General

  • Target

    5a4625af958d02587297e2e8e5a7ed34_JaffaCakes118

  • Size

    345KB

  • MD5

    5a4625af958d02587297e2e8e5a7ed34

  • SHA1

    39d23160d98cacb255ba2864e57ef4bbe65d4c8a

  • SHA256

    fb58b93b4deccd3d19c32f4928d00a8a96d9272e48cd2b1cd5637c84ce6538db

  • SHA512

    e2598b172a174051ca0f17c28cec12e2a5a09111ea9195750414e5af92f4f2f20dc472f894b034fb07adcbd9fb49604a315e2c708976b24024e48bb843d75c2d

  • SSDEEP

    6144:qmcD66R65JGmrpQsK3RD2u270jupCJsCxCXI6cRRiSl9:fcD66hZ2zkPaCxGcT

Malware Config

Extracted

Family

cybergate

Version

2.6

C2

127.0.0.1:81

joseph-rocks.no-ip.org:5150

zack.no-ip.org:5150

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Your 500K Zp will arrive to any all of the accounts on this computer, But only if you press OK. If you press Cancel, that will cancel the transaction of zp to your accounts. Have Fun :)

  • message_box_title

    Crossfire ZP Hack !

  • password

    No-ip187

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • Cybergate family
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unsigned PE 1 IoCs

    Checks for missing Authenticode signature.

Files

  • 5a4625af958d02587297e2e8e5a7ed34_JaffaCakes118
    .exe windows:4 windows x86 arch:x86
