General
Target: 496c9b00aab640806f7db7679015cb9f_JaffaCakes118
Size: 1.2MB
Sample: 240715-mpp1hascmj
MD5: 496c9b00aab640806f7db7679015cb9f
SHA1: 4499cadfe7f4a913c9abc88ac87c9d3b3ce7b6df
SHA256: 6d9182866ac228dbc06a605bc5d9949e7dff7d3b956d0bbf80ca92e894febbde
SHA512: 5ec6077d0991db35d9ead126e95ab3d9fd66c5fa290bf3159dbc12481561b5044d93608fd84f1908ded6e5b9646959da8606df03ad72f4a713c33afe68ea13d8
SSDEEP: 24576:uLScTgFJbRyQ4mzxpZguHuEMBVP7zbnDN717GzO3LhI:uL52lR+yxsiunzLDF8za1I
Static task: static1
Behavioral task: behavioral1
  Sample: 496c9b00aab640806f7db7679015cb9f_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 496c9b00aab640806f7db7679015cb9f_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
Malware Config
Extracted: cybergate
  v1.07.5
  îàîììì (this value appears mis-encoded in the report and is left as extracted)
  ddiimma.zapto.org:100
  nikname2011.zapto.org:100
  ddiimmaa.zapto.org:100
  WX8N451P1D52CN
  enable_keylogger: true
  enable_message_box: true
  ftp_directory: ./logs/
  ftp_interval: 30
  injected_process: explorer.exe
  install_dir: install
  install_file: avast.exe
  install_flag: true
  keylogger_enable_ftp: false
  password: 1234
  regkey_hkcu: HKCU
  regkey_hklm: HKLM
Extracted: latentbot
  nikname2011.zapto.org
Note: all three C2 entries point at zapto.org hostnames, a No-IP dynamic DNS domain, on port 100, so the resolved IP can change at any time and the hostnames are the stable indicator. The install_file name avast.exe is chosen to pass as the Avast antivirus binary; the keylogger is enabled but FTP exfiltration of its logs is off, so captured keystrokes would travel over the C2 channel rather than to the ftp_directory. The latentbot extractor fired on the same nikname2011.zapto.org host that appears in the CyberGate config.
Targets
Target: 496c9b00aab640806f7db7679015cb9f_JaffaCakes118
- Adds policy Run key to start application (the Policies\Explorer\Run autostart key under HKCU or HKLM, which is honoured like the ordinary Run key but is checked far less often by administrators)
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine (HKLM\Software\Microsoft\Active Setup\Installed Components, whose StubPath values run once per user at logon).
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application (the standard Software\Microsoft\Windows\CurrentVersion\Run key; the config's regkey_hkcu and regkey_hklm settings indicate both hives are used)
- Drops file in System32 directory
- Suspicious use of SetThreadContext (a common step in process hollowing and thread hijacking; consistent with the config's injected_process setting of explorer.exe)
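The following is an added hunting example written for this page; it is not part of the sandbox report and not CyberGate tooling. It takes the C2 entries, install file name and injected process from the extracted config above, maps the three autostart signatures to their standard registry locations (an assumption about what the sandbox signatures check), and runs those indicators over a handful of constructed log lines in a simple key=value format. The log lines, the client addresses and the Active Setup GUID in them are made up for the example.

```python
"""
Hunt for the persistence and C2 indicators reported for this CyberGate sample.

Added example, not the sandbox report's or CyberGate's code. The C2 hosts,
install file name and injected process are copied from the extracted config
on the page; the registry paths are the standard Windows autostart locations
assumed to be behind the "Run key", "policy Run key" and "Active Setup"
signatures. SAMPLE_LOG is constructed for the example, not real telemetry.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "kind line detail")

# Values taken from the extracted config above.
C2_ENTRIES = [
    "ddiimma.zapto.org:100",
    "nikname2011.zapto.org:100",
    "ddiimmaa.zapto.org:100",
]
INSTALL_FILE = "avast.exe"
INJECTED_PROCESS = "explorer.exe"

# Autostart keys matching the report's signatures (assumption: the signatures
# refer to these well-known locations). Matched case-insensitively anywhere
# in the key path, so both HKCU and HKLM variants are covered.
AUTOSTART_RE = re.compile(
    r"\\microsoft\\windows\\currentversion\\run\\"
    r"|\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\"
    r"|\\microsoft\\active setup\\installed components\\",
    re.IGNORECASE,
)

# Constructed log lines: "<kind> key=value key=value", values with spaces quoted.
SAMPLE_LOG = [
    r'dns host=ddiimma.zapto.org client=10.0.0.5',
    r'dns host=update.microsoft.com client=10.0.0.5',
    r'net dsthost=nikname2011.zapto.org dstport=100 client=10.0.0.5',
    r'net dsthost=example.org dstport=443 client=10.0.0.5',
    r'reg key="HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies" '
    r'data="C:\Windows\System32\install\avast.exe"',
    r'reg key="HKLM\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}\StubPath" '
    r'data="C:\Windows\System32\install\avast.exe"',
    r'reg key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" '
    r'data="C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
    r'api call=SetThreadContext target=explorer.exe source=avast.exe',
]


def parse_c2(entries):
    """Turn the extractor's host:port strings into {hostname: port}."""
    c2 = {}
    for entry in entries:
        host, _, port = entry.rpartition(":")
        c2[host.lower()] = int(port)
    return c2


def parse_line(line):
    """Split '<kind> k=v k="v with spaces"' into (kind, {k: v})."""
    kind, _, rest = line.partition(" ")
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', rest)
    return kind, {k: v.strip('"') for k, v in fields}


def scan(lines, c2_entries=C2_ENTRIES):
    """Return a Hit for every line matching a C2, autostart or injection indicator."""
    c2 = parse_c2(c2_entries)
    hits = []
    for line in lines:
        kind, f = parse_line(line)
        if kind == "dns" and f.get("host", "").lower() in c2:
            hits.append(Hit("c2_dns", line, f["host"]))
        elif kind == "net":
            host = f.get("dsthost", "").lower()
            if host in c2 and int(f.get("dstport", 0)) == c2[host]:
                hits.append(Hit("c2_connect", line, f"{host}:{c2[host]}"))
        elif kind == "reg":
            key, data = f.get("key", ""), f.get("data", "")
            # Flag an autostart write only when it points at the install file
            # name; a real hunt would also allow-list the vendor's install path.
            if AUTOSTART_RE.search(key) and data.rsplit("\\", 1)[-1].lower() == INSTALL_FILE:
                hits.append(Hit("autostart", line, key))
        elif kind == "api":
            if f.get("call") == "SetThreadContext" and f.get("target", "").lower() == INJECTED_PROCESS:
                hits.append(Hit("thread_context", line, f.get("source", "")))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.kind:15} {hit.detail}")
```

On the constructed input this flags the DNS lookup of one C2 host, the port-100 connection to another, the two autostart writes that point at avast.exe (policy Run key and Active Setup StubPath) and the SetThreadContext call against explorer.exe, while leaving the legitimate OneDrive Run entry alone. Swapping SAMPLE_LOG for parsed Sysmon or DNS telemetry is the only change needed to run it against real data.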