Malware Analysis Report

2024-10-16 02:35

Sample ID 240518-28586adc6z
Target 5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118
SHA256 7196d74bc1fefdbabd1ede86ecd8377a18506c19b2fe8e951f05d40472163faf
Tags
gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7196d74bc1fefdbabd1ede86ecd8377a18506c19b2fe8e951f05d40472163faf

Threat Level: Known bad

The file 5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gozi banker isfb trojan

Gozi

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 23:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 23:16

Reported

2024-05-18 23:18

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1132 -ip 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1424

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:80 www.microsoft.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsl888A.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 23:16

Reported

2024-05-18 23:18

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-18 23:16

Reported

2024-05-18 23:18

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3204 wrote to memory of 3368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3204 wrote to memory of 3368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3204 wrote to memory of 3368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3368 -ip 3368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4068,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 23:16

Reported

2024-05-18 23:18

Platform

win7-20240419-en

Max time kernel

142s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso5449.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

memory/2784-7-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2784-8-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2784-9-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2784-13-0x00000000004C0000-0x000000000050A000-memory.dmp

memory/2784-20-0x00000000004C0000-0x000000000050A000-memory.dmp