cybergate | 5defd93fa61302ca6d0483ae972b6f2d725ae048746f5d3fec7b1fe6ecff2593 | Triage

Sharing

General

Target

JaffaCakes118_b793a8c22e8fb99e3aeefc6318859218
Size

828KB
Sample

250414-nnv1sswls8
MD5

b793a8c22e8fb99e3aeefc6318859218
SHA1

1e7aea0a862372da80c69adff4c52cb710d96638
SHA256

5defd93fa61302ca6d0483ae972b6f2d725ae048746f5d3fec7b1fe6ecff2593
SHA512

577164d17f718daf104c3e63b9cc072c4fc7bd61d5f0d2ad8c10271d48ee4a4b3a19027e1a925fea27df633fa4ea6faa2dab4bcb07d46377ca9d1a30872bb6d2
SSDEEP

12288:PkWAehJuqTsdxFeVuybwagmFXKeRhrMtMRavXJ6BNTSVnOZ5+OEAEPaz+KKNueuD:PkWAAuqeQbPgWyXQB5KnOGO3aaFK/uD

Score

10^/10

cybergate vic discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Vic

C2

chuscarros.zapto.org:4662

Mutex

6NM282PB10NP3M

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_file
igfxpers.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Windows no encuentra Comdlg32.ocx. Reinstalar la aplicacion puede solucionar problemas.
message_box_title
Windows - Comdlg32.ocx
password
kranidos1
regkey_hkcu
Atomic Grafical Estudio
regkey_hklm
igfxpers module.exe

Targets

- Target
  
  JaffaCakes118_b793a8c22e8fb99e3aeefc6318859218
- Size
  
  828KB
- MD5
  
  b793a8c22e8fb99e3aeefc6318859218
- SHA1
  
  1e7aea0a862372da80c69adff4c52cb710d96638
- SHA256
  
  5defd93fa61302ca6d0483ae972b6f2d725ae048746f5d3fec7b1fe6ecff2593
- SHA512
  
  577164d17f718daf104c3e63b9cc072c4fc7bd61d5f0d2ad8c10271d48ee4a4b3a19027e1a925fea27df633fa4ea6faa2dab4bcb07d46377ca9d1a30872bb6d2
- SSDEEP
  
  12288:PkWAehJuqTsdxFeVuybwagmFXKeRhrMtMRavXJ6BNTSVnOZ5+OEAEPaz+KKNueuD:PkWAAuqeQbPgWyXQB5KnOGO3aaFK/uD
Score

10^/10

cybergate vic discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatevicdiscoverypersistencestealertrojanupx