Extracted

Extracted

• • Target

    a014a5ce46a0ad1feabf1373bbe31144_JaffaCakes118

  • Size

    3.2MB

  • MD5

    a014a5ce46a0ad1feabf1373bbe31144

  • SHA1

    f0c7d8076183d104fb410de83709df73da9535a4

  • SHA256

    4ea226f3365494493d91091b9a2cee351f357cd295d4f16614a3b5e9789f5754

  • SHA512

    05fb4b1d453970810b038de34a4a4a8c24e350c464046706c5c83496beb8a15e2c02b9b58990d0b9369620b9c23ce21cfbf3b7e1e4a2c0c80ebfd094324dcccf

  • SSDEEP

    49152:6PcXq/ZpWT0Fu+Hyta6RHsqlFYyztreuJ++j:

  Score

  10^/10

  cybergatelatentbotmrnice_spreadingcredential_accessdiscoverypersistencespywarestealertrojanupx

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Uses the VBS compiler for execution

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2