Overview

overview

10

Static

static

10

3ba897d0c1...18.exe

windows7-x64

10

3ba897d0c1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 19:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe

  • Size

    128KB

  • MD5

    3ba897d0c17ee90debaec62b17bb323d

  • SHA1

    eaf8e697d1554984e1ba2a9e49046a77f6dc8c46

  • SHA256

    b683ccee257c2edb5dada7ca00e936cfbb7a81e006719afc5c91778188d349e5

  • SHA512

    ad552034772f7970c4cc85fcf7b516b281c45630e2ed6e1295fb98479d0a783096ee1df1c164006a20c823f64909e438d23199bc4ea1043dc39f9ce305296937

  • SSDEEP

    3072:n9mQrWSB/WM+dCB+IF1G6911I0EDAUQ+iU2r2:n9USBOMNBNF1Hy0EDAUQ+iU2r2

Score
10/10
gootkit8888bankerbotnettrojan

Malware Config

Extracted

Family

gootkit

Botnet

8888

C2

sslsecurehost.com

securessl256.com
Attributes
  • vendor_id

    8888

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in node.JS.

    trojanbankerbotnetgootkit
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3844
    • C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240598546.bat" "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"
          4⤵
          • Views/modifies file attributes
          PID:1500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240598546.bat
    Filesize

    76B

    MD5

    b1954605b3e329f6dfc8a3fa8c46227e

    SHA1

    1ec20a1a6485465ac4e04e96180cf6bd202aebb3

    SHA256

    bbbc538ab412e7a6a9ac3a2b20b5186dba4b530536c4928e04a23e5001996146

    SHA512

    ff73965b00ccf5fb4f09582820bae0486599d21ccb8eaff9a043f2694f5cb6b4632835defa61ed1c8b58047758373278c2528af1e7f197ea8c651cfacccd2feb

    Download Submit

  • memory/3696-0-0x0000000000A10000-0x0000000000A30000-memory.dmp

    Filesize

    128KB

    Download