General
- Target: ae00a6aa409fa261f4adc3f39c1acaa5_JaffaCakes118
- Size: 276KB
- Sample: 240615-mj5h1axcmh
- MD5: ae00a6aa409fa261f4adc3f39c1acaa5
- SHA1: b6f8f1f31968a4fe7a341210c070f6329737b122
- SHA256: 3344e38dbbb000a57ce19492e089eee7433eb72e903763cd4b7eb28e7a17f805
- SHA512: 55f646902d342554aa5af7ca2ebd23a30720e94a0af11d22104918a377061f87182c6a9d576107ecaaa0af8ef482ea9ca4e014c9ebe06ebcdab480899775b918
- SSDEEP: 6144:TiOtMNmo5iFnT/dHsB99QqKFfRk49cXS+MkTub3N6s:3tMNmo5iFTRGKpRkGYhMNEs
Static task: static1
Behavioral task: behavioral1
- Sample: VIDEOS NENES HACIENDOSE PAJAS POR EL MOVIL Y POR EL PC.exe
- Resource: win7-20240220-en
Malware Config
Extracted: cybergate v1.02.0
- remote: adrian15.ddns.net:81
  adrian15.ddns.net:82
  1V0S4DE0G724I0
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: niƱamovil.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: pinomontano200000
- regkey_hkcu: HKCU
Targets
- Target: VIDEOS NENES HACIENDOSE PAJAS POR EL MOVIL Y POR EL PC.exe
- Size: 341KB
- MD5: 93dc22df138f86244d5759f875aef7f8
- SHA1: 06a0ce5cffd90c93c4b5f5c854c188052315b060
- SHA256: 596c19c883f0c21cdca7aedc028e863a4cb45f7532bc465fc09bcee99af19a0a
- SHA512: 13372c936ee17c5af02d6aa16bc2dc8c1f36204c1a98075f9e13c36af069cf6d53995df893ec82e4e6373d16816406fc3d352025586a3a8b000a2d639d2704a1
- SSDEEP: 6144:bBj1knWj5NxwazqWPLNsaMdZQP2kyVIstlBNP30FXhnTzhA6ZXJpP:B1kQLwazqWPLNsuPaI4lBNGTVZnpP

- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext