General

Target: e81935e057891c3896e528ecf79b8437_JaffaCakes118
Size: 821KB
Sample: 240918-b9n36axapq
MD5: e81935e057891c3896e528ecf79b8437
SHA1: ce72da1ee322162ee1d95e4c197c73c1de1b8c3a
SHA256: 2e8fd325c1ac7e2ecade99cc07756e8f3c24e8d7969c8b0a0cb7abbbcfbd0966
SHA512: e84cd5f3be2417bb1cd1b317e2f5017f053a461679e9e73360ca21b0a7e3b33c05b71725ce506cfe6faba6ed309a3ea612e4b34a97da47c21cdfb3841bef0c2e
SSDEEP: 12288:nVNDXzVtLs3y3ViApgx4EK13hMXLcy1kLY8UB7IMBj2ZUeZYfQCYfxCgGhHrwNFp:V3tA3swI0uQxc

Static task: static1
Behavioral task: behavioral1
Sample: e81935e057891c3896e528ecf79b8437_JaffaCakes118.exe
Resource: win7-20240729-en

Malware Config

Extracted
Family: cybergate
Version: v1.04.8
remote:
  frankrat.no-ip.org:43594
  127.0.0.1:43594
  KOA5XW4GH52061
- enable_keylogger: false
- enable_message_box: false
- ftp_directory: .//public_html/
- ftp_interval: 5
- ftp_password: f0147258
- ftp_port: 21
- ftp_server: dcfrank.comoj.com
- ftp_username: a9697134
- injected_process: explorer.exe
- install_file: winboot.exe
- install_flag: true
- keylogger_enable_ftp: true
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: frank123
Targets

Target: e81935e057891c3896e528ecf79b8437_JaffaCakes118
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext