General
Target: 23c87c3f999669a8e97602c1f1c2d351_JaffaCakes118
Size: 344KB
Sample: 240703-2477ys1brn
MD5: 23c87c3f999669a8e97602c1f1c2d351
SHA1: a69d2c6723e7963e2b0618a422b959d2da9ce2e3
SHA256: 8a9dfa4152b45ec5c13260effcc7dd02c7ef6944c3a03274ecd6d5b06cd3b804
SHA512: 95f59f3cecef9cc5a2db1f5f6b8d2b03f36ec06dd85c44002d42a916f9fcdb521b40da540d8a4dffdeb3274a36caa9518f53856c5ffa9191bb9d6e2c0767f4bc
SSDEEP: 6144:wUMHYgCeXsddE2ES4amKshL4HihLDpFrGiwSUn0aoNrDVSmMeiyG32uk:wUMHxX4bsam7LmUiiwdnmNnVMeiyohk
Static task: static1
Behavioral task: behavioral1
Sample: 23c87c3f999669a8e97602c1f1c2d351_JaffaCakes118.exe
Resource: win7-20231129-en
Malware Config
Extracted
cybergate
v1.07.5
remote
fenixmusic.no-ip.org:82
arcangel.no-ip.com:81
S58GP8Q2F15XLL
enable_keylogger: true
enable_message_box: false
ftp_directory: .//
ftp_interval: 30
ftp_password: pelonegro
ftp_port: 21
ftp_server: ftp://reyvinblack.re.funpic.org
ftp_username: reyvinblack
injected_process: explorer.exe
install_dir: install
install_file: bat.exe
install_flag: true
keylogger_enable_ftp: true
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: pelonegro
Targets
Target: 23c87c3f999669a8e97602c1f1c2d351_JaffaCakes118
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext