General
-
Target
18e1e154b24d16fe6b026e74f9883126_JaffaCakes118
-
Size
496KB
-
Sample
240628-frse3ssfpa
-
MD5
18e1e154b24d16fe6b026e74f9883126
-
SHA1
98ada9968b0ccfc38b8ab1d71ff4e4d70e396224
-
SHA256
4ecb2e7e488377b0ecb3cd4df323c0bebc759ee90b7593dfb4ec8c9fc4139316
-
SHA512
58cc438d5b9e417e1b70ae487771de99408afa9d41aab2ebbaa6b6c53126af0d71c110baf3bfa1cfe66ab286514e4a2749fc98cf1a93c4afd560a5253b9eac53
-
SSDEEP
12288:ASHzVaXA6e0NSY+IWhjYjz3F3dbKvVqYRuHqnXrk:qQ6eaR2hjG53dbKNw
Static task
static1
Behavioral task
behavioral1
Sample
18e1e154b24d16fe6b026e74f9883126_JaffaCakes118.exe
Resource
win7-20240221-en
Malware Config
Extracted
cybergate
v1.07.5
Tencent
symeon3melrich.no-ip.org:45010
danielclaudede.dyndns.org:13889
murazawahara.no-ip.info:7070
TT43M10GK0G5SB
-
enable_keylogger
false
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
false
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
ZBj2
Targets
-
-
Target
18e1e154b24d16fe6b026e74f9883126_JaffaCakes118
-
Size
496KB
-
MD5
18e1e154b24d16fe6b026e74f9883126
-
SHA1
98ada9968b0ccfc38b8ab1d71ff4e4d70e396224
-
SHA256
4ecb2e7e488377b0ecb3cd4df323c0bebc759ee90b7593dfb4ec8c9fc4139316
-
SHA512
58cc438d5b9e417e1b70ae487771de99408afa9d41aab2ebbaa6b6c53126af0d71c110baf3bfa1cfe66ab286514e4a2749fc98cf1a93c4afd560a5253b9eac53
-
SSDEEP
12288:ASHzVaXA6e0NSY+IWhjYjz3F3dbKvVqYRuHqnXrk:qQ6eaR2hjG53dbKNw
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-