General
Target: 190e81a9f5884e7e27e9fbe996566cf9_JaffaCakes118
Size: 370KB
Sample: 240628-gvsqpaxejn
MD5: 190e81a9f5884e7e27e9fbe996566cf9
SHA1: 612c2c3cf7faa2508a2dea91071f87bf3fd8ae71
SHA256: a143f63b515f75275b55a2861fa1cfdd1c91f13b7195ab460a84784a8ae512d8
SHA512: 969cf9e9c8205850bee1c1e9c67917a8b3c860c5ee9c7fa9a432998402363a041448f33279a8c2fa8a72a21e2978264e8e7802d0b4201889a0f51c5befe145e4
SSDEEP: 6144:BSpHIKqV82XrliQsW8ubcadcueLRNI3IGLjsfSYSUi:Pw2lMXVNIXjsfSYg
Static task: static1
Behavioral task: behavioral1
Sample: 190e81a9f5884e7e27e9fbe996566cf9_JaffaCakes118.exe
Resource: win7-20240508-en
Malware Config
Extracted
Family: cybergate
Version: v1.03.0
Ev][L
C2: xgn.r00t.la:5197
C2: ur.now.afraid.org:5197
C2: the.warnet.ignorelist.com:5197
LRT5CT7D3QWMKX
enable_keylogger: false
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: winsxs
install_file: wdmloader.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: c0tcharm@nte!!
Targets
Target: 190e81a9f5884e7e27e9fbe996566cf9_JaffaCakes118
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext