General
-
Target
e1c4108d3db3495e152a012e0dea8466_JaffaCakes118
-
Size
1.1MB
-
Sample
240915-fwd39axdrq
-
MD5
e1c4108d3db3495e152a012e0dea8466
-
SHA1
de962fe79c9f33181c7ec349d8d230e4b0ee853b
-
SHA256
f7f888aa1bc2251b768d3e020a2390b2e6a34a5b600577291ba360161fece78b
-
SHA512
d236574fa561340bb43d8da50061504fd101f7b1431b3964ce8d0762c8a73626e7fa8a88860802939d10088754fc386089dca6e18d6e246cd0e0dc6c66b701c3
-
SSDEEP
12288:lV0jeLHQsnMDbxAeFJJvfUQKP0om7T+zx8KmFfhEjxGKOelAsapM/L9z1V62R4pi:l+j2n86OZKsj2LMcu46q
Static task
static1
Behavioral task
behavioral1
Sample
e1c4108d3db3495e152a012e0dea8466_JaffaCakes118.exe
Resource
win7-20240903-en
Malware Config
Extracted
cybergate
v1.07.5
remote
cutescreen.no-ip.info:5120
AP747BTU6W84N0
-
enable_keylogger
false
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
msgprs.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
eggbert
Targets
-
-
Target
e1c4108d3db3495e152a012e0dea8466_JaffaCakes118
-
Size
1.1MB
-
MD5
e1c4108d3db3495e152a012e0dea8466
-
SHA1
de962fe79c9f33181c7ec349d8d230e4b0ee853b
-
SHA256
f7f888aa1bc2251b768d3e020a2390b2e6a34a5b600577291ba360161fece78b
-
SHA512
d236574fa561340bb43d8da50061504fd101f7b1431b3964ce8d0762c8a73626e7fa8a88860802939d10088754fc386089dca6e18d6e246cd0e0dc6c66b701c3
-
SSDEEP
12288:lV0jeLHQsnMDbxAeFJJvfUQKP0om7T+zx8KmFfhEjxGKOelAsapM/L9z1V62R4pi:l+j2n86OZKsj2LMcu46q
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-