General
-
Target
1d05724031242b7f88dde883d5145419_JaffaCakes118
-
Size
456KB
-
Sample
240701-31616a1hkl
-
MD5
1d05724031242b7f88dde883d5145419
-
SHA1
39841dc42302ec53c2a99e560d80b489452cc943
-
SHA256
964269aa51c2077246979daf20fd9db4172b6e779d284cb6979fef7325cccebd
-
SHA512
f6e16b3475cadc89610260c81943ab3fc8d3e39bad1f71d2cb1849d69eb3036be4764c0c1f6cf605135b43afe14c487b06b0bdc54ed78df17d0dd50dec047cb2
-
SSDEEP
12288:R4oiGHu7rgBixEovMJCsrLesX7GEjz4qI2/BE8s:3iGHWcNovMJnrSSHz48pE8s
Static task
static1
Behavioral task
behavioral1
Sample
1d05724031242b7f88dde883d5145419_JaffaCakes118.exe
Resource
win7-20240508-en
Malware Config
Extracted
cybergate
v1.07.5
remote
service.slyip.net:1300
FI175106K5B748
-
enable_keylogger
false
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Update
-
install_file
msimn.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Die Datei ist beschÃĪdigt!
-
message_box_title
Error
-
password
hgfvkhyvk78768765876
-
regkey_hkcu
Sun Microsoft Inc.
Targets
-
-
Target
1d05724031242b7f88dde883d5145419_JaffaCakes118
-
Size
456KB
-
MD5
1d05724031242b7f88dde883d5145419
-
SHA1
39841dc42302ec53c2a99e560d80b489452cc943
-
SHA256
964269aa51c2077246979daf20fd9db4172b6e779d284cb6979fef7325cccebd
-
SHA512
f6e16b3475cadc89610260c81943ab3fc8d3e39bad1f71d2cb1849d69eb3036be4764c0c1f6cf605135b43afe14c487b06b0bdc54ed78df17d0dd50dec047cb2
-
SSDEEP
12288:R4oiGHu7rgBixEovMJCsrLesX7GEjz4qI2/BE8s:3iGHWcNovMJnrSSHz48pE8s
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-