General
- Target: 4221b347d19ec4ab0b166fb8dacb4712_JaffaCakes118
- Size: 465KB
- Sample: 240713-r6ecjsvenk
- MD5: 4221b347d19ec4ab0b166fb8dacb4712
- SHA1: 5b9980be0583523f917abc5962aa014a0a96640e
- SHA256: ced3bacdff548d799a2a903029ac767bb740c558efaa82fc963a00dffe156d04
- SHA512: 14b9a5ea7e820a089aa9a40f3e4ded283bc57aa9f213defb07e3b15ab7558552d0799cd98e1c0df8e1ea1569c9820f0c8599c6ddc85b82fa4b17b2e410766df9
- SSDEEP: 12288:W96m2QgxM2yB8Us+4+87JxfD/z25l+lB2U28:M69By2uvs+4Hfu5l6A8
Behavioral task
- Task: behavioral1
- Sample: 4221b347d19ec4ab0b166fb8dacb4712_JaffaCakes118.exe
- Resource: win7-20240705-en
Malware Config
Extracted
- Family: cybergate
- Version: 2.6
- Botnet: ÖÍíÉ
- C2: alimohor.zapto.org:81
- Mutex: ***MUTEX***
Attributes
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 5
- ftp_password: ª÷Öº+Þ
- ftp_port: 81
- ftp_server: ftp.server.com
- ftp_username: ftp_user
- injected_process: svchost.exe
- install_file: windows.exe
- install_flag: true
- keylogger_enable_ftp: true
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: 05987205111
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Targets
- Target: 4221b347d19ec4ab0b166fb8dacb4712_JaffaCakes118
Signatures
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory