General
-
Target
1accbabb85a95511b7c6dbeec93c267c_JaffaCakes118
-
Size
361KB
-
Sample
240701-lmftdaxenn
-
MD5
1accbabb85a95511b7c6dbeec93c267c
-
SHA1
6aacbd272d3721f4592cf54174f31361d2364c1c
-
SHA256
aaed956373ee24c48cc819a42a2d0bd1f899a6844121ccef2998ae17f3953ae6
-
SHA512
f6d27b2de959015945f3822c28ae5eda7f8735b5035e3f91d4a572e1c462f8f55f29587460e7e9e1a9a6d36d2a9eab2563517f96aaa91c7c1c4cc3fb455c6987
-
SSDEEP
6144:mCgj8T9X4D8GWTyzGBcyz9As4O9bTgr6BeFMLTbFxWZ1ru/1f:mCgj8T9Xg8nGacyAs4KAr6aMTF21ru/p
Static task
static1
Behavioral task
behavioral1
Sample
1accbabb85a95511b7c6dbeec93c267c_JaffaCakes118.exe
Resource
win7-20240508-en
Malware Config
Extracted
cybergate
v1.07.5
manco
127.0.0.1:999
127.0.0.1:81
morenita.no-ip.biz:81
morenita.no-ip.org:2000
HY2141AD2A774Q
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
win.32.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
12345
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
-
Target
1accbabb85a95511b7c6dbeec93c267c_JaffaCakes118
-
Size
361KB
-
MD5
1accbabb85a95511b7c6dbeec93c267c
-
SHA1
6aacbd272d3721f4592cf54174f31361d2364c1c
-
SHA256
aaed956373ee24c48cc819a42a2d0bd1f899a6844121ccef2998ae17f3953ae6
-
SHA512
f6d27b2de959015945f3822c28ae5eda7f8735b5035e3f91d4a572e1c462f8f55f29587460e7e9e1a9a6d36d2a9eab2563517f96aaa91c7c1c4cc3fb455c6987
-
SSDEEP
6144:mCgj8T9X4D8GWTyzGBcyz9As4O9bTgr6BeFMLTbFxWZ1ru/1f:mCgj8T9Xg8nGacyAs4KAr6aMTF21ru/p
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-