gootkit | b683ccee257c2edb5dada7ca00e936cfbb7a81e006719afc5c91778188d349e5

General

Target

3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe
Size

128KB
MD5

3ba897d0c17ee90debaec62b17bb323d
SHA1

eaf8e697d1554984e1ba2a9e49046a77f6dc8c46
SHA256

b683ccee257c2edb5dada7ca00e936cfbb7a81e006719afc5c91778188d349e5
SHA512

ad552034772f7970c4cc85fcf7b516b281c45630e2ed6e1295fb98479d0a783096ee1df1c164006a20c823f64909e438d23199bc4ea1043dc39f9ce305296937
SSDEEP

3072:n9mQrWSB/WM+dCB+IF1G6911I0EDAUQ+iU2r2:n9USBOMNBNF1Hy0EDAUQ+iU2r2

Score

10^/10

gootkit 8888 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

8888

C2

sslsecurehost.com

securessl256.com

Attributes

vendor_id
8888

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2612 cmd.exe

pid	process
2612	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mstsc.exe

pid	process
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe
2344	mstsc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe

pid process

1612 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe

pid	process
1612	3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exemstsc.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 2344	1612	3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe	mstsc.exe
PID 1612 wrote to memory of 2344	1612	3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe	mstsc.exe
PID 1612 wrote to memory of 2344	1612	3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe	mstsc.exe
PID 1612 wrote to memory of 2344	1612	3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe	mstsc.exe
PID 1612 wrote to memory of 2344	1612	3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe	mstsc.exe
PID 1612 wrote to memory of 2344	1612	3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe	mstsc.exe
PID 1612 wrote to memory of 2344	1612	3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe	mstsc.exe
PID 1612 wrote to memory of 2344	1612	3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe	mstsc.exe
PID 1612 wrote to memory of 2344	1612	3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe	mstsc.exe
PID 2344 wrote to memory of 2612	2344	mstsc.exe	cmd.exe
PID 2344 wrote to memory of 2612	2344	mstsc.exe	cmd.exe
PID 2344 wrote to memory of 2612	2344	mstsc.exe	cmd.exe
PID 2344 wrote to memory of 2612	2344	mstsc.exe	cmd.exe
PID 2612 wrote to memory of 2912	2612	cmd.exe	attrib.exe
PID 2612 wrote to memory of 2912	2612	cmd.exe	attrib.exe
PID 2612 wrote to memory of 2912	2612	cmd.exe	attrib.exe
PID 2612 wrote to memory of 2912	2612	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2912 attrib.exe

pid	process
2912	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\mstsc.exe
  C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259429959.bat" "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe""
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"
      4⤵
      Views/modifies file attributes
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259429959.bat

Filesize
76B

MD5
920a46297210fc91a9d5ab079b91b787

SHA1
d22e32340fe97ee7ca57dcaa64b8df7b02a646da

SHA256
397ecd3b137b84cb61a758a1ec9b14130b1fd07c404910635545fd7c9c0dd9d8

SHA512
a273089dab748741f2029b4baca28ae969b9b148a91fbc5b2945c8288009a8c76dfa831e05bfc278a5b3df1804060c8770496202849e853d5772517ab4b0c5dc

Download Submit
memory/2344-0-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing