General
-
Target
JaffaCakes118_7bd17ff63a34d9d30abafeba2c1e671d
-
Size
280KB
-
Sample
250316-1mq2nstpz6
-
MD5
7bd17ff63a34d9d30abafeba2c1e671d
-
SHA1
e9eb0d21a2e0586a00bdd8fe5aae444f79dbceda
-
SHA256
205e761fa7ed8d9e8afdff276713972ef275bee9f1b77c417e66e2c7b92e3641
-
SHA512
97bff8d7752eb74d43b7c94dc0a617cf2483faa46025b805ec04338ae9da89454235305e046ba050457f533db5571f335d2edf9ccee833ee412d3d26ba43f7e5
-
SSDEEP
6144:a6U9MjGT03gokVlt2T+zOhps+rA0XwPd:nU+CY3g9ViT1p/c06
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_7bd17ff63a34d9d30abafeba2c1e671d.exe
Resource
win7-20241010-en
Malware Config
Extracted
cybergate
2.4
vítima
127.0.0.1:80
bullseye23.no-ip.biz:81
***mULTaAEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
.//lib-1/
-
ftp_interval
30
-
ftp_password
woolsa
-
ftp_port
21
-
ftp_server
bullseye23.0catch.com
-
ftp_username
bullseye23.0catch.com
-
injected_process
explorer.exe
-
install_dir
Windll
-
install_file
psdk.exe
-
install_flag
true
-
keylogger_enable_ftp
true
-
message_box_caption
texto da mensagem
-
message_box_title
título da mensagem
-
password
abcd1234
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
-
Target
JaffaCakes118_7bd17ff63a34d9d30abafeba2c1e671d
-
Size
280KB
-
MD5
7bd17ff63a34d9d30abafeba2c1e671d
-
SHA1
e9eb0d21a2e0586a00bdd8fe5aae444f79dbceda
-
SHA256
205e761fa7ed8d9e8afdff276713972ef275bee9f1b77c417e66e2c7b92e3641
-
SHA512
97bff8d7752eb74d43b7c94dc0a617cf2483faa46025b805ec04338ae9da89454235305e046ba050457f533db5571f335d2edf9ccee833ee412d3d26ba43f7e5
-
SSDEEP
6144:a6U9MjGT03gokVlt2T+zOhps+rA0XwPd:nU+CY3g9ViT1p/c06
-
Cybergate family
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-