General
- Target: d0ac817465a470aaab271b9d821c5843_JaffaCakes118
- Size: 700KB
- Sample: 240906-3vlg9stgjj
- MD5: d0ac817465a470aaab271b9d821c5843
- SHA1: 419b9f1d379d5d6e6c85b2233e3f9a8b38c39dba
- SHA256: 465935080c16d406f9be2dd6cbecd91babbbc9fa646d4027404631544b81bdf8
- SHA512: e5e9324e1c8a146bcaf8313c9f3f9026c4bb66f64db9ef2c18cb0431a5bee7705876d9a1db79489348a24ce0c891955b37584ac3ae1d94d399e4415ebe46cd40
- SSDEEP: 12288:I8S4V3z6uO3roYHYYpjM0F7rGNrkty0fkhAlmv:IH4dLsJ4WMeErmyFAe
Static task: static1
Behavioral task: behavioral1
Sample: d0ac817465a470aaab271b9d821c5843_JaffaCakes118.exe
Resource: win7-20240903-en
Malware Config
Extracted: cybergate v1.05.1
remote: 127.0.0.1:81
M0P12068H1W54R
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: cybergate
Targets
- Target: d0ac817465a470aaab271b9d821c5843_JaffaCakes118
- Size: 700KB
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext