General
Target: 20d7a449efc7877aee5f5371a8051127_JaffaCakes118
Size: 533KB
Sample: 240703-dd3b1syann
MD5: 20d7a449efc7877aee5f5371a8051127
SHA1: f81777b16bb31760a5d97c7c08945c2e41dd8826
SHA256: 6043a2381413500aafed0f9e0f6439a1f76410d1bf09e6085ef2a632107ca129
SHA512: 9005312098943dfc2a0f956c9c6bd95fd739bb0fca7874d1d30c3d9aff1b2a8869e7090a04e193f80e8a60e2709b43c76abef84a5a78599cde61da72608cd37f
SSDEEP: 6144:xt7+enAqZ6L81rgHCUazFdP/boHbtFPYjQtF8jHpo9fzi7MZga1I5+wig8nAE:xQW5ZS812CT/0H/Q0gHpKfbZw5HiqE
Static task: static1
Behavioral task: behavioral1
  Sample: 20d7a449efc7877aee5f5371a8051127_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 20d7a449efc7877aee5f5371a8051127_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
Malware Config
Extracted
Family: cybergate
Version: 2.6
Botnet: RUNESCAPE1
C2: 127.0.0.1:82, 8s4.no-ip.info:82
Mutex: ***MUTEX***
Attributes:
  enable_keylogger: true
  enable_message_box: false
  ftp_directory: ./logs/
  ftp_interval: 30
  injected_process: explorer.exe
  install_dir: microsftt
  install_file: windows.exe
  install_flag: true
  keylogger_enable_ftp: false
  message_box_caption: texto da mensagem
  message_box_title: título da mensagem
  password: abcd1234
  regkey_hkcu: HKCU
  regkey_hklm: HKLM
Targets
Target: 20d7a449efc7877aee5f5371a8051127_JaffaCakes118
Score: 10/10
Signatures:
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application