General
-
Target
8c7cfd184c8d7147c516232f7998394e_JaffaCakes118
-
Size
488KB
-
Sample
240811-3wwpmazcjd
-
MD5
8c7cfd184c8d7147c516232f7998394e
-
SHA1
c5d13f7083616c3bea41eca901e35804346b463a
-
SHA256
72b25697ec1ead4e2e4fca0cc122a5f44537b21d674716baa55f3d8dd5171234
-
SHA512
3bfbbd2d20c5d3ce65b68f0cf86ff76455c0c749aa1368f3f77609d8f9b5a43ab81f98f471aeb0488a3c3ec45aa02918970f9d68d2c5387d0b367bd94415190c
-
SSDEEP
6144:aWlOqDywv80rLP3d3WwWpcVUPYeKO4Ol/3+myqq1d+bbCDkxuhk3JdTF:a1a5v//dWwWbP0bH1dWbCDAsWJdTF
Static task
static1
Behavioral task
behavioral1
Sample
8c7cfd184c8d7147c516232f7998394e_JaffaCakes118.exe
Resource
win7-20240708-en
Malware Config
Extracted
cybergate
2.6
vítima
hyperbole.servehttp.com:8245
transferhost.servehttp.com:8245
H2RFPLQM-M886-SJW3-5S2T-Y6C5L485IGH2
-
enable_keylogger
false
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Google\Common\Google Update
-
install_file
GoogleUpdaterServices.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
título da mensagem
-
password
romulan
-
regkey_hkcu
Google Updates
Targets
-
-
Target
8c7cfd184c8d7147c516232f7998394e_JaffaCakes118
-
Size
488KB
-
MD5
8c7cfd184c8d7147c516232f7998394e
-
SHA1
c5d13f7083616c3bea41eca901e35804346b463a
-
SHA256
72b25697ec1ead4e2e4fca0cc122a5f44537b21d674716baa55f3d8dd5171234
-
SHA512
3bfbbd2d20c5d3ce65b68f0cf86ff76455c0c749aa1368f3f77609d8f9b5a43ab81f98f471aeb0488a3c3ec45aa02918970f9d68d2c5387d0b367bd94415190c
-
SSDEEP
6144:aWlOqDywv80rLP3d3WwWpcVUPYeKO4Ol/3+myqq1d+bbCDkxuhk3JdTF:a1a5v//dWwWbP0bH1dWbCDAsWJdTF
-
Adds policy Run key to start application
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-