General

Target: 028e1ae680f08f9dcb668f8f3170c232_JaffaCakes118
Size: 780KB
Sample: 240622-rhwxpavgjp
MD5: 028e1ae680f08f9dcb668f8f3170c232
SHA1: 91969a1b38517afc8a892a459b394aabf46f4475
SHA256: 3e63424c1a99b5226eb245fa04dcd8952e73e28b7b0d401b1ccc0710df14c290
SHA512: c15ab214946903647ac6b98d27a93088a35f07adb7e72cb3582980a6e399e14a39bc715c80c084804d22d326ed5f2f0628820079bb282b0b20126cb3fc9827d0
SSDEEP: 12288:ewXZ6sAZLwGoLQQDRfqZ3avWT8v7g8n3I7pZKtz+r4UTZBfg0fGHq4Sav:T6sAZLw9vxE9T8vb+pX4aBo0Mv

Static task: static1
Behavioral task: behavioral1
Sample: 028e1ae680f08f9dcb668f8f3170c232_JaffaCakes118.exe
Resource: win7-20240508-en

Malware Config

Extracted: cybergate
v1.07.5
FUD4LIFE
QI2854Q653B3T3

enable_keylogger: true
enable_message_box: true
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: windows update
install_file: winupdate.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Activate now?
message_box_title: ....::::....::::....::::....::::....::::....::::....::::....::::....::::....::::....
password: lmaa
regkey_hkcu: Windows Update
regkey_hklm: Windows Update

Targets

Target: 028e1ae680f08f9dcb668f8f3170c232_JaffaCakes118
Size: 780KB
MD5: 028e1ae680f08f9dcb668f8f3170c232
SHA1: 91969a1b38517afc8a892a459b394aabf46f4475
SHA256: 3e63424c1a99b5226eb245fa04dcd8952e73e28b7b0d401b1ccc0710df14c290
SHA512: c15ab214946903647ac6b98d27a93088a35f07adb7e72cb3582980a6e399e14a39bc715c80c084804d22d326ed5f2f0628820079bb282b0b20126cb3fc9827d0
SSDEEP: 12288:ewXZ6sAZLwGoLQQDRfqZ3avWT8v7g8n3I7pZKtz+r4UTZBfg0fGHq4Sav:T6sAZLw9vxE9T8vb+pX4aBo0Mv

Behaviors observed:

- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext