Extracted

• • Target

    17b61afb02e1c61d5ba981df1fca4ef3_JaffaCakes118

  • Size

    514KB

  • MD5

    17b61afb02e1c61d5ba981df1fca4ef3

  • SHA1

    7bbd897570b1ab2346b6fcddfc0253f8fb7932a1

  • SHA256

    1c095e93f3e79a74118e9c6e42d84766845f611ce0aaf6fbdb8cf096ebe5776d

  • SHA512

    4953de43f4b29cd008b02ac6272a3f93cfe5d811772299360917655462902a0f1fa29c65e2bf75a9f924c99a2bfa97d92e4f659865039ac98549979ed08b6603

  • SSDEEP

    12288:mjDxDEYjFq/R4Q0PMG+2/VUdMJ2pll4zW3lbva1:m24FPQ/MdUdE2d4oRva1

  Score

  10^/10

  cybergatemodiloadervítimadiscoveryevasionpersistencestealertrojanupx

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • UAC bypass

    evasiontrojan

  • ModiLoader Second Stage

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2