General

Target: dd4481feaea06cbba88ba3f97a42c081_JaffaCakes118
Size: 755KB
Sample: 240912-3wgkpssclr
MD5: dd4481feaea06cbba88ba3f97a42c081
SHA1: df4c08794a15acfe9763f6adacef6a1019b09fa3
SHA256: 650124d0da1396746f89de172251b5368a51227a63d9b34337cee577b01d5daa
SHA512: 8b014102a7a00d36ff371603b5adad770c4c3a96f42f6040936a736634f3c7ae560287d25586d863ca84b1ef56b5e9b95e5dcd34ca3c96ad0b8a25c7209a19f9
SSDEEP: 12288:12H6lnmlRC2nzISGA/QpUeOz9dqUU/RV0DlOvl4vYrUcmmej7DDk52osjG:12alnog2BGoA/OR2wJ+l4vG1mmejfDkP
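The digests above are the file-identity indicators for this sample. The following is an added example, not part of the sandbox report: a small Python triage helper that recomputes MD5, SHA-1, SHA-256 and SHA-512 over a file or byte string and says which of the report's values it matches. The IOC values are copied from the report; the file paths in the usage line are assumptions. SSDEEP is not recomputed here because it needs the separate ssdeep bindings.

```python
"""Hash-based IOC check for the sample described in the report above.
Added example (not sandbox output). Digests in REPORT_IOCS are copied from
the report; any file path passed on the command line is the analyst's own."""
import hashlib
from pathlib import Path
from typing import Dict, Union

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests from the report, stored lower-case so comparison is canonical.
REPORT_IOCS: Dict[str, str] = {
    "md5": "dd4481feaea06cbba88ba3f97a42c081",
    "sha1": "df4c08794a15acfe9763f6adacef6a1019b09fa3",
    "sha256": "650124d0da1396746f89de172251b5368a51227a63d9b34337cee577b01d5daa",
    "sha512": "8b014102a7a00d36ff371603b5adad770c4c3a96f42f6040936a736634f3c7ae"
              "560287d25586d863ca84b1ef56b5e9b95e5dcd34ca3c96ad0b8a25c7209a19f9",
}


def file_hashes(data: Union[bytes, Path]) -> Dict[str, str]:
    """Compute all four digests in a single pass over bytes or a file path."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    if isinstance(data, Path):
        with data.open("rb") as fh:
            # Read in 1 MiB chunks so large droppers do not have to fit in memory.
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                for h in hashers.values():
                    h.update(chunk)
    else:
        for h in hashers.values():
            h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def _norm(value: str) -> str:
    """Hashes pasted from reports often carry case or whitespace differences."""
    return value.strip().lower()


def match_iocs(observed: Dict[str, str],
               iocs: Dict[str, str] = REPORT_IOCS) -> Dict[str, bool]:
    """Per-algorithm comparison; a missing observed digest counts as no match."""
    return {name: _norm(observed.get(name, "")) == _norm(iocs[name]) for name in iocs}


def is_reported_sample(data: Union[bytes, Path]) -> bool:
    """True only when every digest agrees. One algorithm matching while the
    others differ indicates a transcription error (or a collision), not the sample."""
    return all(match_iocs(file_hashes(data)).values())


if __name__ == "__main__":
    import sys
    # Assumed usage: python ioc_check.py suspect.exe another.bin
    for arg in sys.argv[1:]:
        path = Path(arg)
        verdict = "MATCH" if is_reported_sample(path) else "no match"
        print(f"{arg}: {verdict} {match_iocs(file_hashes(path))}")
```

Pivot on SHA-256 when sharing or searching; MD5 and SHA-1 are kept only because older feeds and reports still key on them.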
Static task: static1
Behavioral task: behavioral1
Sample: dd4481feaea06cbba88ba3f97a42c081_JaffaCakes118.exe
Resource: win7-20240708-en
Malware Config

Extracted: cybergate v1.07.5
Hacked
C2: boeseboese.dyndns.org:8767
W53J5U7O30TN00

- enable_keylogger: false
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: svchost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: caik93
- regkey_hkcu: HKCU
- regkey_hklm: HKLM

The controller address is a dynamic DNS hostname, so hunt and block on the hostname rather than on whatever IP it resolved to during the run. On the host, the artifacts to look for are a copy of the implant named svchost.exe in a directory called install (a name chosen to blend in with the real System32 binary) and autostart entries under both HKCU and HKLM.
Targets

Target: dd4481feaea06cbba88ba3f97a42c081_JaffaCakes118 (the sample described under General)
Signatures:
- Adds policy Run key to start application (a value under ...\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, a less commonly inspected autostart location than the plain Run key)
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components); the StubPath value of the added component is executed at the next user logon.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution (vbc.exe, a signed Microsoft binary used as a proxy for execution)
- Adds Run key to start application (consistent with the regkey_hkcu and regkey_hklm entries in the extracted config)
- Suspicious use of SetThreadContext (the API redirects a thread's execution after code has been written into another process, the usual final step of process hollowing; consistent with injected_process being explorer.exe in the config)
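The persistence signatures above and the install_dir/install_file/regkey settings in the extracted config describe the same set of host artifacts. The following is an added example, not part of the sandbox report: Python detection logic that runs over Sysmon-style registry and process-creation events and flags the three autostart locations named by the signatures plus a svchost.exe started from anywhere other than System32 or SysWOW64. The events are constructed here to exercise the rules; the user profile path and the Active Setup GUID in them are assumptions.

```python
"""Detection rules for the behaviours listed in the report above (policy Run key,
Active Setup, Run key) and for the dropped 'svchost.exe' named by the extracted
config (install_dir/install_file). Added example, not sandbox output; the
Sysmon-style events at the bottom are constructed."""
import ntpath
import re
from typing import Dict, List

# Registry autostart locations. Each pattern is applied to the key holding the
# value (TargetObject minus its last component), case-insensitively.
AUTOSTART_RULES = {
    "run_key": re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I),
    "policy_run_key": re.compile(
        r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$", re.I),
    "active_setup": re.compile(
        r"\\Microsoft\\Active Setup\\Installed Components\\[^\\]+$", re.I),
}

# The only locations from which a genuine svchost.exe is started.
LEGIT_SVCHOST = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\svchost\.exe$", re.I)


def registry_findings(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag registry value writes (Sysmon event 13 shape) that land in an autostart key."""
    target = event["TargetObject"]
    key, _, value_name = target.rpartition("\\")
    findings = []
    for rule, pattern in AUTOSTART_RULES.items():
        if not pattern.search(key):
            continue
        # Active Setup only executes StubPath; Version/IsInstalled control when the
        # component re-runs but hold no command, so they are not flagged on their own.
        if rule == "active_setup" and value_name.lower() != "stubpath":
            continue
        findings.append({"rule": rule, "key": target, "command": event.get("Details", "")})
    return findings


def process_findings(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag a process named svchost.exe whose image lives outside System32/SysWOW64."""
    image = event["Image"]
    if ntpath.basename(image).lower() == "svchost.exe" and not LEGIT_SVCHOST.match(image):
        return [{"rule": "masquerading_svchost", "image": image,
                 "parent": event.get("ParentImage", "")}]
    return []


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over the event list and return all findings in event order."""
    out: List[Dict[str, str]] = []
    for ev in events:
        if ev["EventType"] == "RegistryValueSet":
            out.extend(registry_findings(ev))
        elif ev["EventType"] == "ProcessCreate":
            out.extend(process_findings(ev))
    return out


# Constructed events (not from the page). The profile path and the component GUID
# are assumed; 'install\svchost.exe' and the value name mirror the extracted config.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\Users\victim\AppData\Roaming\install\svchost.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost",
     "Details": r"C:\Users\victim\AppData\Roaming\install\svchost.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{E3A4B6F0-0000-4000-8000-000000000001}\StubPath",
     "Details": r"C:\Users\victim\AppData\Roaming\install\svchost.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{E3A4B6F0-0000-4000-8000-000000000001}\Version",
     "Details": "1,0,0,1"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\victim\AppData\Roaming\install\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The legitimate svchost.exe from System32 and the Active Setup Version write produce no findings, which is the point of the two negative cases: the rules key on where the value lands and where the image lives, not on the name svchost.exe alone.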