General
Target: fa7ea90f0fb77f0cec1307a856995c19_JaffaCakes118
Size: 452KB
Sample: 240419-rqtsasef27
MD5: fa7ea90f0fb77f0cec1307a856995c19
SHA1: ce1bb5a50c924b436c37c55f77a1b4bc9e3c0800
SHA256: 0229c9ebe5e2bb7bd2de5c1bde5490809be6987e95d45df02fe5a3fa1a1ae0df
SHA512: 998e865fb782770d9fd4b14a16090c27b6fe7185ab960b431090c8f98bb559bd3ba5d642f7b8be7cbbe496c669613621223956f79db5e5563b852a34aaa9af4f
SSDEEP: 6144:z7yIJH3O2jabhs6lRsu/xaHzuWpc54dcDbM6V5ORzmOEv4W5bETsJMgT:pJTjukExaiC7cXlUf9W5bETsJhT

Static task: static1
Behavioral task: behavioral1
Sample: fa7ea90f0fb77f0cec1307a856995c19_JaffaCakes118.exe
Resource: win7-20240221-en
Malware Config
Extracted
cybergate
v1.07.5
KENUN0915
finders.hopto.org:425
1441M05M610QE4

enable_keylogger: false
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: Google Update
install_file: taskmgr.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Error - Application not supported on this operating system
message_box_title: Model Placement Application
password: knarf0909
regkey_hkcu: Google Update
regkey_hklm: Google Update
Targets
Target: fa7ea90f0fb77f0cec1307a856995c19_JaffaCakes118
Size: 452KB
MD5: fa7ea90f0fb77f0cec1307a856995c19
SHA1: ce1bb5a50c924b436c37c55f77a1b4bc9e3c0800
SHA256: 0229c9ebe5e2bb7bd2de5c1bde5490809be6987e95d45df02fe5a3fa1a1ae0df
SHA512: 998e865fb782770d9fd4b14a16090c27b6fe7185ab960b431090c8f98bb559bd3ba5d642f7b8be7cbbe496c669613621223956f79db5e5563b852a34aaa9af4f
SSDEEP: 6144:z7yIJH3O2jabhs6lRsu/xaHzuWpc54dcDbM6V5ORzmOEv4W5bETsJMgT:pJTjukExaiC7cXlUf9W5bETsJhT

Signatures
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext