General
Target: 4b7937a9e3d4f1e9aeab8c0ea8b3d515_JaffaCakes118
Size: 706KB
Sample: 240715-1adwkssemg
MD5: 4b7937a9e3d4f1e9aeab8c0ea8b3d515
SHA1: 6cca2ad8498a9393aa41ca3a2103aef318f2db72
SHA256: 9ae553bc8dc4074d36206b24d58020cce9f0a71f164874c2e01eea071298fb0e
SHA512: 245747967c54bd1baa6b6c7a0c813d86e355bd863869773abf576d8c15b89f7dfd7cc023ac12ef35c9aa79b47e545f91bf4730ce3fa882f7f16bd441597e954b
SSDEEP: 12288:faQw4/Wb55Ko8J+GxA7CxLnwNRm4XKgV6exhR795GDmpifcunQzzluMC:fPO+EGG78nwC4XKgV6uTpifcunQz6
Static task: static1
Behavioral task: behavioral1
Sample: 4b7937a9e3d4f1e9aeab8c0ea8b3d515_JaffaCakes118.exe
Resource: win7-20240708-en
Malware Config
Extracted: cybergate
v1.07.5
cyber
barthsss.no-ip.biz:5622
WSB167W58C4SND
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: SearchIndexer.exe
install_dir: System32
install_file: explorer.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: passworddecrypter.ocx & winrarpass.ocx are missing please reinstall aplication
message_box_title: OCX Files missing
password: 123456
Targets
Target: 4b7937a9e3d4f1e9aeab8c0ea8b3d515_JaffaCakes118
Checks computer location settings: looks up country code configured in the registry, likely geofence.
Drops startup file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Drops file in System32 directory
Suspicious use of SetThreadContext