gootkit | 9736a79308b004889cde2fcd8d6912964ca67075c126c049378b438dcee77c83

General

Target

61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe
Size

152KB
MD5

61ee3ec38bee1aff69a3fc4c568b42a8
SHA1

94798cd58c4b720d390afdde9518f8429e86e5d3
SHA256

9736a79308b004889cde2fcd8d6912964ca67075c126c049378b438dcee77c83
SHA512

604d1cb9e919c7a5158b345ae02c247dc3790dbe3e2a3824debf2e96e2e9ec8973414e0dee01d029fd49f084edea9054c83a917bf41fd5211557a749d18267ce
SSDEEP

3072:C9mQrWSB/WM+dCB+IF1G6sT11I0EDAUQ+iU2r2dwat3v:C9USBOMNBNF1cxy0EDAUQ+iU2r2Gev

Score

10^/10

gootkit 8888 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

8888

C2

sslsecurehost.com

securessl256.com

Attributes

vendor_id
8888

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3044 cmd.exe

pid	process
3044	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mstsc.exe

pid	process
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe
3016	mstsc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe

pid process

2372 61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe

pid	process
2372	61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exemstsc.execmd.exe

description	pid	process	target process
PID 2372 wrote to memory of 3016	2372	61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe	mstsc.exe
PID 2372 wrote to memory of 3016	2372	61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe	mstsc.exe
PID 2372 wrote to memory of 3016	2372	61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe	mstsc.exe
PID 2372 wrote to memory of 3016	2372	61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe	mstsc.exe
PID 2372 wrote to memory of 3016	2372	61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe	mstsc.exe
PID 2372 wrote to memory of 3016	2372	61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe	mstsc.exe
PID 2372 wrote to memory of 3016	2372	61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe	mstsc.exe
PID 2372 wrote to memory of 3016	2372	61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe	mstsc.exe
PID 2372 wrote to memory of 3016	2372	61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe	mstsc.exe
PID 3016 wrote to memory of 3044	3016	mstsc.exe	cmd.exe
PID 3016 wrote to memory of 3044	3016	mstsc.exe	cmd.exe
PID 3016 wrote to memory of 3044	3016	mstsc.exe	cmd.exe
PID 3016 wrote to memory of 3044	3016	mstsc.exe	cmd.exe
PID 3044 wrote to memory of 1136	3044	cmd.exe	attrib.exe
PID 3044 wrote to memory of 1136	3044	cmd.exe	attrib.exe
PID 3044 wrote to memory of 1136	3044	cmd.exe	attrib.exe
PID 3044 wrote to memory of 1136	3044	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1136 attrib.exe

pid	process
1136	attrib.exe

C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\mstsc.exe
  C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259402284.bat" "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe""
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"
      4⤵
      Views/modifies file attributes
      PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259402284.bat

Filesize
76B

MD5
dd6ca08d9995ff089ecdd8f5d2056ab7

SHA1
26e42f8a43adcba4a3d761b569e90fb703c87f45

SHA256
728b58d0e0ef18da5858b1e4c9aa74f8d38e41b94c3114b29dd6abc55d9af522

SHA512
d2d22dd67614d533ca14481c7ac038444ef2127eb587eddcddeac34a6f2f450af9cc26267a483111d11e508a4fed2d043c5cf72fb9a56249b6699ad6556d0c4c

Download Submit
memory/3016-0-0x00000000000D0000-0x00000000000F0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing