General
Target: 1a29a7d4a609376611f776cd0beb8b65_JaffaCakes118
Size: 444KB
Sample: 240628-px776asgpm
MD5: 1a29a7d4a609376611f776cd0beb8b65
SHA1: b3b0fbfca92f6f44fe42fc0212e7fcacb93c752e
SHA256: 2f8f52892b22dc6a694d7e6384eae3d6114b098b06aa1f2f888d35e85295b8ef
SHA512: 06c2bc7cc3b1241f560eef6385dd753dfc2cbdc261841fc786407e88e91564b82a1704626b5b149fa761adf9b77420bae9a486cb182d4eb7559932d86f66a55d
SSDEEP: 6144:FO+M1uhejQME1MwzCjhuAczZ7pl9Aa5KDYNOQUiARcHX3jitubBaKX5Sedy/:ZM1GeMX1Mwzuhtc1fGqOQ5QajiswKXE
Static task: static1
Behavioral task: behavioral1
Sample: 1a29a7d4a609376611f776cd0beb8b65_JaffaCakes118.exe
Resource: win7-20240221-en
Malware Config
Extracted: cybergate
v1.07.5
MODEL0909
finders.hopto.org:425
0N48G0L5CBKB71
enable_keylogger: false
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: Google Update
install_file: taskmgr.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Error - application not supported on this operating system
message_box_title: Model Placement Application
password: knarf0909
regkey_hkcu: Google Update
regkey_hklm: Google Update
Targets
Target: 1a29a7d4a609376611f776cd0beb8b65_JaffaCakes118
Size: 444KB
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
Suspicious use of SetThreadContext