General
- Target: JaffaCakes118_8e19a3b24f1b3fb1ef848141d6ef2121
- Size: 318KB
- Sample: 250329-v65fhszny4
- MD5: 8e19a3b24f1b3fb1ef848141d6ef2121
- SHA1: 9567d7a4332cc39b51dd6a2ba9220d94de95bbc9
- SHA256: 83a16fb0384ccddc9c74adc837046da3ac4cff99603c5c777be846dbe844a581
- SHA512: f7395f83853b01d8b0cdc4c32e4c3e85584103027abda5ccfb04a7657c9df1b59d3ca818665b78833ac7ad3549c5c1baaef4d5364e298d3c40fbcb61568884a2
- SSDEEP: 6144:WXZd/AWdGGqTRCTJX7C+8Os9doc3IJXqPwZaEtUD7uHAzh7QGxl7T:UZdl0GkcX7bs9ic3IJNaGCeAzh7H7T
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_8e19a3b24f1b3fb1ef848141d6ef2121.exe
- Resource: win7-20240903-en
Malware Config
Extracted
- Family: cybergate
- Version: 2.6
- Botnet ID: vítima (Portuguese for "victim")
- C2: vinnicom2enes.no-ip.org:82
- C2: 127.0.0.1:82
- Mutex: ***MUTEX*** (the CyberGate builder's default mutex name)
Attributes
- enable_keylogger: true
- enable_message_box: true
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: windows update
- install_file: update.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Este arquivo está corrompido ou danificado! (Portuguese: "This file is corrupted or damaged!")
- message_box_title: Error
- password: 030489
- regkey_hkcu: windows update
- regkey_hklm: windows update
Notes on the config: with install_flag set, the sample copies itself to a folder named "windows update" as update.exe and registers that copy under a Run value named "windows update" in both HKCU and HKLM; enable_message_box with the caption above means the victim sees a fake "corrupted file" error on first launch while the install proceeds. The keylogger is enabled but FTP upload of its logs is not, so the ftp_directory and ftp_interval values are inactive. Only the no-ip.org host is an actionable network indicator (the 127.0.0.1 entry is loopback), and because it is a dynamic-DNS name the resolved IP can change between runs.
Targets
Target: JaffaCakes118_8e19a3b24f1b3fb1ef848141d6ef2121 (318KB; the same file as under General, hashes listed there)
Signatures
- Cybergate family
- Adds policy Run key to start application (a value under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run)
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine (a StubPath value under HKLM\Software\Microsoft\Active Setup\Installed Components\{GUID}, which Windows executes at user logon).
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application (matches the regkey_hkcu / regkey_hklm value "windows update" in the config)
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext (consistent with the configured injected_process explorer.exe: a thread of the target process is redirected to the injected payload)
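As an added example (not part of the sandbox report, and not code from CyberGate or the sandbox), the following Python script turns the extracted config above into host and network indicators and runs them over a handful of constructed Sysmon-style events covering the behaviours listed under Signatures: the dropped copy being written and executed, the Run and policy Run values, an Active Setup StubPath, and C2 traffic from the injected explorer.exe. Event field names follow Sysmon's (Image, TargetFilename, TargetObject, Details, QueryName, DestinationPort); the sample events, the install root under C:\Windows\system32 and the GUID placeholder are constructed and are assumptions, not facts from the report.

```python
import re
from typing import Dict, List, Tuple

# Values copied from the "Malware Config" section of this report.
CONFIG = {
    "c2": ["vinnicom2enes.no-ip.org:82", "127.0.0.1:82"],
    "injected_process": "explorer.exe",
    "install_dir": "windows update",
    "install_file": "update.exe",
    "regkey_hkcu": "windows update",
    "regkey_hklm": "windows update",
}

# Run and policy Run autostart keys (the locations behind the report's "Adds Run key"
# and "Adds policy Run key" signatures), in any hive and in the 32- or 64-bit view.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Policies\\Explorer\\)?Run\\",
    re.IGNORECASE,
)


def build_indicators(cfg: Dict) -> Dict:
    """Derive matchable host and network indicators from the extracted CyberGate config."""
    hosts, ports = set(), set()
    for c2 in cfg["c2"]:
        host, _, port = c2.rpartition(":")
        ports.add(int(port))
        if host != "127.0.0.1":  # loopback is not actionable on the network
            hosts.add(host.lower())
    return {
        "hosts": hosts,
        "ports": ports,
        # the dropped copy lives at <some root>\windows update\update.exe
        "install_path_suffix": "\\" + (cfg["install_dir"] + "\\" + cfg["install_file"]).lower(),
        "run_value_names": {cfg["regkey_hkcu"].lower(), cfg["regkey_hklm"].lower()},
        "injected_process": cfg["injected_process"].lower(),
    }


def match_event(ev: Dict, ind: Dict) -> List[str]:
    """Return the reasons one Sysmon-style event matches the indicators ([] if none)."""
    reasons = []
    eid = ev["EventID"]
    if eid == 1:  # process creation
        if ev["Image"].lower().endswith(ind["install_path_suffix"]):
            reasons.append("dropped copy executed from install_dir")
    elif eid == 3:  # network connection
        if ev.get("DestinationHostname", "").lower() in ind["hosts"]:
            reasons.append("connection to configured C2 host")
        elif (ev["DestinationPort"] in ind["ports"]
              and ev["Image"].lower().endswith("\\" + ind["injected_process"])):
            reasons.append("configured C2 port from the injection target process")
    elif eid == 11:  # file create
        if ev["TargetFilename"].lower().endswith(ind["install_path_suffix"]):
            reasons.append("payload written to install_dir\\install_file")
    elif eid == 13:  # registry value set
        target = ev["TargetObject"]
        value_name = target.rsplit("\\", 1)[-1].lower()
        if RUN_KEY_RE.search(target) and value_name in ind["run_value_names"]:
            reasons.append("Run/policy Run value named after regkey_hkcu/regkey_hklm")
        # A StubPath write is noisy on its own (installers use Active Setup too),
        # so require the value data to point at the dropped copy.
        if (value_name == "stubpath"
                and "\\active setup\\installed components\\" in target.lower()
                and ind["install_path_suffix"] in ev.get("Details", "").lower()):
            reasons.append("Active Setup StubPath pointing at the dropped copy")
    elif eid == 22:  # DNS query
        if ev["QueryName"].lower() in ind["hosts"]:
            reasons.append("DNS lookup of configured C2 host")
    return reasons


def scan(events: List[Dict], ind: Dict) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every event that matches at least one indicator."""
    hits = []
    for i, ev in enumerate(events):
        reasons = match_event(ev, ind)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not from the report). The install root and the GUID
# placeholder are assumptions made for the sample only.
DROPPED = r"C:\Windows\system32\windows update\update.exe"
SAMPLE = r"C:\Users\lab\Desktop\sample.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 13, "Image": SAMPLE, "Details": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\windows update"},
    {"EventID": 13, "Image": SAMPLE, "Details": DROPPED,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{example-guid}\StubPath"},
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE},
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe", "QueryName": "vinnicom2enes.no-ip.org"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 82},
    # benign noise that must not match
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "Details": "onedrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS, build_indicators(CONFIG)):
        print(f"event {idx} (ID {SAMPLE_EVENTS[idx]['EventID']}): {'; '.join(why)}")
```

The mutex cannot be seen in these event types and would be checked on the host (or in a memory image) instead; the Active Setup rule deliberately requires the StubPath data to reference the dropped copy, because the key alone is written by legitimate installers as well.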