General
Target: 4c8290e55929dd8d276c67bbb64e1fa1_JaffaCakes118
Size: 514KB
Sample: 240716-ddc25avarf
MD5: 4c8290e55929dd8d276c67bbb64e1fa1
SHA1: bd5c114f4a1c725ad453913aab387cd2c75675f7
SHA256: ecbd086a87b0718777755d42e81f49bec8d002b0a7eea291592b9be591701c93
SHA512: 5d53c1dab8e6690e9934435b1f58e2cd56c2de8999d447b4959b6f6ca7b1ff0c5d16d75ff61c052c7bc59ca7eca8742097e0e8fdce8e16a2612267cf145743e0
SSDEEP: 12288:j4vpLPRpNJ5aWuRyetzvRBgnOYgq/xFTrFs8ZVDB5FViivP45AEoq2m9V1azSnQS:j+pVjW1zgvtf6EilaOQk
Static task: static1
Behavioral task: behavioral1
  Sample: 4c8290e55929dd8d276c67bbb64e1fa1_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 4c8290e55929dd8d276c67bbb64e1fa1_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
Malware Config
Extracted
cybergate
v1.23.0
tadeupratique
demolidor22.no-ip.org:7050
cacatata.no-ip.org:7055
demolidor22.no-ip.org:7060
demolidor22.no-ip.org:7065
84CX24F08W0E73
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: explorer.exe
install_dir: windows
install_file: msn.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Atualizar agora?
message_box_title: NOD32 4.2.71
password: zzpratique
Targets
Target: 4c8290e55929dd8d276c67bbb64e1fa1_JaffaCakes118
Size: 514KB
MD5: 4c8290e55929dd8d276c67bbb64e1fa1
SHA1: bd5c114f4a1c725ad453913aab387cd2c75675f7
SHA256: ecbd086a87b0718777755d42e81f49bec8d002b0a7eea291592b9be591701c93
SHA512: 5d53c1dab8e6690e9934435b1f58e2cd56c2de8999d447b4959b6f6ca7b1ff0c5d16d75ff61c052c7bc59ca7eca8742097e0e8fdce8e16a2612267cf145743e0
SSDEEP: 12288:j4vpLPRpNJ5aWuRyetzvRBgnOYgq/xFTrFs8ZVDB5FViivP45AEoq2m9V1azSnQS:j+pVjW1zgvtf6EilaOQk
Signatures
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext