General
-
Target
0e73ecb733c97daaa4bf446d29fa15b9_JaffaCakes118
-
Size
1.2MB
-
Sample
240625-r2pmqawbqd
-
MD5
0e73ecb733c97daaa4bf446d29fa15b9
-
SHA1
cc97c85051df425ed9ba8f887100e13ebabd76b3
-
SHA256
66b455dc9d3d42df74e6cf6164f41104f4f89ad93b836821cebaee26bb670127
-
SHA512
e9ef7770792f8c71fb5a746f2d9a1ece2a7dca39c2f195befd4e32c0d5b60e657c801c5365431acd4b57d43e65131102c9a1f66ba1e5896f94ddd8428b1e5a0f
-
SSDEEP
3072:7sLC3FLwdD31SJNqqE0/U/1ZEcychxAJE+QNV4+AFEgBZ9INUH22lVpo2wiMpPTW:xBx
Static task
static1
Behavioral task
behavioral1
Sample
0e73ecb733c97daaa4bf446d29fa15b9_JaffaCakes118.exe
Resource
win7-20240508-en
Malware Config
Extracted
cybergate
2.6
vítima
mal3k.no-ip.org:87
***ROZE***
-
enable_keylogger
true
-
enable_message_box
true
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
svchost.exe
-
install_dir
UZUZ
-
install_file
CORE i 3.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
This program works with the old version
-
message_box_title
Error
-
password
abcd1234
Targets
-
-
Target
0e73ecb733c97daaa4bf446d29fa15b9_JaffaCakes118
-
Size
1.2MB
-
MD5
0e73ecb733c97daaa4bf446d29fa15b9
-
SHA1
cc97c85051df425ed9ba8f887100e13ebabd76b3
-
SHA256
66b455dc9d3d42df74e6cf6164f41104f4f89ad93b836821cebaee26bb670127
-
SHA512
e9ef7770792f8c71fb5a746f2d9a1ece2a7dca39c2f195befd4e32c0d5b60e657c801c5365431acd4b57d43e65131102c9a1f66ba1e5896f94ddd8428b1e5a0f
-
SSDEEP
3072:7sLC3FLwdD31SJNqqE0/U/1ZEcychxAJE+QNV4+AFEgBZ9INUH22lVpo2wiMpPTW:xBx
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-