cybergate | 40623860d8ccae91fffd53a20ddeb65795b2e20c37751b9f3caabf2d48145ee7

General

Target

19526df81dabca7468ef6106a4bc79a9_JaffaCakes118
Size

270KB
Sample

240628-jker7ayaqd
MD5

19526df81dabca7468ef6106a4bc79a9
SHA1

3399e2dcd8b9d6d58083998f17b1235da63c2c1e
SHA256

40623860d8ccae91fffd53a20ddeb65795b2e20c37751b9f3caabf2d48145ee7
SHA512

cfd1ee32716420ee0ab79a6ed5fd03e7c422efc704bac9586fdec2016e97a4ba6da0eeeb83518c16fcaf39dde9b1237d2c240e7ac15aad2df60af9f4fe022e07
SSDEEP

6144:tJM2YGOuhzi9uM+zYdscEP8TxecorWzH1rU:vVYGOuhscEWvUlehrWzHe

Score

10^/10

Malware Config

Extracted

Family

cybergate

Botnet

FALSE

C2

ØØÎÙÏÏ¼¼êÕÎÈÉÝÐìÎÓÈÙßÈ¼¼êÕÎÈÉÝÐýÐÐÓß¼¼êÕÎÈÉÝÐúÎÙÙ¼¼¼ùÄÕÈìÎÓßÙÏÏ¼¼¼ðÏÝÿÐÓÏÙ¼¼ÿÎÅÌÈéÒÌÎÓÈÙßÈøÝÈÝ¼¼óÐÙõÒÕÈÕÝÐÕÆÙ¼¼¼ïÅÏúÎÙÙïÈÎÕÒÛ¼¼¼ìïÈÓÎÙÿÎÙÝÈÙõÒÏÈÝÒßÙ¼¼îÝÏùÒÉÑùÒÈÎÕÙÏý¼¼¼ïôûÙÈïÌÙßÕÝÐúÓÐØÙÎìÝÈÔý¼¼¼èÓýÏßÕÕ¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼1Y8UJ-ACTH-RDQS-J725-M7JRY88LFDBP}

HKLM

HKCU

FALSE

16

0

CyberGate

Remote Administration anywhere in the world.

TRUE

ftp.server.com

./logs/

ftp_user

ª÷Öº+Þ

21

30

Mutex

Attributes

enable_keylogger
false
enable_message_box
true
install_dir
FALSE
install_file
FALSE
install_flag
false
keylogger_enable_ftp
false
message_box_caption
TRUE
message_box_title
TRUE
password
FALSE
regkey_hkcu
FALSE
regkey_hklm
FALSE

Extracted

Family

cybergate

Version

v1.07.5

Botnet

exploit2

C2

r50.no-ip.info:81

Mutex

60TKV1WG2S1E08

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install56565
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
kokusha123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  19526df81dabca7468ef6106a4bc79a9_JaffaCakes118
- Size
  
  270KB
- MD5
  
  19526df81dabca7468ef6106a4bc79a9
- SHA1
  
  3399e2dcd8b9d6d58083998f17b1235da63c2c1e
- SHA256
  
  40623860d8ccae91fffd53a20ddeb65795b2e20c37751b9f3caabf2d48145ee7
- SHA512
  
  cfd1ee32716420ee0ab79a6ed5fd03e7c422efc704bac9586fdec2016e97a4ba6da0eeeb83518c16fcaf39dde9b1237d2c240e7ac15aad2df60af9f4fe022e07
- SSDEEP
  
  6144:tJM2YGOuhzi9uM+zYdscEP8TxecorWzH1rU:vVYGOuhscEWvUlehrWzHe
Score

10^/10

cybergate exploit2 persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2