General
-
Target
8dc24a61bb82a3295941c5411bcbc55e_JaffaCakes118
-
Size
2.9MB
-
Sample
240812-hrtz1szell
-
MD5
8dc24a61bb82a3295941c5411bcbc55e
-
SHA1
a6882f512f77859fc5dc1a53fdd608cd4609df2b
-
SHA256
4347dbc6c6c4399fc11bc0cfbb9a00451c67bb558665e3e2f882dc2e1e78584d
-
SHA512
1423aebeb3c548e6203abc62b8759064992986387acd412fd05ec2c6b6926e62f4d700f54d783e57a96c5c18e6dbb65ddc711b1ca8d012bc7285f07c08ca600c
-
SSDEEP
24576:wFUZN3jb2Bqh6axt3oY5IShZ7bjQNTUXqErD2AHuE2N7Yb2ICZLrzBnDDc4sxvW1:qUZxjbdfoXSkN6bZJsXzRkpv
Static task
static1
Behavioral task
behavioral1
Sample
8dc24a61bb82a3295941c5411bcbc55e_JaffaCakes118.exe
Resource
win7-20240704-en
Malware Config
Extracted
cybergate
v1.02.0
Cyber
keithpp.no-ip.org:82
IPS572TFS5VKJA
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Winbooterr
-
install_file
Svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
-
Target
8dc24a61bb82a3295941c5411bcbc55e_JaffaCakes118
-
Size
2.9MB
-
MD5
8dc24a61bb82a3295941c5411bcbc55e
-
SHA1
a6882f512f77859fc5dc1a53fdd608cd4609df2b
-
SHA256
4347dbc6c6c4399fc11bc0cfbb9a00451c67bb558665e3e2f882dc2e1e78584d
-
SHA512
1423aebeb3c548e6203abc62b8759064992986387acd412fd05ec2c6b6926e62f4d700f54d783e57a96c5c18e6dbb65ddc711b1ca8d012bc7285f07c08ca600c
-
SSDEEP
24576:wFUZN3jb2Bqh6axt3oY5IShZ7bjQNTUXqErD2AHuE2N7Yb2ICZLrzBnDDc4sxvW1:qUZxjbdfoXSkN6bZJsXzRkpv
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-