General
Target: 27b4f626b1d2688fb14ec3a761c11c40_JaffaCakes118
Size: 392KB
Sample: 240706-h6hkjasgqf
MD5: 27b4f626b1d2688fb14ec3a761c11c40
SHA1: 4fb853c4f1c797678369c00ab18a5b336353f958
SHA256: f5799398259156e4601b4ff275e823b6ecbbcc174a05d3020721c7e1141b058f
SHA512: 899ac316a4ab1cda647e73ff5260af63d9da82094f13e4866616369a3321883707707979b3100b211bdfcb4a2f283972e54aa103090775b94ae89e7cffaec620
SSDEEP: 6144:gbVbCLrnM3IUFKefqwk2WTpaSaCdsjzUTBNQg8oZYnofRYbWFfhXHRtJHb3:iVbHaef+2K2CdsjzW3bYoZ0WFpXHxHb3
Static task: static1
Behavioral task: behavioral1
Sample: 27b4f626b1d2688fb14ec3a761c11c40_JaffaCakes118.exe
Resource: win7-20240704-en
Malware Config
Extracted: cybergate
Version: v1.07.5
C2: googlechrome.zapto.org:1604
Other extracted values: samsungi, 277JLEVTL3EFTV
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: Searchindexar.exe
install_dir: System32
install_file: Searchindexar.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: dlma
regkey_hkcu: Searchindexar
regkey_hklm: Searchindexar
Extracted: latentbot (same C2 host as the CyberGate config)
googlechrome.zapto.org
Targets
Target: 27b4f626b1d2688fb14ec3a761c11c40_JaffaCakes118
Size: 392KB
MD5: 27b4f626b1d2688fb14ec3a761c11c40
SHA1: 4fb853c4f1c797678369c00ab18a5b336353f958
SHA256: f5799398259156e4601b4ff275e823b6ecbbcc174a05d3020721c7e1141b058f
SHA512: 899ac316a4ab1cda647e73ff5260af63d9da82094f13e4866616369a3321883707707979b3100b211bdfcb4a2f283972e54aa103090775b94ae89e7cffaec620
SSDEEP: 6144:gbVbCLrnM3IUFKefqwk2WTpaSaCdsjzUTBNQg8oZYnofRYbWFfhXHRtJHb3:iVbHaef+2K2CdsjzW3bYoZ0WFpXHxHb3
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
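The extracted config and the signature list above translate directly into host and network indicators: the Run and policy Run values named Searchindexar under HKCU and HKLM, an Active Setup stub pointing at the install file, the dropped Searchindexar.exe in System32 (one letter away from the legitimate Windows Search indexer SearchIndexer.exe), and the controller at googlechrome.zapto.org:1604. Since keylogger_enable_ftp is false, the ./logs/ FTP settings are inactive for this build and there is no FTP indicator to hunt. The script below is an added example, not tria.ge code: it expands the config values from this page into concrete indicators and matches them against Sysmon-style events (IDs 1, 3, 11, 13 with their standard field names). The events, the SID and the Active Setup GUID are constructed placeholders, and reading install_dir "System32" as %WINDIR%\System32 is an assumption.

```python
import re

# Values copied from the CyberGate config extracted above.
CONFIG = {
    "c2": "googlechrome.zapto.org:1604",
    "install_dir": "System32",
    "install_file": "Searchindexar.exe",
    "regkey_hkcu": "Searchindexar",
    "regkey_hklm": "Searchindexar",
}
SAMPLE_SHA256 = "f5799398259156e4601b4ff275e823b6ecbbcc174a05d3020721c7e1141b058f"

# Standard autostart locations behind the "Adds Run key", "Adds policy Run key"
# and "Active Setup" signatures (lower-cased; matching is case-insensitive).
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)
ACTIVE_SETUP = r"hklm\software\microsoft\active setup\installed components"
_HKU_SID = re.compile(r"^hku\\s-1-5-[0-9-]+\\")


def normalize_reg(path):
    """Lower-case, fold Sysmon's HKU\\<SID>\\ prefix into HKCU\\ and drop
    Wow6432Node so a 32-bit writer lands on the same indicator string."""
    p = _HKU_SID.sub(lambda _: "hkcu\\", path.lower())
    return p.replace("\\wow6432node", "")


def derive_iocs(cfg=CONFIG):
    """Expand the config into concrete registry values, file path and C2 tuple."""
    host, port = cfg["c2"].rsplit(":", 1)
    reg_values = {
        f"{hive}\\{base}\\{name}".lower()
        for hive, name in (("hkcu", cfg["regkey_hkcu"]), ("hklm", cfg["regkey_hklm"]))
        for base in RUN_KEYS
    }
    # install_dir "System32" is read as %WINDIR%\System32 (assumption).
    dropped = f"\\windows\\{cfg['install_dir']}\\{cfg['install_file']}".lower()
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "registry_values": reg_values,
        "dropped_file_suffix": dropped,
        "install_file": cfg["install_file"].lower(),
    }


def match_event(ev, iocs):
    """Return the indicator tags one Sysmon-style event hits (empty if none)."""
    tags = []
    eid = ev.get("EventID")
    if eid == 1:  # ProcessCreate: Hashes field is "MD5=..,SHA256=..,..."
        hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
        if hashes.get("SHA256", "").lower() == SAMPLE_SHA256:
            tags.append("known_sample_hash")
        if ev.get("Image", "").lower().endswith(iocs["dropped_file_suffix"]):
            tags.append("dropped_exe_executed")
    elif eid == 11:  # FileCreate
        if ev.get("TargetFilename", "").lower().endswith(iocs["dropped_file_suffix"]):
            tags.append("file_dropped_in_system32")
    elif eid == 13:  # RegistryValueSet
        target = normalize_reg(ev.get("TargetObject", ""))
        if target in iocs["registry_values"]:
            tags.append("run_key_persistence")
        elif target.startswith(ACTIVE_SETUP) and iocs["install_file"] in ev.get("Details", "").lower():
            tags.append("active_setup_persistence")
    elif eid == 3:  # NetworkConnect
        if (ev.get("DestinationHostname", "").lower() == iocs["c2_host"]
                and ev.get("DestinationPort") == iocs["c2_port"]):
            tags.append("c2_connection")
    return tags


def scan(events, iocs=None):
    """Map event index -> tags for every event that matches at least one IOC."""
    iocs = derive_iocs() if iocs is None else iocs
    hits = {}
    for i, ev in enumerate(events):
        tags = match_event(ev, iocs)
        if tags:
            hits[i] = tags
    return hits


# Constructed Sysmon-style events, not from the sandbox run; the SID and the
# Active Setup GUID are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\lab\Desktop\27b4f626b1d2688fb14ec3a761c11c40_JaffaCakes118.exe",
     "Hashes": "MD5=27B4F626B1D2688FB14EC3A761C11C40,SHA256=" + SAMPLE_SHA256.upper()},
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\Searchindexar.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Searchindexar",
     "Details": r"C:\Windows\System32\Searchindexar.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Searchindexar",
     "Details": r"C:\Windows\System32\Searchindexar.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EXAMPLE-GUID}\StubPath",
     "Details": r"C:\Windows\System32\Searchindexar.exe"},
    {"EventID": 3, "DestinationHostname": "googlechrome.zapto.org", "DestinationPort": 1604},
    # Benign noise that must not match.
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 3, "DestinationHostname": "www.microsoft.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].get("EventID"), tags)
```

Two details matter when running this against real telemetry: Sysmon logs HKCU writes under HKU\<SID>\, so the indicator must be folded back to HKCU before comparing, and a 32-bit process on 64-bit Windows writes HKLM\Software\Wow6432Node\..., which normalize_reg strips so that one indicator string covers both cases. SetThreadContext (the injection signature) has no Sysmon event and is only visible to an EDR or the sandbox, so it is deliberately left out.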