cybergate | ad37be9cb192391256649929c0d6c8e3e4e687ad9f498e98ad1db0a070b88541

Sharing

Copy URL

Twitter E-mail

General

Target

1c277dd0724483aa4d57ab9b06751f57_JaffaCakes118
Size

1.4MB
Sample

240701-xrn64athjc
MD5

1c277dd0724483aa4d57ab9b06751f57
SHA1

ecb23f90bed078cf727cf768486edfbb77525615
SHA256

ad37be9cb192391256649929c0d6c8e3e4e687ad9f498e98ad1db0a070b88541
SHA512

a766be37671826143d0667791cf8ee6444a759f51848ecefb16122bf4ce2ec45620cd0b81d9c16d472d94a8d0a2adfb6692e24feb4cab05acfa2cf03824ff02d
SSDEEP

24576:waHfv6Corjqny/QiRwB4WXTizEXaaH+NWNtLOa85pdIvZsze0o48DV:wivqjd/Qis4yqO+UAa85pdCITQJ

Score

10^/10

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

das-tn.zapto.org:5210

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
ftp_password
ª÷Öº+Þ
ftp_port
21
ftp_server
ftp.server.com
ftp_username
ftp_user
injected_process
winlogon.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  1c277dd0724483aa4d57ab9b06751f57_JaffaCakes118
- Size
  
  1.4MB
- MD5
  
  1c277dd0724483aa4d57ab9b06751f57
- SHA1
  
  ecb23f90bed078cf727cf768486edfbb77525615
- SHA256
  
  ad37be9cb192391256649929c0d6c8e3e4e687ad9f498e98ad1db0a070b88541
- SHA512
  
  a766be37671826143d0667791cf8ee6444a759f51848ecefb16122bf4ce2ec45620cd0b81d9c16d472d94a8d0a2adfb6692e24feb4cab05acfa2cf03824ff02d
- SSDEEP
  
  24576:waHfv6Corjqny/QiRwB4WXTizEXaaH+NWNtLOa85pdIvZsze0o48DV:wivqjd/Qis4yqO+UAa85pdCITQJ
Score

10^/10

cybergate sality vítima backdoor evasion persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Modifies firewall policy service
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2