General
-
Target
0f38854f5a13c8afeef6fda05d897e43_JaffaCakes118
-
Size
289KB
-
Sample
240625-xzqpwszgml
-
MD5
0f38854f5a13c8afeef6fda05d897e43
-
SHA1
375137768ddfc8d83b4289803e4ec5914616e1be
-
SHA256
71b73e0f7b9c80977a9409806e3b2f29120d898ced3f3391c24aba5185be773b
-
SHA512
3133377e9f4f75db7a41c55d868e3bc02199e5a329183335adbfc7f18ffc28a6a19a699baa47a272265fb90856dcac8a89428dc3b8425dfe7c40c86053dfac0c
-
SSDEEP
6144:2OpslFlqIhdBCkWYxuukP1pjSKSNVkq/MVJb6:2wslLTBd47GLRMTb6
Behavioral task
behavioral1
Sample
0f38854f5a13c8afeef6fda05d897e43_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
0f38854f5a13c8afeef6fda05d897e43_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
cybergate
v1.07.5
remote
drekken.serveftp.com:100
E3B61555NWKCAA
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
cybergate
Targets
-
-
Target
0f38854f5a13c8afeef6fda05d897e43_JaffaCakes118
-
Size
289KB
-
MD5
0f38854f5a13c8afeef6fda05d897e43
-
SHA1
375137768ddfc8d83b4289803e4ec5914616e1be
-
SHA256
71b73e0f7b9c80977a9409806e3b2f29120d898ced3f3391c24aba5185be773b
-
SHA512
3133377e9f4f75db7a41c55d868e3bc02199e5a329183335adbfc7f18ffc28a6a19a699baa47a272265fb90856dcac8a89428dc3b8425dfe7c40c86053dfac0c
-
SSDEEP
6144:2OpslFlqIhdBCkWYxuukP1pjSKSNVkq/MVJb6:2wslLTBd47GLRMTb6
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-