Analysis

  • max time kernel
    139s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-05-2024 03:47

General

  • Target

    61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe

  • Size

    152KB

  • MD5

    61ee3ec38bee1aff69a3fc4c568b42a8

  • SHA1

    94798cd58c4b720d390afdde9518f8429e86e5d3

  • SHA256

    9736a79308b004889cde2fcd8d6912964ca67075c126c049378b438dcee77c83

  • SHA512

    604d1cb9e919c7a5158b345ae02c247dc3790dbe3e2a3824debf2e96e2e9ec8973414e0dee01d029fd49f084edea9054c83a917bf41fd5211557a749d18267ce

  • SSDEEP

    3072:C9mQrWSB/WM+dCB+IF1G6sT11I0EDAUQ+iU2r2dwat3v:C9USBOMNBNF1cxy0EDAUQ+iU2r2Gev

Malware Config

Extracted

Family

gootkit

Botnet

8888

C2

sslsecurehost.com

securessl256.com

Attributes
  • vendor_id

    8888

Signatures

  • Gootkit

    Gootkit is a banking trojan, large parts of which are written in Node.js.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3612
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240639781.bat" "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"
          4⤵
          • Views/modifies file attributes
          PID:4528
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4224,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
    1⤵
      PID:3560
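The process tree above is the part of this report a detection engineer can act on: a dropper in %TEMP% launches a signed system binary (mstsc.exe) and passes its own path as the argument, the hollowed mstsc.exe spawns cmd.exe to run a batch file staged in %TEMP%, and that batch file calls attrib -r -s -h on the dropper, the usual prelude to deleting it. The following is an added example, not part of the sandbox report or of Gootkit, that encodes those four observations as rules over process-creation events. The events are constructed from the tree above (PIDs and command lines are the report's; the parent PIDs are inferred from the tree depth because the report does not print them, and the ppid 1000 stands in for the unlisted parent of the two roots). The unrelated msedge.exe utility process is included as a negative case.

```python
"""Flag the execution chain seen in the sandbox process tree.

Added example, not part of the report. Events are (pid, ppid, image,
command line) tuples shaped after Sysmon Event ID 1 fields.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


# Constructed events mirroring the report's tree. PPIDs are assumed (inferred
# from the tree depth); ppid 1000 is a placeholder for the unlisted parent.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"
EVENTS = [
    (2736, 1000, DROPPER, f'"{DROPPER}"'),
    (3612, 2736, r"C:\Windows\SysWOW64\mstsc.exe",
     f'C:\\Windows\\System32\\mstsc.exe "{DROPPER}"'),
    (1656, 3612, r"C:\Windows\SysWOW64\cmd.exe",
     f'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\240639781.bat" "{DROPPER}""'),
    (4528, 1656, r"C:\Windows\SysWOW64\attrib.exe",
     f'attrib -r -s -h "{DROPPER}"'),
    (3560, 1000, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def build_tree(events) -> dict[int, Proc]:
    """Index processes by PID and link each one to its parent, when present."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None:
            parent.children.append(p)
    return procs


def flags_for(p: Proc, procs: dict[int, Proc]) -> list[str]:
    """Return the rule names that fire for one process, given its ancestry."""
    out = []
    parent = procs.get(p.ppid)
    cmd = p.cmdline.lower()
    # R1: a binary living in %TEMP% launches a Windows system binary and hands it
    # its own path on the command line (the injected code needs the dropper path).
    if (parent is not None and TEMP_RE.search(parent.image)
            and p.image.lower().startswith("c:\\windows\\")
            and parent.image.lower() in cmd):
        out.append("system binary launched by Temp dropper with dropper path as argument")
    # R2: mstsc.exe is an interactive RDP client; it has no reason to spawn a shell.
    if p.name == "cmd.exe" and parent is not None and parent.name == "mstsc.exe":
        out.append("cmd.exe spawned by mstsc.exe")
    # R3: shell executing a batch script staged in %TEMP%.
    if p.name == "cmd.exe" and re.search(r"\\temp\\[^\"]+\.bat", cmd):
        out.append("cmd.exe executing .bat from Temp")
    # R4: attrib clearing read-only/system/hidden on a Temp executable, the usual
    # step before a script deletes the dropper. Switch order is not relied on.
    if p.name == "attrib.exe" and {"-r", "-s", "-h"} <= set(cmd.split()) and TEMP_RE.search(cmd):
        out.append("attrib -r -s -h on Temp executable")
    return out


def detect(events) -> dict[int, list[str]]:
    """Map each flagged PID to the list of rules that fired for it."""
    procs = build_tree(events)
    return {pid: f for pid, p in procs.items() if (f := flags_for(p, procs))}


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, "->", "; ".join(rules))
```

Each rule is weak on its own (cmd.exe running a .bat from %TEMP% is common in installers), which is why the rules are evaluated per process with its parent in view: the chain dropper -> mstsc.exe -> cmd.exe -> attrib.exe firing all four is what makes this tree worth an alert, and the Edge utility process, which shares the same unlisted parent as the dropper, correctly produces nothing.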

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\240639781.bat

      Filesize

      76B

      MD5

      3d476d0b80a894739aac24b32fd5fc48

      SHA1

      a52d20a5fbc7478be965f01e9888488ec81ef1fc

      SHA256

      a3069159d3a85fa4dc2d5b128494012be5014b6220a269f03d9454c91e694753

      SHA512

      e34578eaf8111b73161add3305cd63e45181ef4d809cd53f317c70fe32d0813d4b9d2d2db709cea9edefd0f371519cc41e194a025cdd6f8084b9112553b93eb7

    • memory/3612-0-0x0000000000700000-0x0000000000720000-memory.dmp

      Filesize

      128KB