General
-
Target
1d2449362a4ec59eec58f4b4af2086b0_JaffaCakes118
-
Size
1.3MB
-
Sample
240702-a2xvnatcmq
-
MD5
1d2449362a4ec59eec58f4b4af2086b0
-
SHA1
73d502e981e057db291a986bb7231c1a1b40c2be
-
SHA256
8d93ec7a09dea50582402fd305aa546fd00dea9f98af708fdbe0e604fc5be174
-
SHA512
fc5d7f97ac7ccf5f3d0e82b0670a108edd0f0d4f85f732f19b421cbc7ed659d37bc68d697228e84fb0b7904d46b7c9391f012c017cc1ab7cec8a022207bd049a
-
SSDEEP
24576:YKwQrsiK3Sr0ckHCb2vjNDqKZb1lxJKjNDqKZb1lxJp:YKl83VckHtjsIzrKjsIzrp
Malware Config
Extracted
cybergate
2.6
10.0.2.15
10.0.2.15:80
crack
-
enable_keylogger
true
-
enable_message_box
true
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
espiao.exe
-
install_dir
spynet
-
install_file
spy.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Ja entrou!
-
message_box_title
Ups
-
password
md
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Targets
-
-
Target
1d2449362a4ec59eec58f4b4af2086b0_JaffaCakes118
-
Size
1.3MB
-
MD5
1d2449362a4ec59eec58f4b4af2086b0
-
SHA1
73d502e981e057db291a986bb7231c1a1b40c2be
-
SHA256
8d93ec7a09dea50582402fd305aa546fd00dea9f98af708fdbe0e604fc5be174
-
SHA512
fc5d7f97ac7ccf5f3d0e82b0670a108edd0f0d4f85f732f19b421cbc7ed659d37bc68d697228e84fb0b7904d46b7c9391f012c017cc1ab7cec8a022207bd049a
-
SSDEEP
24576:YKwQrsiK3Sr0ckHCb2vjNDqKZb1lxJKjNDqKZb1lxJp:YKl83VckHtjsIzrKjsIzrp
Score10/10-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Modifies firewall policy service
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass
-
Windows security bypass
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Active Setup
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Active Setup
1Defense Evasion
Modify Registry
8Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1