General
-
Target
e670cdf203f367f00d6bde831a2f935f_JaffaCakes118
-
Size
383KB
-
Sample
240917-kjz76stfkc
-
MD5
e670cdf203f367f00d6bde831a2f935f
-
SHA1
3fa61dd7f71b1e4d479497e81e2c05c91025a31e
-
SHA256
cdc05bc4858deb659fa835d8c640cf0e21034b6fbb00d6b4bae6fd996a9d6bb4
-
SHA512
52a2ae8ff1691859bc5156cb18caf88d821833991e54cc60d5625d24556a2ce6e05a8ab164bc3090fc361388094fe0b2fe46222c29e083334ba04b707784d66d
-
SSDEEP
6144:N4ABF94bpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK:WUJGLE0kuGnESB
Behavioral task
behavioral1
Sample
e670cdf203f367f00d6bde831a2f935f_JaffaCakes118.exe
Resource
win7-20240729-en
Malware Config
Extracted
cybergate
v1.04.8
remote
chipspoker.no-ip.biz:81
4FFP3708DNK838
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
anjing
Targets
-
-
Target
e670cdf203f367f00d6bde831a2f935f_JaffaCakes118
-
Size
383KB
-
MD5
e670cdf203f367f00d6bde831a2f935f
-
SHA1
3fa61dd7f71b1e4d479497e81e2c05c91025a31e
-
SHA256
cdc05bc4858deb659fa835d8c640cf0e21034b6fbb00d6b4bae6fd996a9d6bb4
-
SHA512
52a2ae8ff1691859bc5156cb18caf88d821833991e54cc60d5625d24556a2ce6e05a8ab164bc3090fc361388094fe0b2fe46222c29e083334ba04b707784d66d
-
SSDEEP
6144:N4ABF94bpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK:WUJGLE0kuGnESB
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1