Extracted

• • Target

    JaffaCakes118_63695aab8d849ed964b4698763bad225

  • Size

    788KB

  • MD5

    63695aab8d849ed964b4698763bad225

  • SHA1

    19655d3e5937b485275f137308242c6fc8868e75

  • SHA256

    160b00f82db12dcf5e84510565f7da878e9e252e104392ae7740b75c59050f35

  • SHA512

    e4421c50b886401f1271f21e5acd151626a4e1117490a9bc6cecbd00e8726594b553f29faa694a964e7ce71983bd222b30d08993ac2ef57033325cda869399a9

  • SSDEEP

    12288:DlP3QOq8VL/YN0XmtyjgDkatT1CFNjh56ARPax530MbwDB+PV4jiS:ZU8Bs0KyEXi/V5LRPUkEwDSVHS

  Score

  10^/10

  blackshadescybergatehackedbootkitdefense_evasiondiscoverypersistenceratstealertrojanupx

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

    ratblackshades

  • Blackshades family

    blackshades

  • Blackshades payload

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate

  • Cybergate family

    cybergate

  • Modifies firewall policy service

    defense_evasion

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2