Overview

overview

10

Static

static

3

1776525d33...18.exe

windows7-x64

10

1776525d33...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1776525d33d01c4bff8ae34fb7f77e27_JaffaCakes118

  • Size

    1.4MB

  • Sample

    240627-zkb93azdqf

  • MD5

    1776525d33d01c4bff8ae34fb7f77e27

  • SHA1

    2fca349e526346e051d25a5f2ded85eb80351475

  • SHA256

    4dcf6f43f2b92583870b1f7da85cae8ca10205589d19581fec503b027b7bb0ce

  • SHA512

    6f197ed2edf03440dcd4252c6270ace985ef99eda1a0daa1830e5985b29c82d3f4d3aaf961203555b444ff34f15eff31ce4ec5a623e6f679c87e1769a03a77eb

  • SSDEEP

    6144:6SQlVCxwY7ftRKWBNiE0nh6bZ0BR06pjl:6tlVCxwY7ftLZmh6bZc06pjl

Score
10/10
cybergateöííépersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

127.0.0.1:288

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    windows.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • Target

      1776525d33d01c4bff8ae34fb7f77e27_JaffaCakes118

    • Size

      1.4MB

    • MD5

      1776525d33d01c4bff8ae34fb7f77e27

    • SHA1

      2fca349e526346e051d25a5f2ded85eb80351475

    • SHA256

      4dcf6f43f2b92583870b1f7da85cae8ca10205589d19581fec503b027b7bb0ce

    • SHA512

      6f197ed2edf03440dcd4252c6270ace985ef99eda1a0daa1830e5985b29c82d3f4d3aaf961203555b444ff34f15eff31ce4ec5a623e6f679c87e1769a03a77eb

    • SSDEEP

      6144:6SQlVCxwY7ftRKWBNiE0nh6bZ0BR06pjl:6tlVCxwY7ftLZmh6bZc06pjl

    Score
    10/10
    cybergateöííépersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks