General
Target: 25ffd99f5b1d88f4a9b7235670a0cb9c_JaffaCakes118
Size: 1.2MB
Sample: 240704-x9ltpaxdqc
MD5: 25ffd99f5b1d88f4a9b7235670a0cb9c
SHA1: e07fe7fdc2fed6225763a47d34fd5974b48488bf
SHA256: 7780f29483fc21479f403c5abdf3ecac68885aae6f08baedf6b95f3eb2a10c31
SHA512: e77c8ab7717abc0a71620040f68e33bcfc67e9ecbdeac23ca359561b2fcd4ae84030103573692c3e8a27b8203d12a21f6266780525713ec3d7b79807cc07848c
SSDEEP: 3072:2m3A4yjZIybYwEOCMRqWZAmDrlYSRcqzuD+s1IahUfBYR8jJPz2qJs9mTb4qHCS2:2mJxxd
Static task: static1
Behavioral task: behavioral1
Sample: 25ffd99f5b1d88f4a9b7235670a0cb9c_JaffaCakes118.exe
Resource: win7-20240220-en
Malware Config
Extracted: cybergate
Version: v1.18.0 - Trial version
remote: ali70.no-ip.biz:999
WM7NR632JU3GL4
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: svchost.exe
install_dir: rety
install_file: massnger.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: cybergate
regkey_hkcu: HKCU
regkey_hklm: HKLM
Targets
Target: 25ffd99f5b1d88f4a9b7235670a0cb9c_JaffaCakes118
Size: 1.2MB
MD5: 25ffd99f5b1d88f4a9b7235670a0cb9c
SHA1: e07fe7fdc2fed6225763a47d34fd5974b48488bf
SHA256: 7780f29483fc21479f403c5abdf3ecac68885aae6f08baedf6b95f3eb2a10c31
SHA512: e77c8ab7717abc0a71620040f68e33bcfc67e9ecbdeac23ca359561b2fcd4ae84030103573692c3e8a27b8203d12a21f6266780525713ec3d7b79807cc07848c
SSDEEP: 3072:2m3A4yjZIybYwEOCMRqWZAmDrlYSRcqzuD+s1IahUfBYR8jJPz2qJs9mTb4qHCS2:2mJxxd
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Adds Run key to start application
- Suspicious use of SetThreadContext