealer trojan
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateremotediscoverypersistencestealertrojan