gootkit | 8646105621d6c01b212cede10b2fde39c70d76d8cece3bb957c2e4b5176fd9d1

General

Target

5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Size

104KB
MD5

5d5ec039c6e151b1d7119f9aae350c0d
SHA1

7a654ff2489ff36d08ff73343669a40a3c45ea73
SHA256

8646105621d6c01b212cede10b2fde39c70d76d8cece3bb957c2e4b5176fd9d1
SHA512

e76391fcc6a5fe8134831dbfc245e6f99b601a638ce7571495e597512f3a96f031d63e0db6bfc15e980944c72537a930b28144932bebfe82a687121853353fa5
SSDEEP

3072:Lx78Ll6UnxKC6FWhd9aP6YsaS+LQXyjPoU:F7QDxvwWhdgCYspXuo

Score

10^/10

gootkit 1001 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

1001

C2

pell-talak.com

gudsline.com

Attributes

vendor_id
1001

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Drops file in System32 directory 4 IoCs

Processes:

5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe

description	pid	process	target process
PID 1640 wrote to memory of 616	1640	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe	5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5d5ec039c6e151b1d7119f9aae350c0d_JaffaCakes118.exe" kqooiarpirqurqvyaxjk
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/616-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/616-36-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/616-23-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/616-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/616-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/616-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1640-12-0x0000000002A20000-0x0000000002AE9000-memory.dmp

Filesize
804KB

Download
memory/1640-15-0x00000000002E0000-0x00000000002E5000-memory.dmp

Filesize
20KB

Download
memory/1640-9-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1640-8-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1640-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1640-13-0x0000000002AF0000-0x0000000002BF9000-memory.dmp

Filesize
1.0MB

Download
memory/1640-14-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1640-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1640-11-0x0000000001FE0000-0x000000000207F000-memory.dmp

Filesize
636KB

Download
memory/1640-10-0x0000000002660000-0x000000000278D000-memory.dmp

Filesize
1.2MB

Download
memory/1640-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1640-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1640-17-0x00000000002E0000-0x00000000002E5000-memory.dmp

Filesize
20KB

Download
memory/1640-16-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1640-1-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads