General
-
Target
16d02bdf8c985198ced13e0489b9db5d_JaffaCakes118
-
Size
626KB
-
Sample
240627-vppzha1dnh
-
MD5
16d02bdf8c985198ced13e0489b9db5d
-
SHA1
ff84726dd62b7b8f2fe9808c5cbd07762942955d
-
SHA256
5cc4faeddb0c96356f3088caff5f7e3470a8bc57bbb0bc2fc04ab8db2c4927a7
-
SHA512
fc20ba21889d9a0a3b7975161974149dbcf442dc2bfc9eb5ec2f3660d19139cb91b7e5c3b07467aeeed876af6c0f7146e8c1f2d6b1badebe04f25c1be7940eef
-
SSDEEP
12288:+HLUMuiv9RgfSjAzRtyf5jGIt8R9rT7fVGLbVULHk:8tARUZG48R9rT7fVAWE
Static task
static1
Behavioral task
behavioral1
Sample
16d02bdf8c985198ced13e0489b9db5d_JaffaCakes118.exe
Resource
win7-20240611-en
Malware Config
Extracted
cybergate
2.6
vítima
longinos000.no-ip.org:880
Jackal
-
enable_keylogger
true
-
enable_message_box
true
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
win33.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Arquivo incompatível com configuração. Tente novamente.
-
message_box_title
Atenção!
-
password
jmp007
-
regkey_hkcu
win33
-
regkey_hklm
win33
Targets
-
-
Target
16d02bdf8c985198ced13e0489b9db5d_JaffaCakes118
-
Size
626KB
-
MD5
16d02bdf8c985198ced13e0489b9db5d
-
SHA1
ff84726dd62b7b8f2fe9808c5cbd07762942955d
-
SHA256
5cc4faeddb0c96356f3088caff5f7e3470a8bc57bbb0bc2fc04ab8db2c4927a7
-
SHA512
fc20ba21889d9a0a3b7975161974149dbcf442dc2bfc9eb5ec2f3660d19139cb91b7e5c3b07467aeeed876af6c0f7146e8c1f2d6b1badebe04f25c1be7940eef
-
SSDEEP
12288:+HLUMuiv9RgfSjAzRtyf5jGIt8R9rT7fVGLbVULHk:8tARUZG48R9rT7fVAWE
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-