Analysis
-
max time kernel
93s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 10:59
Static task
static1
Behavioral task
behavioral1
Sample
86c3cdfe9de317a5cb77ff378de4312a_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
86c3cdfe9de317a5cb77ff378de4312a_JaffaCakes118.exe
-
Size
203KB
-
MD5
86c3cdfe9de317a5cb77ff378de4312a
-
SHA1
4095d6167b43ab660101346b067e46fff728f45f
-
SHA256
649ad032ec2dbe0ce2eec2de332e5a555e02bdf08607e58663af21722eb00919
-
SHA512
5963c0f901e61367116086d4ee91c2fcbb85c934750e676760bd715260d5e11f9478a4c6ded9f1be59dbd2c06d7e748bec3b1ec12c2a205da42ec2590ff4b37d
-
SSDEEP
3072:9bji2dQ6v4uPXDNUj4jKBonzmLXlYVRLh0epEEZqkFBc4+uTqN76o:9vdp4uPZzGonqXGXh0bluBc4GZ5
Malware Config
Extracted
gozi
-
build
215165
Extracted
gozi
3162
menehleibe.com
liemuteste.com
thulligend.com
-
build
215165
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
loader
-
server_id
12
Signatures
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109961" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2959695720" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004f8caa1c9f4cba428e26b677a31a63400000000002000000000010660000000100002000000029479375da0a7aacd469475e447592a287273ebc54afad8fa32864e59e8cca68000000000e80000000020000200000000b2a96f7818340b9e8314951fe1f93d1d5f493c851355ea94278090f52ffd7ab2000000014e4f6870e158f70e96ff32fb67381677fc1e2eb642d49a747f71a77352adb4240000000b40c8be910a442db8f585bb88839d89859d4a6b0d6da21fc7e7e95fdf65c6351c8c27e9cea489e6fb400d0c3cd715e16084a650f5427ca842faaa87b7950e532 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 403b04b149b3da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DBF64954-1F3C-11EF-A2D1-D2DDB4689AAC} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004f8caa1c9f4cba428e26b677a31a634000000000020000000000106600000001000020000000250b81c440a26d06da5a9eb9e8d496c991c594fb19fb1138375d11c27b188603000000000e800000000200002000000078c94e76c544e4c0a0fd08c51bdc21aed80280aa6cc1f0775fa7a6b24af3e496200000003ee69a0ac238f8b268f9636668dece15efcffac16d0b9f62d4f22772250fc2a240000000e25d9fcfdd8d4d4dc85fbcf17573bb5d52fbb2cd526b0b4d22e5f54ac4f11b2778bdf3b64cd0808d391751f03d2cb83ae8ba38d13841f108168b5ff5ab1144e8 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109961" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 500ffdb049b3da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2959695720" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 960 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 960 iexplore.exe 960 iexplore.exe 1420 IEXPLORE.EXE 1420 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
iexplore.exedescription pid process target process PID 960 wrote to memory of 1420 960 iexplore.exe IEXPLORE.EXE PID 960 wrote to memory of 1420 960 iexplore.exe IEXPLORE.EXE PID 960 wrote to memory of 1420 960 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\86c3cdfe9de317a5cb77ff378de4312a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\86c3cdfe9de317a5cb77ff378de4312a_JaffaCakes118.exe"1⤵
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4672-0-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/4672-1-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/4672-2-0x0000000000435000-0x000000000043A000-memory.dmpFilesize
20KB
-
memory/4672-3-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/4672-4-0x00000000006F0000-0x000000000070B000-memory.dmpFilesize
108KB
-
memory/4672-13-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB