General

  • Target: JaffaCakes118_0d2bd47cb962bc86643f0b07aedb5d00
  • Size: 304KB
  • Sample: 250604-dltpvafk2z
  • MD5: 0d2bd47cb962bc86643f0b07aedb5d00
  • SHA1: 477a42ff0657a7f9e85418cd0b78d7d9be1f6da9
  • SHA256: 44c81edbc14bfde638b8ac92129d5c695ebad6c63c0ab0f43336d0e23eaefd94
  • SHA512: 1374b37fd12c8b95b55e1ed4bd505a4ed4f7d46652ec26217855c0878f5f1cd4c993137b43a31b15d1bba95888cdb65e438e70c730db59b1c4bac709c5604aef
  • SSDEEP: 6144:jmgWbYpaiov3kwBwoApnmIrHY/MSEt9cg4pRR+O4cyWlreARKyWo:jmgWEX20ae7pSEz94pRR+eyWl/RKyp

Malware Config

Extracted

  • Family: cybergate
  • Version: v1.07.5
  • Botnet: Cyber
  • C2: voldemort.zapto.org:1232
  • Mutex: 0TP8TD322L3M20

Attributes

  • enable_keylogger: true
  • enable_message_box: false
  • ftp_directory: ./logs/
  • ftp_interval: 30
  • injected_process: explorer.exe
  • install_dir: System32
  • install_file: avguar.exe
  • install_flag: true
  • keylogger_enable_ftp: false
  • message_box_caption: Remote Administration anywhere in the world.
  • message_box_title: CyberGate
  • password: 123
  • regkey_hkcu: Win32
  • regkey_hklm: Win32

Targets

    • Target: Facelogger.exe
    • Size: 426KB
    • MD5: afd38705ef7d943fd6559111a4eaa137
    • SHA1: dbe55edddfa6b9ec97b4abb6bbbbee1f8ea6a8a8
    • SHA256: dc561f4c145eb85a13949fcd7e897b18621311f2a8fd0f9d282a1b05217b89e8
    • SHA512: a9cce7a6627e4758e13e04b694c152b7105ecd4e28cc508eca812849891944e6e3c43651ef7ebc444c119fbb484de5400a3bb893ecd4139d4bc100b9a1985969
    • SSDEEP: 12288:Qa7VIHa7oa75LfI7tNMiIftPeyaDjrbYgSGvDjX4PkN:5TVcERtPeyavrKQX2kN

    • CyberGate, Rebhip
      CyberGate is a lightweight remote administration tool with a wide array of functionalities.
    • Cybergate family
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Executes dropped EXE
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • UPX packed file
      Detects executables packed with the UPX or a modified UPX open source packer.

MITRE ATT&CK Enterprise v16