General
-
Target
5648a22781687dd8db36ac965065f129_JaffaCakes118
-
Size
778KB
-
Sample
240718-f177wszeld
-
MD5
5648a22781687dd8db36ac965065f129
-
SHA1
638b97d404e78335ceb751d9d5165162170ec24c
-
SHA256
d54d88bc9bc1b5413b728eb7835c938c70b1aafaaecb81e0f7930c653e4af7ee
-
SHA512
9c50bedb517d38ec7c23e91b8aecc5b7071e572f3fce7e92bc487d075f8d9a641055833a256827db4b75cd547bb2735745854dccd0bbca6efaf3ee14a9c66e1c
-
SSDEEP
12288:peuu74LAuXp6lq5LdlswLOD7xmmXudnoLyKWxa0DA0mLMMDtE3:4Z4LgSBl/O3x7XKoL16KTxE3
Static task
static1
Behavioral task
behavioral1
Sample
5648a22781687dd8db36ac965065f129_JaffaCakes118.exe
Resource
win7-20240708-en
Malware Config
Extracted
cybergate
2.6
ÖÍíÉ
nba2000.no-ip.biz:82
nba2000..tzo.net:82
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
svchost.exe
-
install_file
windows.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
título da mensagem
-
password
abcd1234
Targets
-
-
Target
5648a22781687dd8db36ac965065f129_JaffaCakes118
-
Size
778KB
-
MD5
5648a22781687dd8db36ac965065f129
-
SHA1
638b97d404e78335ceb751d9d5165162170ec24c
-
SHA256
d54d88bc9bc1b5413b728eb7835c938c70b1aafaaecb81e0f7930c653e4af7ee
-
SHA512
9c50bedb517d38ec7c23e91b8aecc5b7071e572f3fce7e92bc487d075f8d9a641055833a256827db4b75cd547bb2735745854dccd0bbca6efaf3ee14a9c66e1c
-
SSDEEP
12288:peuu74LAuXp6lq5LdlswLOD7xmmXudnoLyKWxa0DA0mLMMDtE3:4Z4LgSBl/O3x7XKoL16KTxE3
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-