General

Target: 1d6c2b514cf9e89bbc982d340ed7bea3_JaffaCakes118
Size: 409KB
Sample: 240702-zs33ratbkl
MD5: 1d6c2b514cf9e89bbc982d340ed7bea3
SHA1: 272ae456d65a7f4b6a2fba06e322f54193050baf
SHA256: e2d50d1b2260c23589013ade8798bb9591f6c1e6052323c5108323ff1a651161
SHA512: 204d3761d5bad6c18a4299ce8d8c5176ae15e5845bf59e6d2d45a185d56d1943f8bb291ddf1a54447b2b7051d319ef8138b7186f995f31d11319d2273d0ab3b5
SSDEEP: 12288:242GWso0C1emuFksw4Co6TR0Xl5dhKG7DPM/J2:cL0CHIzZ6TR0zzNH0/8
Static task: static1
Behavioral task: behavioral1
  Sample: 1d6c2b514cf9e89bbc982d340ed7bea3_JaffaCakes118.exe
  Resource: win7-20240220-en
Malware Config

Extracted
Family: cybergate
Version: v1.07.5
Botnet: BOTK
C2: mrdemonlord.no-ip.biz:81
Mutex: C8GL4T8T62132W

enable_keylogger: true
enable_message_box: false
ftp_directory: ./www/logz/
ftp_interval: 30
injected_process: explorer.exe
install_dir: DriverCmd
install_file: DriverCmd.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: mrdemonlord
regkey_hkcu: HKCU
regkey_hklm: HKLM
Targets

Target: 1d6c2b514cf9e89bbc982d340ed7bea3_JaffaCakes118 (409KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext (consistent with the configured injected_process, explorer.exe)
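A hunting pass over host telemetry for the indicators this report exposes (the reported hashes, the extracted C2, install path and injection target, and the Run key, policy Run key and Active Setup persistence signatures), written as an added example in Python. It is not code from the sandbox or from the CyberGate project. The event records and their field names are constructed to look like Sysmon-style logs; the AppData install location, the Active Setup GUID and the benign noise events are made up; the registry locations for Run, Policies\Explorer\Run and Active Setup are the standard Windows paths, not values taken from the sample.

```python
"""Hunt for the CyberGate indicators in this report.

Added example, not part of the sandbox report or of CyberGate itself. The
event records below are constructed to look like Sysmon-style telemetry
(field names are assumptions); the indicators come from the report's hash,
config and signature fields. Registry paths for Run, Policies\\Explorer\\Run
and Active Setup are the well-known Windows locations, not values taken from
the sample.
"""
import hashlib
import re

# Hashes of the sample as reported.
SAMPLE_MD5 = "1d6c2b514cf9e89bbc982d340ed7bea3"
SAMPLE_SHA256 = "e2d50d1b2260c23589013ade8798bb9591f6c1e6052323c5108323ff1a651161"

# Extracted config: C2 "host:port", install_dir\install_file, injected_process.
C2_HOST, C2_PORT = "mrdemonlord.no-ip.biz", 81
INSTALL_PATH = re.compile(r"\\DriverCmd\\DriverCmd\.exe$", re.IGNORECASE)
INJECT_TARGET = "explorer.exe"

# Persistence locations behind the "Adds Run key", "Adds policy Run key" and
# "Active Setup" signatures (standard Windows paths, assumed normalised to
# HKCU/HKLM; real Sysmon logs spell the user hive as HKU\<SID>).
RUN_KEY = re.compile(
    r"^(HKCU|HKLM)\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Policies\\Explorer\\)?Run\\", re.IGNORECASE)
ACTIVE_SETUP = re.compile(
    r"^HKLM\\Software\\Microsoft\\Active Setup\\Installed Components\\",
    re.IGNORECASE)


def file_matches_sample(data: bytes) -> bool:
    """True only if both the MD5 and the SHA256 match the reported sample."""
    return (hashlib.md5(data).hexdigest() == SAMPLE_MD5
            and hashlib.sha256(data).hexdigest() == SAMPLE_SHA256)


def scan(events):
    """Return (event_index, finding) pairs for events matching the indicators."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        image = ev.get("image", "").lower()
        if kind == "registry_set":
            key, value = ev.get("key", ""), ev.get("value", "")
            # Require the install path in the value so ordinary Run/Active Setup
            # writes by legitimate installers are not flagged.
            if RUN_KEY.match(key) and INSTALL_PATH.search(value):
                findings.append((i, "run_key_persistence"))
            elif ACTIVE_SETUP.match(key) and INSTALL_PATH.search(value):
                findings.append((i, "active_setup_persistence"))
        elif kind == "process_create" and INSTALL_PATH.search(image):
            findings.append((i, "dropped_exe_executed"))
        elif kind == "dns_query" and ev.get("query", "").lower() == C2_HOST:
            # no-ip is dynamic DNS: hunt on the name, not on a resolved IP.
            findings.append((i, "c2_dns_lookup"))
        elif kind == "network_connect":
            if (ev.get("dest_host", "").lower() == C2_HOST
                    and ev.get("dest_port") == C2_PORT):
                tag = "c2_connect"
                if image.endswith("\\" + INJECT_TARGET):
                    tag += "_from_explorer"  # matches injected_process
                findings.append((i, tag))
    return findings


# Constructed telemetry (not from the sandbox run). The AppData location and
# the GUID are made up; the Run value name "HKCU" mirrors regkey_hkcu.
APPDATA = r"C:\Users\victim\AppData\Roaming"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": APPDATA + r"\DriverCmd\DriverCmd.exe",
     "parent": r"C:\Users\victim\Downloads\1d6c2b514cf9e89bbc982d340ed7bea3_JaffaCakes118.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKCU",
     "value": APPDATA + r"\DriverCmd\DriverCmd.exe"},
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath",
     "value": APPDATA + r"\DriverCmd\DriverCmd.exe"},
    {"type": "dns_query", "image": r"C:\Windows\explorer.exe", "query": "mrdemonlord.no-ip.biz"},
    {"type": "network_connect", "image": r"C:\Windows\explorer.exe",
     "dest_host": "mrdemonlord.no-ip.biz", "dest_port": 81},
    # Benign noise that must not be flagged.
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\OneDrive\OneDrive.exe"},
    {"type": "dns_query", "image": r"C:\Windows\System32\svchost.exe", "query": "time.windows.com"},
]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

Two caveats worth keeping in mind when adapting this to real logs: the C2 is a no-ip dynamic DNS name, so any IP you see it resolve to in one run is not a durable indicator, and the Run/Active Setup matches deliberately require the DriverCmd\DriverCmd.exe path in the written value, because legitimate installers write to both of those locations all the time.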