Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 06:43
Static task: static1
Behavioral task: behavioral1
  Sample: 28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe
Size: 539KB
MD5: 28c49eb4f2dfa09ab41ec5ba7fe96eaf
SHA1: e28d4cb57b9836d29e324d9e51692b84a50a3ca5
SHA256: eb3e91eb6062ab5dc2682efa3d6485e13745426d5c43c0f8c5da34d85419f3bb
SHA512: 8d95224a8561d0f5ff4f270447b1c392dd41ee5833dbafdf37b3e8412e3bf7c61bc74c01a789dd92cf7173995698a7cf3ad1a643f8fd2dc4a99d9a4944b30c2f
SSDEEP: 12288:vdnBNl0RtTNxfSiCjtFYS9ief6JsYVtajaxIABxnjG8oi8WrT:T0rTNpSJtFTNYV4jZABlG8h1/
Malware Config
Extracted family: gozi
build: 215798
Signatures

Executes dropped EXE (2 IoCs)
  pid 2616  cmickmgr.exe
  pid 2656  cmickmgr.exe

Loads dropped DLL (2 IoCs)
  pid 2620  cmd.exe
  pid 2620  cmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\compOMEX = "C:\\Users\\Admin\\AppData\\Roaming\\bitsupnp\\cmickmgr.exe"
  by process: 28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe

Suspicious use of SetThreadContext (4 IoCs)
  PID 2912 (28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe) set thread context of 848 (28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe)
  PID 2616 (cmickmgr.exe) set thread context of 2656 (cmickmgr.exe)
  PID 2656 (cmickmgr.exe) set thread context of 2880 (svchost.exe)
  PID 2880 (svchost.exe) set thread context of 1192 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2656  cmickmgr.exe
  pid 1192  Explorer.EXE

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 2656  cmickmgr.exe
  pid 2880  svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1192  Explorer.EXE

Suspicious use of WriteProcessMemory (44 IoCs; identical source/target pairs are grouped, the trailing figure is the number of recorded calls)
  PID 2912 (28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe) wrote to memory of 848 (28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe)  x11
  PID 848 (28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe) wrote to memory of 2324 (cmd.exe)  x4
  PID 2324 (cmd.exe) wrote to memory of 2620 (cmd.exe)  x4
  PID 2620 (cmd.exe) wrote to memory of 2616 (cmickmgr.exe)  x4
  PID 2616 (cmickmgr.exe) wrote to memory of 2656 (cmickmgr.exe)  x11
  PID 2656 (cmickmgr.exe) wrote to memory of 2880 (svchost.exe)  x7
  PID 2880 (svchost.exe) wrote to memory of 1192 (Explorer.EXE)  x3
Processes (nested by depth; each entry lists image path, command line, matched signatures and PID)

depth 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1192

  depth 2: C:\Users\Admin\AppData\Local\Temp\28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2912

    depth 3: C:\Users\Admin\AppData\Local\Temp\28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 848

      depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\92A0\4950.bat" "C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe" "C:\Users\Admin\AppData\Local\Temp\28C49E~1.EXE""
        - Suspicious use of WriteProcessMemory
        PID: 2324

        depth 5: C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe" "C:\Users\Admin\AppData\Local\Temp\28C49E~1.EXE""
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 2620

          depth 6: C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe
            Command line: "C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe" "C:\Users\Admin\AppData\Local\Temp\28C49E~1.EXE"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID: 2616

            depth 7: C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe
              Command line: "C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of WriteProcessMemory
              PID: 2656

              depth 8: C:\Windows\system32\svchost.exe
                Command line: C:\Windows\system32\svchost.exe
                - Suspicious use of SetThreadContext
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of WriteProcessMemory
                PID: 2880
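The SetThreadContext records and the process tree together describe one chain: the sample re-launches and hollows its own image, hands off through two cmd.exe instances to the dropped copy under AppData\Roaming, which hollows itself, then moves into svchost.exe and finally into Explorer.EXE. The Python below is an added triage example, not part of the sandbox output: it parses the report's own IoC text (the SetThreadContext and Run key records, copied into string constants) plus the process tree (transcribed as parent/child edges) and reconstructs that lineage and the autorun target. The SYSTEM_HOSTS set and the hop labels are this example's own assumptions, not sandbox classifications.

```python
import re

# IoC text copied from this report's "Suspicious use of SetThreadContext" and
# "Adds Run key" signatures (report data, not constructed).
SET_THREAD_CONTEXT_IOCS = """
PID 2912 set thread context of 848 2912 28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe 28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe
PID 2616 set thread context of 2656 2616 cmickmgr.exe cmickmgr.exe
PID 2656 set thread context of 2880 2656 cmickmgr.exe svchost.exe
PID 2880 set thread context of 1192 2880 svchost.exe Explorer.EXE
"""
RUN_KEY_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\compOMEX = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\bitsupnp\\cmickmgr.exe"'
)
# Parent -> child edges transcribed from the report's process tree:
# (parent pid, child pid, child image).
PROCESS_TREE = [
    (1192, 2912, "28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe"),
    (2912, 848, "28c49eb4f2dfa09ab41ec5ba7fe96eaf_JaffaCakes118.exe"),
    (848, 2324, "cmd.exe"),
    (2324, 2620, "cmd.exe"),
    (2620, 2616, "cmickmgr.exe"),
    (2616, 2656, "cmickmgr.exe"),
    (2656, 2880, "svchost.exe"),
]

# Record layout: "PID <src> set thread context of <dst> <src> <src image> <dst image>"
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
RUN_RE = re.compile(r'\\Run\\(\S+) = "(.*)"')
# Assumption of this example: system images an injector picks to blend in.
SYSTEM_HOSTS = {"svchost.exe", "explorer.exe"}


def parse_set_thread_context(text):
    """Return (src_pid, dst_pid, src_image, dst_image) for each SetThreadContext record."""
    hops = []
    for line in text.strip().splitlines():
        m = STC_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            hops.append((int(src), int(dst), src_img, dst_img))
    return hops


def classify_hop(src_image, dst_image):
    """Label a SetThreadContext hop: same image means a hollowed child, else injection."""
    if src_image.lower() == dst_image.lower():
        return "self-hollowing"
    if dst_image.lower() in SYSTEM_HOSTS:
        return "inject-into-system-host"
    return "cross-process-injection"


def lineage(hops, tree, start_pid):
    """Walk from start_pid, preferring a SetThreadContext edge over a plain spawn.

    Stops at the tree root (Explorer here) so the final injection into the
    ancestor does not loop back onto the sample's own spawn edge."""
    stc = {src: (dst, si, di) for src, dst, si, di in hops}
    children = {parent: (child, img) for parent, child, img in tree}
    roots = {p for p, _, _ in tree} - {c for _, c, _ in tree}
    steps, pid, seen = [], start_pid, set()
    while pid not in seen and pid not in roots:
        seen.add(pid)
        if pid in stc:
            dst, src_img, dst_img = stc[pid]
            steps.append({"src": pid, "dst": dst, "image": dst_img,
                          "kind": classify_hop(src_img, dst_img)})
            pid = dst
        elif pid in children:
            child, img = children[pid]
            steps.append({"src": pid, "dst": child, "image": img, "kind": "spawn"})
            pid = child
        else:
            break
    return steps


def parse_run_key(ioc):
    """Extract the autorun value name and the executable it points at."""
    m = RUN_RE.search(ioc)
    if not m:
        return None
    name, raw_path = m.groups()
    path = raw_path.replace("\\\\", "\\")      # the report doubles backslashes
    return {"name": name, "path": path,
            "user_writable": "\\appdata\\" in path.lower()}


def summarize(start_pid=2912):
    steps = lineage(parse_set_thread_context(SET_THREAD_CONTEXT_IOCS), PROCESS_TREE, start_pid)
    return {"steps": steps,
            "final_host": steps[-1]["image"] if steps else None,
            "persistence": parse_run_key(RUN_KEY_IOC)}


if __name__ == "__main__":
    result = summarize()
    for s in result["steps"]:
        print(f"{s['src']:>5} -> {s['dst']:<5} {s['kind']:<24} {s['image']}")
    print("final host:", result["final_host"])
    print("autorun:", result["persistence"])
```

Run stand-alone it prints the seven steps from PID 2912 to the injection into Explorer.EXE (PID 1192) and the Run value compOMEX pointing at cmickmgr.exe under the user's AppData\Roaming, which is the artifact to check for on a suspected host.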
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 112B
  MD5: bd8b325f970a9f2cb4745ee1760eb0c1
  SHA1: ece418ccb23368ba7363966adf5985ebe0c64678
  SHA256: 80b3d709a63b80470360fed62529aac002f8e284f965be784b6eb51120e88081
  SHA512: f98b5b0d407f053071a8191c009b525c390e9bec041ce26c3e107e6da41fd2dabb47cc31e49ab32593c54979c053e82827ebcc47a6d80916aca12f0b6bd27ced
- Filesize: 539KB (same hashes as the submitted sample)
  MD5: 28c49eb4f2dfa09ab41ec5ba7fe96eaf
  SHA1: e28d4cb57b9836d29e324d9e51692b84a50a3ca5
  SHA256: eb3e91eb6062ab5dc2682efa3d6485e13745426d5c43c0f8c5da34d85419f3bb
  SHA512: 8d95224a8561d0f5ff4f270447b1c392dd41ee5833dbafdf37b3e8412e3bf7c61bc74c01a789dd92cf7173995698a7cf3ad1a643f8fd2dc4a99d9a4944b30c2f