General
-
Target
JaffaCakes118_7fcdd3852c12a4a95fbc9cf8a5374456
-
Size
1.9MB
-
Sample
250202-xj6feavkdw
-
MD5
7fcdd3852c12a4a95fbc9cf8a5374456
-
SHA1
5643b54872a88d19996b422ae033371c265bfca3
-
SHA256
52dbf4c1599859ade0660037f79bc876c85c1c75ada063ff3712ba044f4765cf
-
SHA512
b47c7e430e78b72460afbaaf5057f3d5c61fb4e744b60e334a821d2e49cf1a0721f730e265a57433e73aff43e0929d1d52bc1d4af478f6fab9f502a764429d0e
-
SSDEEP
49152:PEwvjxhlxOk7J3jtWZgpELsnx0db7D2BqRbZU:PEwvdhlcIJj4ZAnx0t7yBqRlU
Malware Config
Extracted
cybergate
2.6
vítima
henryshadowrod.no-ip.org:81
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Win
-
install_file
Regedit.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
título da mensagem
-
password
abcd1234
Targets
-
-
Target
JaffaCakes118_7fcdd3852c12a4a95fbc9cf8a5374456
-
Size
1.9MB
-
MD5
7fcdd3852c12a4a95fbc9cf8a5374456
-
SHA1
5643b54872a88d19996b422ae033371c265bfca3
-
SHA256
52dbf4c1599859ade0660037f79bc876c85c1c75ada063ff3712ba044f4765cf
-
SHA512
b47c7e430e78b72460afbaaf5057f3d5c61fb4e744b60e334a821d2e49cf1a0721f730e265a57433e73aff43e0929d1d52bc1d4af478f6fab9f502a764429d0e
-
SSDEEP
49152:PEwvjxhlxOk7J3jtWZgpELsnx0db7D2BqRbZU:PEwvdhlcIJj4ZAnx0t7yBqRlU
Score10/10-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Cybergate family
-
Modifies firewall policy service
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
5