General
  Target: 8f1709d6b00ef22323a40958e709a90d_JaffaCakes118
  Size: 2.2MB
  Sample: 241104-eslhgssmgv
  MD5: 8f1709d6b00ef22323a40958e709a90d
  SHA1: 78bfefe5681f4fbf1858e4bc8da526fdd5351a35
  SHA256: 9b0562ef15a929499159ecace4b2f0a2ff2c6cced73a770f35de2119371df6cd
  SHA512: 8cb5ad374dc110abd588912626ea0f5e41c51f5dcc7e8cb8bd10db70ba8f5f5c83c45246e6a8bfb483b852b4b09c33f28c8c0c5856c2e506f11798c2ac17438a
  SSDEEP: 49152:/cU7hMotrQUkq1q3NJjFRJbCbX0PoF3fvYAqOGcFuw/3gwffuK23:rSoqhq1wxRJ20PDXcFbfJf23
Static task
  static1

Behavioral task
  behavioral1
    Sample: 8f1709d6b00ef22323a40958e709a90d_JaffaCakes118.exe
    Resource: win7-20240903-en

Behavioral task
  behavioral2
    Sample: 8f1709d6b00ef22323a40958e709a90d_JaffaCakes118.exe
    Resource: win10v2004-20241007-en
Malware Config
  Extracted family: cybergate
  Version: v1.07.5
  Botnet: RUNESCAPE
  C2:
    127.0.0.1:3737
    Hacksrs.no-ip.biz:3737
  Mutex: 8C76DX0KC8HX3W
  Attributes:
    enable_keylogger: true
    enable_message_box: false
    ftp_directory: .//
    ftp_interval: 20
    ftp_password: halifax13
    ftp_port: 21
    ftp_server: 0catch.com
    ftp_username: g-evo.0catch.com
    injected_process: explorer.exe
    install_dir: install
    install_file: windowsupdate.exe
    install_flag: true
    keylogger_enable_ftp: true
    message_box_caption: DO YOU WISH TO START RSBOT?
    message_box_title: RSBOT V2.08
    password: halifax13
    regkey_hkcu: HKCU
    regkey_hklm: HKLM
Targets
  Target: 8f1709d6b00ef22323a40958e709a90d_JaffaCakes118
  Size: 2.2MB
  MD5: 8f1709d6b00ef22323a40958e709a90d
  SHA1: 78bfefe5681f4fbf1858e4bc8da526fdd5351a35
  SHA256: 9b0562ef15a929499159ecace4b2f0a2ff2c6cced73a770f35de2119371df6cd
  SHA512: 8cb5ad374dc110abd588912626ea0f5e41c51f5dcc7e8cb8bd10db70ba8f5f5c83c45246e6a8bfb483b852b4b09c33f28c8c0c5856c2e506f11798c2ac17438a
  SSDEEP: 49152:/cU7hMotrQUkq1q3NJjFRJbCbX0PoF3fvYAqOGcFuw/3gwffuK23:rSoqhq1wxRJ20PDXcFbfJf23

  Signatures
    Cybergate family
    Adds policy Run key to start application
    Boot or Logon Autostart Execution: Active Setup
      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
    Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    Executes dropped EXE
    Loads dropped DLL
    Adds Run key to start application
    Drops file in System32 directory
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (3)
      Active Setup (1)
      Registry Run Keys / Startup Folder (2)
  Privilege Escalation
    Boot or Logon Autostart Execution (3)
      Active Setup (1)
      Registry Run Keys / Startup Folder (2)
  Defense Evasion
    Modify Registry (5)
    Subvert Trust Controls (1)
      Install Root Certificate (1)