General
-
Target
1f9c7d49bc6be1ff45192a464bf0dbee_JaffaCakes118
-
Size
312KB
-
Sample
240702-rm7jzszhmj
-
MD5
1f9c7d49bc6be1ff45192a464bf0dbee
-
SHA1
28bb86b9f1c22286881b1375400c432646419595
-
SHA256
0bbc180bc43836a69b9315f8e662e80cd265c4c827d82df5b4467385d70317b6
-
SHA512
501d779f445d8252f756a01076b289be3295b3decabd83f1165ab64801c3ba7ba705eedae1bd5c00c361e3bb86115d903c8070a3e926453b67fa70f8bd66942a
-
SSDEEP
6144:UXBg4CrrfyE8Qt9JNGxb29yUvme/JfALnpadj+SQgV47oyA9:UX2yVQtpGB29ySV/JspadjZHV/79
Static task
static1
Behavioral task
behavioral1
Sample
1f9c7d49bc6be1ff45192a464bf0dbee_JaffaCakes118.exe
Resource
win7-20240611-en
Malware Config
Extracted
-
Family
cybergate
-
Version
2.6
-
Campaign ID (botnet name)
ضحية (shown on the original page as "ÖÍíÉ": the builder's Windows-1256 Arabic bytes decoded as Windows-1252; the word means "victim")
-
C2
mecall.dyndns-server.com:818
127.0.0.1:81
-
Mutex
***sysbom***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
svchost.exe
-
install_dir
sysbom
-
install_file
sysbom.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem (Portuguese: "message text"; builder default)
-
message_box_title
título da mensagem (Portuguese: "message title"; builder default)
-
password
ahmed2010
-
regkey_hkcu
sysbom
-
regkey_hklm
sysbom
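The extracted configuration above is only useful once it is turned into things a responder can search for. The script below is an added example, not code from the sandbox or from the CyberGate authors: it parses the report's key/value lines, repairs the campaign ID that was decoded with the wrong code page, and derives host and network indicators from the install, registry, mutex and C2 fields. The field names `family`, `version`, `botnet`, `c2` and `mutex` for the first five values, the Windows-1256 code page used for the repair, the registry key paths, and the treatment of the loopback C2 entry as a builder leftover are assumptions made here; all values are the ones listed on this page.

```python
"""Turn an extracted CyberGate config into hunting indicators.

Added example; field names for the first five values, the cp1256 repair and
the registry key paths are assumptions, the values come from the report.
"""
import ipaddress

# Constructed sample: the extracted values from the report as key/value lines.
# The first five key names (family, version, botnet, c2, mutex) are assumed.
EXTRACTED_CONFIG = """\
family
cybergate
version
2.6
botnet
ÖÍíÉ
c2
mecall.dyndns-server.com:818
c2
127.0.0.1:81
mutex
***sysbom***
enable_keylogger
true
injected_process
svchost.exe
install_dir
sysbom
install_file
sysbom.exe
install_flag
true
regkey_hkcu
sysbom
regkey_hklm
sysbom
"""

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
ACTIVE_SETUP_KEY = r"SOFTWARE\Microsoft\Active Setup\Installed Components"


def parse_config(text: str) -> dict:
    """Pair up alternating key/value lines; repeated keys (c2) become lists."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "-"]
    if len(lines) % 2:
        raise ValueError("dangling key without a value")
    cfg: dict = {}
    for key, value in zip(lines[0::2], lines[1::2]):
        cfg.setdefault(key, []).append(value)
    return cfg


def repair_mojibake(text: str, builder_codepage: str = "cp1256") -> str:
    """Builder strings are stored in the operator's ANSI code page and were
    decoded as Windows-1252 by the sandbox. Re-encode as cp1252 and decode with
    the assumed builder code page (cp1256, Arabic, fits the campaign ID here).
    Strings that do not survive the round trip are returned unchanged."""
    try:
        return text.encode("cp1252").decode(builder_codepage)
    except UnicodeError:
        return text


def host_indicators(cfg: dict) -> dict:
    """File, mutex and registry artefacts implied by the config and by the
    persistence signatures (Run key, policy Run key, Active Setup)."""
    install_dir, install_file = cfg["install_dir"][0], cfg["install_file"][0]
    return {
        "mutex": cfg["mutex"][0],
        "dropped_file": f"{install_dir}\\{install_file}",  # relative to the builder's install root
        "injection_target": cfg["injected_process"][0],   # process hit by SetThreadContext
        "run_values": [
            rf"HKCU\{RUN_KEY}\{cfg['regkey_hkcu'][0]}",
            rf"HKLM\{RUN_KEY}\{cfg['regkey_hklm'][0]}",
        ],
        # Value names under these keys are not in the report: inspect every
        # entry whose data references the dropped file.
        "keys_to_inspect": [
            rf"HKCU\{POLICY_RUN_KEY}",
            rf"HKLM\{POLICY_RUN_KEY}",
            rf"HKLM\{ACTIVE_SETUP_KEY}\*\StubPath",
        ],
        "keylogger": cfg.get("enable_keylogger", ["false"])[0] == "true",
    }


def network_indicators(cfg: dict) -> list:
    """C2 endpoints to block or hunt for. Loopback entries are treated as
    builder leftovers (assumption), not as infrastructure."""
    out = []
    for entry in cfg.get("c2", []):
        host, _, port = entry.rpartition(":")
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:
            pass  # a hostname rather than an IP literal
        out.append(f"{host}:{port}")
    return out


if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    print("campaign id:", repair_mojibake(cfg["botnet"][0]))
    print("network:", network_indicators(cfg))
    for name, value in host_indicators(cfg).items():
        print(f"{name}: {value}")
```

The dropped file path is deliberately left relative: CyberGate's builder picks the install root (system or user profile directory) separately, and the report does not state which one this sample used, so match on the `sysbom\sysbom.exe` suffix rather than a full path.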
Targets
-
-
Target
1f9c7d49bc6be1ff45192a464bf0dbee_JaffaCakes118
-
Size
312KB
-
MD5
1f9c7d49bc6be1ff45192a464bf0dbee
-
SHA1
28bb86b9f1c22286881b1375400c432646419595
-
SHA256
0bbc180bc43836a69b9315f8e662e80cd265c4c827d82df5b4467385d70317b6
-
SHA512
501d779f445d8252f756a01076b289be3295b3decabd83f1165ab64801c3ba7ba705eedae1bd5c00c361e3bb86115d903c8070a3e926453b67fa70f8bd66942a
-
SSDEEP
6144:UXBg4CrrfyE8Qt9JNGxb29yUvme/JfALnpadj+SQgV47oyA9:UX2yVQtpGB29ySV/JspadjZHV/79
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
Consistent with the injected_process setting above: the payload is run inside a svchost.exe process whose thread context is rewritten (process hollowing), so the C2 traffic appears to originate from svchost.exe.
-