General
-
Target
c6594d13734462e327a75eb803c1e583_JaffaCakes118
-
Size
1.4MB
-
Sample
241205-g8fy2symal
-
MD5
c6594d13734462e327a75eb803c1e583
-
SHA1
a37788d357fe854b4862338e43f2468e80ca216e
-
SHA256
6b67f7c1bfe6dc5060a40c534ed1aaf0c4a39690ef28347b004c777bb5f48263
-
SHA512
5060fc6a29baa20964fc9460a6d2a3b89de430150ec3cbf088d9a253df99f9a131f20cea7652fe2a1d1430a29ead679e65f4b7446e3633d4e244dec04c0f0316
-
SSDEEP
24576:B+qCQdxc25pNzyLXxNDumIbcEsWXy9d0FAv1s:zCQdS25Lyr1uc5WC9d0FAS
Static task
static1
Behavioral task
behavioral1
Sample
c6594d13734462e327a75eb803c1e583_JaffaCakes118.exe
Resource
win7-20240903-en
Malware Config
Extracted
cybergate
2.6
Novo
lostbox.mine.nu:587
alivecard.no-ip.org:587
***windows***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Update Microsoft
-
install_file
windows update.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
título da mensagem
-
password
abcd1234
Targets
-
Cybergate family
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (4)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (4)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (10)
- Pre-OS Boot (1)
  - Bootkit (1)