General
Target: fad53bdbad9b9427768e0096a3346bed_JaffaCakes118
Size: 397KB
Sample: 240419-v9p51abg5v
MD5: fad53bdbad9b9427768e0096a3346bed
SHA1: dd28833f28b3e1380415df59a2cc104063bf7dca
SHA256: d5309a9da961565bd7f0de17b004a8dcd077e1eb4571bbc89e629ad8fac6cd6e
SHA512: 3bcbc3189a6756710a00831630e7df353343080ea0043b92014bc0a0d382a3aaa67f7149dea56996469b92af19141498431b15bc6d3c07b9ae7d21a0d8ffc3de
SSDEEP: 6144:PxnXB8ZSiOBQ47rpGHufeq8S3FSLa34eugs/os9BGaaaV2+Ed1SkS9ZuMhkvjMU9:P1XB8G7AHYr5VSL8Ng9B/c1StJ+Itu9
Behavioral task: behavioral1
Sample: fad53bdbad9b9427768e0096a3346bed_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: fad53bdbad9b9427768e0096a3346bed_JaffaCakes118.exe
Resource: win10v2004-20240226-en
Malware Config
Extracted
cybergate
v1.07.5
19_06_fishing
127.0.0.1:71
3CO7R35VYR34OF
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: Microsoft Offices
install_file: startup.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 111
regkey_hkcu: HKCO
regkey_hklm: HKLN
Targets
Target: fad53bdbad9b9427768e0096a3346bed_JaffaCakes118
Size: 397KB
MD5: fad53bdbad9b9427768e0096a3346bed
SHA1: dd28833f28b3e1380415df59a2cc104063bf7dca
SHA256: d5309a9da961565bd7f0de17b004a8dcd077e1eb4571bbc89e629ad8fac6cd6e
SHA512: 3bcbc3189a6756710a00831630e7df353343080ea0043b92014bc0a0d382a3aaa67f7149dea56996469b92af19141498431b15bc6d3c07b9ae7d21a0d8ffc3de
SSDEEP: 6144:PxnXB8ZSiOBQ47rpGHufeq8S3FSLa34eugs/os9BGaaaV2+Ed1SkS9ZuMhkvjMU9:P1XB8G7AHYr5VSL8Ng9B/c1StJ+Itu9
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-