General

Target: f7d0497d63d602c60da51508a0d68d75_JaffaCakes118
Size: 341KB
Sample: 240418-mlpkkabg71
MD5: f7d0497d63d602c60da51508a0d68d75
SHA1: 89dbbc423e7c3bbab4039a80d8c9c713e879f997
SHA256: a3ad40887558f233fca75384afeed49d68f20fe371ee2c232a3aa986dd3fbb4e
SHA512: d354c689af8375bc6d6f7f7d0a4925a21f16e9871aaa0c7ab30a9f97f7d42e610aa33b5d451189e76530c5ce3fbcf708620d11b2956da4a3934bfca89dd5fcd1
SSDEEP: 6144:XI3vE9YFooLUyju4StrLMJfuMA8FostkR/bWK3+ZH7e9Az:oIjoLXju4StrgJfuMrosyR/bWKOsQ

Static task: static1
Behavioral task: behavioral1
Sample: f7d0497d63d602c60da51508a0d68d75_JaffaCakes118.exe
Resource: win7-20240221-en

Malware Config

Extracted family: cybergate
Version: v1.18.0 - Crack Version
Botnet ID (label inferred from the report's field order): Pro2
C2: cometidoh.no-ip.org:1546
Mutex (label inferred from the report's field order): JY743LYL07G5YD

enable_keylogger: true
enable_message_box: true
ftp_directory: ./datos
ftp_interval: 20
ftp_password: fake5558555
ftp_port: 21
ftp_server: ftp.drivehq.com
ftp_username: nixh
injected_process: explorer.exe
install_dir: install
install_file: nfconfig.exe
install_flag: true
keylogger_enable_ftp: true
message_box_caption: Este archivo es una aplicación Win32 no válida. (Spanish: "This file is not a valid Win32 application.")
message_box_title: Error
password: 5558555
regkey_hkcu: HKCU
regkey_hklm: HKLM

Reading the config: the sample installs itself as install\nfconfig.exe, injects into explorer.exe, beacons to cometidoh.no-ip.org on port 1546 (a dynamic-DNS hostname, so the resolved IP can change between runs) and, with both the keylogger and its FTP upload enabled, pushes keylogs to the ./datos directory on ftp.drivehq.com using the credentials above. The message box reproduces the standard Windows "not a valid Win32 application" error, a decoy that makes the file look as if it simply failed to run.

Targets

Target: f7d0497d63d602c60da51508a0d68d75_JaffaCakes118 (341KB; hashes as listed under General)
Signatures:
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence check)
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
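As an added example (not part of the sandbox report or the Triage extractor), the following Python turns the extracted config and the listed signatures into a small hunt over Sysmon-style events: the dropped install_dir\install_file being executed, the three persistence writes the signatures name (policy Run key, Run key, Active Setup Installed Components), access to explorer.exe from the dropped binary, and DNS or connections to the C2 and FTP hosts. Assumptions: a flat `Key=value` / `Key="quoted"` event line format rather than Sysmon XML, Sysmon event IDs 1, 3, 10, 13 and 22, the standard registry paths behind the signature names, and constructed sample events whose drop directory under AppData\Roaming is a guess (the report gives only `install` and `nfconfig.exe`).

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the extracted CyberGate config on this page.
C2_HOST = "cometidoh.no-ip.org"
C2_PORT = "1546"
FTP_SERVER = "ftp.drivehq.com"
FTP_PORT = "21"
INSTALL_SUFFIX = r"\install\nfconfig.exe".lower()   # install_dir + install_file
INJECTED_PROCESS = "explorer.exe"

# Standard registry locations behind the report's three persistence signatures.
PERSISTENCE = [
    ("policy_run_key", re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run\\", re.I)),
    ("run_key", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("installed_components", re.compile(r"\\Active Setup\\Installed Components\\", re.I)),
]

# Key=value or Key="quoted value" pairs (assumed log format, not Sysmon XML).
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one event line into a field dict."""
    return {k: (q if q else u) for k, q, u in _FIELD.findall(line)}


def _is_dropped_exe(path: str) -> bool:
    return path.lower().endswith(INSTALL_SUFFIX)


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the indicator tags one parsed event matches (empty if none)."""
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    hits: List[str] = []
    if eid == "1" and _is_dropped_exe(image):            # process create
        hits.append("dropped_exe_executed")
    elif eid == "13":                                     # registry value set
        details = ev.get("Details", "")
        for name, pat in PERSISTENCE:
            # Only flag writes made by, or pointing at, the dropped EXE:
            # legitimate software writes Run keys all the time.
            if pat.search(ev.get("TargetObject", "")) and (
                _is_dropped_exe(image) or INSTALL_SUFFIX in details.lower()
            ):
                hits.append(f"persistence:{name}")
    elif eid == "10":                                     # process access
        src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "").lower()
        if _is_dropped_exe(src) and tgt.endswith("\\" + INJECTED_PROCESS):
            hits.append("injection:explorer_access")
    elif eid == "22":                                     # DNS query
        name = ev.get("QueryName", "").lower()
        if name == C2_HOST:
            hits.append("dns:c2_host")
        elif name == FTP_SERVER:
            hits.append("dns:ftp_exfil_server")
    elif eid == "3":                                      # network connection
        host = ev.get("DestinationHostname", "").lower()
        port = ev.get("DestinationPort", "")
        if host == C2_HOST and port == C2_PORT:
            hits.append("net:c2_connect")
        elif host == FTP_SERVER and port == FTP_PORT:
            hits.append("net:ftp_exfil")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Classify every line; return (EventID, tag) pairs in log order."""
    out: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        out.extend((ev.get("EventID", "?"), tag) for tag in classify(ev))
    return out


# Constructed sample events (not from the sandbox run). The drop directory is
# an assumption; the report gives only install_dir and install_file.
DROPPED = r"C:\Users\victim\AppData\Roaming\install\nfconfig.exe"
SAMPLE_EVENTS = [
    rf'EventID=1 Image="{DROPPED}" ParentImage="C:\Users\victim\f7d0497d63d602c60da51508a0d68d75_JaffaCakes118.exe"',
    rf'EventID=13 Image="{DROPPED}" TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKLM" Details="{DROPPED}"',
    rf'EventID=13 Image="{DROPPED}" TargetObject="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HKCU" Details="{DROPPED}"',
    rf'EventID=13 Image="{DROPPED}" TargetObject="HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{{0FE9D8C3-4A11-4B6F-9D20-5C3A7E1B2F44}}\StubPath" Details="{DROPPED}"',
    rf'EventID=10 SourceImage="{DROPPED}" TargetImage="C:\Windows\explorer.exe" GrantedAccess="0x1FFFFF"',
    r'EventID=22 Image="C:\Windows\explorer.exe" QueryName="cometidoh.no-ip.org"',
    r'EventID=3 Image="C:\Windows\explorer.exe" DestinationHostname="cometidoh.no-ip.org" DestinationPort="1546"',
    # Benign Run-key write by a system binary: must not be flagged.
    r'EventID=13 Image="C:\Windows\System32\svchost.exe" TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth" Details="C:\Windows\System32\SecurityHealthSystray.exe"',
]

if __name__ == "__main__":
    for eid, tag in scan(SAMPLE_EVENTS):
        print(f"event {eid}: {tag}")
```

The Active Setup Installed Components and policy Run writes are rare in legitimate software and are a stronger signal than the plain Run key, which is why the registry rule is gated on the dropped path rather than on the key alone. Sysmon has no event for SetThreadContext itself, so the ProcessAccess event (10) from the dropped binary to explorer.exe stands in for the injection the sandbox flagged; on a real host the GrantedAccess mask and any later CreateRemoteThread (8) event are the next things to check.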