General

Target: 23df3c3bf976124f1eba879c89512175_JaffaCakes118
Size: 928KB
Sample: 240703-3mpvqasckq
MD5: 23df3c3bf976124f1eba879c89512175
SHA1: 1b41631365b9893dac0f1c3e2420d73ee3e43fc1
SHA256: d7c55a39964451b45cd7cb99d58fbbd4dd9a40d0e879b0a70f4786d2727d35d2
SHA512: 70d8add1997028fe8fb0d81a7e5d18670376a8b77f074a9d699db0d6e1f64e3f8820c4133ed01065b1c9d817251e8d85d47ea9b68fcfaa99ddd109a208839085
SSDEEP: 12288:7v/RiFmEbZEq2V8pBNSo6XJAMxXt7CLfBUypzfv:7nRiFbZKV81QV5RCLfBBpTv
Behavioral task: behavioral1
Sample: 23df3c3bf976124f1eba879c89512175_JaffaCakes118.exe
Resource: win7-20240611-en
Malware Config

Extracted family: cybergate
The first five fields below are unlabeled in the extraction; the labels follow CyberGate's builder fields.
version: v1.15.4
botnet / campaign ID: May27
c2: microsoft11a.serveftp.com:20161
c2: microsoft11a.dyndns.org:20161
mutex: 7248U23PI048D2
enable_keylogger: false
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: lsass.exe
install_dir: lsass
install_file: lsass.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: matt422s
regkey_hkcu: lsass.exe
regkey_hklm: lsass.exe
Targets

Target: 23df3c3bf976124f1eba879c89512175_JaffaCakes118 (928KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Signatures:
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup (adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine)
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
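The extracted config and the signatures together describe one pattern: the RAT installs itself as a copy named lsass.exe in a directory called lsass, registers that name under HKCU and HKLM Run keys (plus a policy Run key and an Active Setup component per the signatures), injects into the real lsass.exe, and beacons to two dynamic-DNS hostnames on port 20161. The following PowerShell hunt is an added example written for this page; it is not part of the sandbox report or of any CyberGate tooling. The file name, hostnames and port come from the extracted config above; the registry locations, file-search roots and the wininit.exe parent check are my assumptions about standard Windows layout and are not stated in the report.

```powershell
# Host hunt for the persistence/masquerading pattern in this CyberGate config.
# Added example, not part of the sandbox report. Assumptions: run from an
# elevated PowerShell 5.1+ session on the host being checked; the registry
# paths, search roots and parent-process rule are standard Windows layout
# (my assumptions), the names, hostnames and port are from the extracted config.

$Indicators = @{
    InstallFile = 'lsass.exe'                                   # install_file / regkey_hkcu / regkey_hklm
    C2Hosts     = @('microsoft11a.serveftp.com', 'microsoft11a.dyndns.org')
    C2Port      = 20161
}
$legitLsass = Join-Path $env:SystemRoot 'System32\lsass.exe'   # the only lsass.exe that should exist or run
$findings   = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Where, $What) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; What = $What })
}

# 1. Autostart locations named by the report's signatures: Run keys, policy Run keys, Active Setup.
#    Run keys store commands as values; Active Setup stores one subkey per component with a StubPath.
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Active Setup\Installed Components',
    'HKLM:\Software\Wow6432Node\Microsoft\Active Setup\Installed Components',
    'HKCU:\Software\Microsoft\Active Setup\Installed Components'
)
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $nodes = @(Get-Item $key) + @(Get-ChildItem $key -ErrorAction SilentlyContinue)
    foreach ($node in $nodes) {
        foreach ($name in $node.GetValueNames()) {
            $data = [string]$node.GetValue($name)
            # Flag any autostart command that names lsass.exe but is not the System32 binary
            if ($data -match [regex]::Escape($Indicators.InstallFile) -and
                $data -notmatch [regex]::Escape($legitLsass)) {
                Add-Finding 'Autostart' "$($node.Name)\$name" $data
            }
        }
    }
}

# 2. On-disk copies of lsass.exe outside System32 (install_dir "lsass", install_file "lsass.exe").
#    WinSxS is skipped on purpose: it legitimately holds component copies of lsass.exe.
$roots = @($env:SystemRoot, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP) | Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter $Indicators.InstallFile -Recurse -Depth 2 -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ine $legitLsass -and $_.FullName -notmatch '\\WinSxS\\' } |
        ForEach-Object { Add-Finding 'File' $_.FullName ("{0} bytes, written {1}" -f $_.Length, $_.LastWriteTime) }
}

# 3. Processes named lsass.exe: the real one runs from System32 and is started by wininit.exe.
#    A second lsass.exe, or one with another path or parent, is the installed RAT copy.
$procs = @(Get-CimInstance Win32_Process -Filter "Name='lsass.exe'")
foreach ($p in $procs) {
    $parent    = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    $badPath   = $p.ExecutablePath -and ($p.ExecutablePath -ine $legitLsass)
    $badParent = (-not $parent) -or ($parent.Name -ine 'wininit.exe')
    if ($badPath -or $badParent -or $procs.Count -gt 1) {
        Add-Finding 'Process' "PID $($p.ProcessId) (parent: $($parent.Name))" $p.ExecutablePath
    }
}

# 4. Network: the configured C2 port and any cached resolution of the C2 hostnames.
#    This also covers the case where the RAT has injected into the real lsass.exe
#    (injected_process), which the process check above would not distinguish.
Get-NetTCPConnection -RemotePort $Indicators.C2Port -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Network' "PID $($_.OwningProcess) $($_.State)" "$($_.RemoteAddress):$($_.RemotePort)" }
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $Indicators.C2Hosts -contains $_.Entry } |
    ForEach-Object { Add-Finding 'DNS' $_.Entry $_.Data }

if ($findings.Count -eq 0) { 'No CyberGate indicators found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Two caveats when reading the output. First, the config sets injected_process to lsass.exe and the sandbox flagged SetThreadContext, so after injection the only lsass.exe on the box may be the legitimate one hosting foreign code; checks 1, 2 and 4 are the ones that still fire in that state, and the DNS-cache check only works while the entry has not expired. Second, both C2 hosts are dynamic-DNS names, so block or alert on the hostnames rather than on whatever IP they resolve to at the time of the hunt.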