General
-
Target
a1a296b76be90dd04c3c671b670145a5_JaffaCakes118
-
Size
3.4MB
-
Sample
240817-h3s7vstcqf
-
MD5
a1a296b76be90dd04c3c671b670145a5
-
SHA1
92634cc255631c557dd8ac3b53f9d33de931a5a2
-
SHA256
c977ad9044bb20f176f8ef1c1f0c311092be604fc985e3b579ad3c965ba4b76f
-
SHA512
04cd1cc96ab1dbbfea0b9bf0d7b6d43b517b02b600017209af4333e0ae2e5aeafc4d200738b4691dd731918df8d80fbfd660a6506bf2a5c358d00506dd8b2a0e
-
SSDEEP
49152:mcD5EcpDgsiwEY21Xn0uyoW3L2HOUARbMvl4ePASbANkrNDkyPgTrPvJxk7W+JiU:v20Q3ZQKNARgvllANkrNvPar5aaPc
Static task
static1
Behavioral task
behavioral1
Sample
a1a296b76be90dd04c3c671b670145a5_JaffaCakes118.exe
Resource
win7-20240729-en
Malware Config
Extracted
cybergate
v1.07.5
remote
fmsserver.dyndns.biz:81
fmsserver.dyndns.biz:999
fmsserver.dyndns.biz:1111
newnewnewdslnew.zapto.org:81
newnewnewdslnew.zapto.org:999
newnewnewdslnew.zapto.org:1111
newnewnewdslnew.zapto.org:80
127.0.0.1:81
K305AR06NSGF4W
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
winlogon.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
nonono
-
message_box_title
nonono
-
password
cybergate
Extracted
latentbot
newnewnewdslnew.zapto.org
Targets
-
-
Target
a1a296b76be90dd04c3c671b670145a5_JaffaCakes118
-
Size
3.4MB
-
MD5
a1a296b76be90dd04c3c671b670145a5
-
SHA1
92634cc255631c557dd8ac3b53f9d33de931a5a2
-
SHA256
c977ad9044bb20f176f8ef1c1f0c311092be604fc985e3b579ad3c965ba4b76f
-
SHA512
04cd1cc96ab1dbbfea0b9bf0d7b6d43b517b02b600017209af4333e0ae2e5aeafc4d200738b4691dd731918df8d80fbfd660a6506bf2a5c358d00506dd8b2a0e
-
SSDEEP
49152:mcD5EcpDgsiwEY21Xn0uyoW3L2HOUARbMvl4ePASbANkrNDkyPgTrPvJxk7W+JiU:v20Q3ZQKNARgvllANkrNvPar5aaPc
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-