cybergate | f2d364284ad982f2c892d55b78160c3a04c3807be0c15ae29dc59b1a0797704f | Triage

Submit
Reports

Overview

overview

Static

static

1b69387a29...18.exe

windows7-x64

1b69387a29...18.exe

windows10-2004-x64

Sharing

General

Target

1b69387a295df5aea1c2c4384341b10f_JaffaCakes118
Size

301KB
Sample

240701-qbzjkawgpq
MD5

1b69387a295df5aea1c2c4384341b10f
SHA1

bef8820c335612a9359b2238212ff9ab39d18479
SHA256

f2d364284ad982f2c892d55b78160c3a04c3807be0c15ae29dc59b1a0797704f
SHA512

545f446c9363649dd3884f6d69ff1e2f83442597a1391bc2c80048829b96a4f4e6c23db38480c5b3dada5b1d6696724bda71f575b6cb769b68c5fd7749d91078
SSDEEP

6144:MmcD66RRjC5JGmrpQsK3RD2u270jupCJsCxCS:9cD663bZ2zkPaCxR

Score

10^/10

cybergate swat team persistence stealer trojan upx

Static task

static1

swat team cybergate

2 signatures

Behavioral task

behavioral1

Sample

1b69387a295df5aea1c2c4384341b10f_JaffaCakes118.exe

Resource

win7-20240220-en

cybergate swat team persistence stealer trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

1b69387a295df5aea1c2c4384341b10f_JaffaCakes118.exe

Resource

win10v2004-20240508-en

cybergate swat team persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Swat Team

C2

jesica1.no-ip.biz:82

jesica.no-ip.biz:82

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
sytsem 32
install_file
mictosoft.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
lololol
message_box_title
lolol
password
123456
regkey_hkcu
java
regkey_hklm
java

Targets

- Target
  
  1b69387a295df5aea1c2c4384341b10f_JaffaCakes118
- Size
  
  301KB
- MD5
  
  1b69387a295df5aea1c2c4384341b10f
- SHA1
  
  bef8820c335612a9359b2238212ff9ab39d18479
- SHA256
  
  f2d364284ad982f2c892d55b78160c3a04c3807be0c15ae29dc59b1a0797704f
- SHA512
  
  545f446c9363649dd3884f6d69ff1e2f83442597a1391bc2c80048829b96a4f4e6c23db38480c5b3dada5b1d6696724bda71f575b6cb769b68c5fd7749d91078
- SSDEEP
  
  6144:MmcD66RRjC5JGmrpQsK3RD2u270jupCJsCxCS:9cD663bZ2zkPaCxR
Score

10^/10

cybergate swat team persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Suspicious use of NtCreateProcessExOtherParentProcess
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

swat teamcybergate

behavioral1

cybergateswat teampersistencestealertrojanupx

behavioral2

cybergateswat teampersistencestealertrojanupx

© 2018-2024

Terms | Privacy