General
-
Target
JaffaCakes118_7cb7c1b3d2751bf22969c2a72465610b
-
Size
800KB
-
Sample
250317-dzatwssjy5
-
MD5
7cb7c1b3d2751bf22969c2a72465610b
-
SHA1
aaba3cefc1f327a6de7d0bc804984d529f125e88
-
SHA256
52bf34a070ff4705532607882a66537156861b75dd848ee859eb77982fefd69b
-
SHA512
91b40fd9e6c56a9da1bd9a88da66700c5d35fba95a9ebae4ae05ee5ed402764b3ada58ec9d80b8516a79759cd352130cd1f4ca78dac61f7e924de6b3d0d81c9a
-
SSDEEP
12288:DBCZ7ldWIqC+I3Hshlp+o2dWTe+NvL5iIFcvQLAblu8n2zGBDECZ0oCx30vqCaeH:Antq1hlpdL5pgdDTaoCxMqfeU0
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_7cb7c1b3d2751bf22969c2a72465610b.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_7cb7c1b3d2751bf22969c2a72465610b.exe
Resource
win10v2004-20250314-en
Malware Config
Extracted
cybergate
2.6
vítima
godimath.no-ip.org:1337
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
Update.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
título da mensagem
-
password
abcd1234
-
regkey_hkcu
HKCU
Targets
-
-
Target
JaffaCakes118_7cb7c1b3d2751bf22969c2a72465610b
-
Size
800KB
-
MD5
7cb7c1b3d2751bf22969c2a72465610b
-
SHA1
aaba3cefc1f327a6de7d0bc804984d529f125e88
-
SHA256
52bf34a070ff4705532607882a66537156861b75dd848ee859eb77982fefd69b
-
SHA512
91b40fd9e6c56a9da1bd9a88da66700c5d35fba95a9ebae4ae05ee5ed402764b3ada58ec9d80b8516a79759cd352130cd1f4ca78dac61f7e924de6b3d0d81c9a
-
SSDEEP
12288:DBCZ7ldWIqC+I3Hshlp+o2dWTe+NvL5iIFcvQLAblu8n2zGBDECZ0oCx30vqCaeH:Antq1hlpdL5pgdDTaoCxMqfeU0
-
Cybergate family
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2