General
Target: 1be1c44d54b77212c3a57250b4b359fa_JaffaCakes118
Size: 923KB
Sample: 240701-v3fyrazgrb
MD5: 1be1c44d54b77212c3a57250b4b359fa
SHA1: 5a2696074e4def5c7d0b2e178d48e3088449829c
SHA256: 5fc0ad23b2e5fc626717ea72ae873efb5d351077bb1c4269a902c9fa73538454
SHA512: b907e8ce8289cb9cacbb4c2795c2cc6d9c22c77c86ad623dfc90040dcd37d4fcf2f373ae1997861a1630576aeda06efe10a3ed3369a88688c3a2f0e6c06cb50c
SSDEEP: 24576:2RfdI2PQKmqn70jhXFXUcLu2eG/tMTi1ISRjp65/v:2HJYKmqn70jhXFXUcLu27VMwv453
Behavioral task
behavioral1
Sample: 1be1c44d54b77212c3a57250b4b359fa_JaffaCakes118.exe
Resource: win7-20240611-en
Malware Config
Extracted
cybergate
2.6
Deise
operspicaz.no-ip.org:1982
Java(TM) Plarform SE 7 U32
enable_keylogger: true
enable_message_box: false
ftp_directory: ./day_cristina/keyloguer/
ftp_interval: 30
ftp_password: netempresa@12*
ftp_port: 21
ftp_server: ftp.installwarebusiness.com.br
ftp_username: installwarebusiness
injected_process: jusched.exe
install_dir: Java\jre6\bin
install_file: Java(TM).exe
install_flag: true
keylogger_enable_ftp: true
message_box_caption: Curioso(a)? ti enganei hahahahaha
message_box_title: Enganado(a)
password: abcd1234
regkey_hklm: Java(TM) Plarform SE 7 U32
Targets
Target: 1be1c44d54b77212c3a57250b4b359fa_JaffaCakes118
Size: 923KB
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext