General
-
Target
e90d4e4f9ea5ce52d76b3453cd182277_JaffaCakes118
-
Size
946KB
-
Sample
240918-nzqkfsygje
-
MD5
e90d4e4f9ea5ce52d76b3453cd182277
-
SHA1
e3710f3f462e0afc2270f1d8270cc60e92127829
-
SHA256
8afe5593b55253603343ac34c2869f7e1f687e31a531ae878cb9e0ff5c1e9f79
-
SHA512
d3460a86eb9a7bc14e4d0b95f451dca227f82092d2c421b4cb5d1dfdd7cb0d5831b9f5a6e2de95efd02a899d74ec6c56f332900a1d69ae76094c2333ac30f032
-
SSDEEP
24576:3h5sHIZKRanOOOxDOlSoOOOOOOOOOqMLEsOOOOOOOOOOOOOCwqpLOWbaNhOOOOOH:3hCHIbnOOOxDOlSoOOOOOOOOOjLEsOOe
Static task
static1
Behavioral task
behavioral1
Sample
e90d4e4f9ea5ce52d76b3453cd182277_JaffaCakes118.exe
Resource
win7-20240903-en
Malware Config
Extracted
cybergate
v1.07.5
remote
cgseb.no-ip.biz:333
KT05FP0YID6PL2
-
enable_keylogger
false
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
TestTestTest.exe
-
install_flag
false
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
cool
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
-
Target
e90d4e4f9ea5ce52d76b3453cd182277_JaffaCakes118
-
Size
946KB
-
MD5
e90d4e4f9ea5ce52d76b3453cd182277
-
SHA1
e3710f3f462e0afc2270f1d8270cc60e92127829
-
SHA256
8afe5593b55253603343ac34c2869f7e1f687e31a531ae878cb9e0ff5c1e9f79
-
SHA512
d3460a86eb9a7bc14e4d0b95f451dca227f82092d2c421b4cb5d1dfdd7cb0d5831b9f5a6e2de95efd02a899d74ec6c56f332900a1d69ae76094c2333ac30f032
-
SSDEEP
24576:3h5sHIZKRanOOOxDOlSoOOOOOOOOOqMLEsOOOOOOOOOOOOOCwqpLOWbaNhOOOOOH:3hCHIbnOOOxDOlSoOOOOOOOOOjLEsOOe
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-