Extracted

• • Target

    5814270433ae5dce5fea8abd750b2162_JaffaCakes118

  • Size

    376KB

  • MD5

    5814270433ae5dce5fea8abd750b2162

  • SHA1

    09d54fce2423efd9ad7027284f618475d667b812

  • SHA256

    735923e89aaf5905417b60f2d8623c96879bc5cdeaeb00eab20163e36217d36f

  • SHA512

    4fa329c53bae87aab05c4f1bd752f43a36aaf11100377a1edba1128debd23f74144ad289d68dce901ca4f32590ee03508ab73416eec5ab09a72a32fd248162a4

  • SSDEEP

    6144:ZFZ/+7tnUBSpJEXtuPDFT/DInh6KeYebYmZg0tDxeV1nqnbaULA14DuY1khSd:A5nUBuJ205/DInQKeYedZg0tteVVqbx7

  Score

  10^/10

  cybergateneshtawinsxsdiscoverypersistencespywarestealertrojanupx

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate

  • Detect Neshta payload

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies system executable filetype association

    persistence

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2