General
-
Target
JaffaCakes118_0d2bd47cb962bc86643f0b07aedb5d00
-
Size
304KB
-
Sample
250604-dltpvafk2z
-
MD5
0d2bd47cb962bc86643f0b07aedb5d00
-
SHA1
477a42ff0657a7f9e85418cd0b78d7d9be1f6da9
-
SHA256
44c81edbc14bfde638b8ac92129d5c695ebad6c63c0ab0f43336d0e23eaefd94
-
SHA512
1374b37fd12c8b95b55e1ed4bd505a4ed4f7d46652ec26217855c0878f5f1cd4c993137b43a31b15d1bba95888cdb65e438e70c730db59b1c4bac709c5604aef
-
SSDEEP
6144:jmgWbYpaiov3kwBwoApnmIrHY/MSEt9cg4pRR+O4cyWlreARKyWo:jmgWEX20ae7pSEz94pRR+eyWl/RKyp
Static task
static1
Malware Config
Extracted
cybergate
v1.07.5
Cyber
voldemort.zapto.org:1232
0TP8TD322L3M20
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
System32
-
install_file
avguar.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123
-
regkey_hkcu
Win32
-
regkey_hklm
Win32
Targets
-
-
Target
Facelogger.exe
-
Size
426KB
-
MD5
afd38705ef7d943fd6559111a4eaa137
-
SHA1
dbe55edddfa6b9ec97b4abb6bbbbee1f8ea6a8a8
-
SHA256
dc561f4c145eb85a13949fcd7e897b18621311f2a8fd0f9d282a1b05217b89e8
-
SHA512
a9cce7a6627e4758e13e04b694c152b7105ecd4e28cc508eca812849891944e6e3c43651ef7ebc444c119fbb484de5400a3bb893ecd4139d4bc100b9a1985969
-
SSDEEP
12288:Qa7VIHa7oa75LfI7tNMiIftPeyaDjrbYgSGvDjX4PkN:5TVcERtPeyavrKQX2kN
-
Cybergate family
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2