Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/04/2024, 06:45 UTC

General

  • Target

    02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe

  • Size

    112KB

  • MD5

    02a7e926c827c520122fcf6a4567314c

  • SHA1

    3c30ff40ef14baaf3d7ea74cabafdd0ab4d6b162

  • SHA256

    6b6f47abe5a8103adf1b12e5f3651ed24b632a64c5c94ce297a6f9ca0710f772

  • SHA512

    bdcb94e511b12f5d987cb6c493c74a609c1582020b06545654a6c79a0fd72372d25a716cac4919108639cae484dbb3d39cb2dda39539c309a03f011bf5fed7ad

  • SSDEEP

    3072:3XVn8iDW2JpOxR7eAN1NdO/9T2/Qx5lCAeD2EFnBSr1rvSgA//:3l8qW2J8yA/NdO/kox5lCd2EFnBSr1ry

Malware Config

Extracted

Family

gootkit

Botnet

1001

C2

pell-talak.com

gudsline.com

Attributes
  • vendor_id

    1001

Signatures

  • Gootkit

    Gootkit is a banking trojan, large parts of which are written in Node.js.

  • Drops file in System32 directory 4 IoCs
  • Modifies data under HKEY_USERS 42 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Local\Temp\02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe" kxgtatoyoldeiglhjlvh
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:2632

Network

  • flag-us
    DNS
    pell-talak.com
    02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    pell-talak.com
    IN A
    Response
    pell-talak.com
    IN A
    216.218.208.114
  • flag-us
    DNS
    pell-talak.com
    02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    pell-talak.com
    IN A
    Response
    pell-talak.com
    IN A
    216.218.208.114
  • flag-us
    GET
    https://pell-talak.com:80/rpersist3/0
    02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe
    Remote address:
    216.218.208.114:80
    Request
    GET /rpersist3/0 HTTP/1.1
    Cache-Control: no-cache
    Connection: Close
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0
    Host: pell-talak.com:80
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Sat, 27 Apr 2024 06:45:29 GMT
    Content-Type: application/octet-stream
    Transfer-Encoding: chunked
    Connection: close
  • flag-us
    DNS
    www.microsoft.com
    02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    23.55.97.181
  • 216.218.208.114:80
    https://pell-talak.com:80/rpersist3/0
    tls, http
    02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe
    2.1kB
    3.6kB
    31
    31

    HTTP Request

    GET https://pell-talak.com:80/rpersist3/0

    HTTP Response

    200
  • 8.8.8.8:53
    pell-talak.com
    dns
    02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe
    60 B
    76 B
    1
    1

    DNS Request

    pell-talak.com

    DNS Response

    216.218.208.114

  • 8.8.8.8:53
    pell-talak.com
    dns
    02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe
    60 B
    76 B
    1
    1

    DNS Request

    pell-talak.com

    DNS Response

    216.218.208.114

  • 8.8.8.8:53
    www.microsoft.com
    dns
    02a7e926c827c520122fcf6a4567314c_JaffaCakes118.exe
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    23.55.97.181


Downloads

  • memory/1664-13-0x0000000002A90000-0x0000000002B59000-memory.dmp

    Filesize

    804KB

  • memory/1664-11-0x0000000002010000-0x000000000213D000-memory.dmp

    Filesize

    1.2MB

  • memory/1664-2-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1664-16-0x0000000000470000-0x0000000000475000-memory.dmp

    Filesize

    20KB

  • memory/1664-3-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/1664-18-0x0000000000470000-0x0000000000475000-memory.dmp

    Filesize

    20KB

  • memory/1664-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

  • memory/1664-9-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/1664-1-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1664-15-0x0000000000460000-0x0000000000461000-memory.dmp

    Filesize

    4KB

  • memory/1664-4-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1664-12-0x0000000002720000-0x00000000027BF000-memory.dmp

    Filesize

    636KB

  • memory/1664-14-0x0000000002B60000-0x0000000002C69000-memory.dmp

    Filesize

    1.0MB

  • memory/1664-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1664-17-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2632-5-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2632-19-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2632-24-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2632-37-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB
