General
Target: 26255adf932bdc8f381e5e92128e43c8_JaffaCakes118
Size: 371KB
Sample: 240704-zhl2gsxgkq
MD5: 26255adf932bdc8f381e5e92128e43c8
SHA1: 44dc2d6120ebe334aae32887d6ba6075542b5c63
SHA256: 540822a4f0bf800a6762466dbe66adcdb219cc9a3ef69380a2013ac231f1c29e
SHA512: 622d4a71405ff2646e9100cd32ca0943a5c327312b544c0e2565f6c3448887889572f0999a61185a8a0ad6fadaca4db8f485bb5cba4e31b77f2b556321f211ab
SSDEEP: 6144:1SfNawSOjMJgNIDCHqWUXCewNo3l4rnzKDM7n7+LG39crNM9:8fPrUXHwKwyLG3D

Static task: static1

Behavioral task: behavioral1
Sample: 26255adf932bdc8f381e5e92128e43c8_JaffaCakes118.exe
Resource: win7-20240220-en

Malware Config
Extracted: cybergate
v1.07.5
Cyber
127.0.0.1:999
caldog7.no-ip.biz:3086
0RLUX46FGM778O
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: WinDir
install_file: svchost.exe
install_flag: false
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456

Targets
Target: 26255adf932bdc8f381e5e92128e43c8_JaffaCakes118
Size: 371KB
MD5: 26255adf932bdc8f381e5e92128e43c8
SHA1: 44dc2d6120ebe334aae32887d6ba6075542b5c63
SHA256: 540822a4f0bf800a6762466dbe66adcdb219cc9a3ef69380a2013ac231f1c29e
SHA512: 622d4a71405ff2646e9100cd32ca0943a5c327312b544c0e2565f6c3448887889572f0999a61185a8a0ad6fadaca4db8f485bb5cba4e31b77f2b556321f211ab
SSDEEP: 6144:1SfNawSOjMJgNIDCHqWUXCewNo3l4rnzKDM7n7+LG39crNM9:8fPrUXHwKwyLG3D

Signatures
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext