General
Target: 23c03ef2a2f02f92516c866d8a0b9fda_JaffaCakes118
Size: 557KB
Sample: 240703-2w8hrascje
MD5: 23c03ef2a2f02f92516c866d8a0b9fda
SHA1: 40b835a1a02e5d1f4e3bf65ad321d27bb4144045
SHA256: 435c412dcbd20d50f323d2bf887f50a16955fe9aca49eeebad48079fa31cdb83
SHA512: 310e7ba647347a453c518099fe3fcb17db07353f70838845cdad6bc55978d7b0e6dabbce6fad46ea6a249adb21e0da794299675a4844d7b68bc5f13b864842ce
SSDEEP: 12288:Ax9SbihE3Ty3YJsvztcfCgbZR5IzcfIK4C:gAmlKftbZR5I2IKH
Behavioral task
behavioral1
Sample: 23c03ef2a2f02f92516c866d8a0b9fda_JaffaCakes118.exe
Resource: win7-20240611-en
Malware Config
Extracted
cybergate v1.07.5
remote:
- maom.no-ip.org:999
- maom.no-ip.org:1000
- 127.0.0.1:999
451NRW543O2802
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: aasdfews.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: cybergate
regkey_hkcu: HKCU=
regkey_hklm: HKLM=
Targets
Target: 23c03ef2a2f02f92516c866d8a0b9fda_JaffaCakes118
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext