Behavioral task: behavioral1
Sample: a9a28ab1a1ae0da4c8246de769387e1c_JaffaCakes118.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: a9a28ab1a1ae0da4c8246de769387e1c_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
- Target: a9a28ab1a1ae0da4c8246de769387e1c_JaffaCakes118
- Size: 228KB
- MD5: a9a28ab1a1ae0da4c8246de769387e1c
- SHA1: 24dfc4b7c7f69b8c29d532d19973ea7a38f811b4
- SHA256: 64e4d572b9356c23a0678d803881dd7829f0cd21dc5c37be83e7b35b9d0e6df6
- SHA512: bf4a90d1cd2321bcd7c864fe114d29b680c19eea501a8128c5cb8198d89bf6eee9490b33614523c5e8e654c040ba59e4c464accea646a7fce558951ca062415c
- SSDEEP: 3072:+BqV1mxWKfeZw00tOWP8Qwy4iawlxiMEL+A3xZlL7OSckyvj0XDzeoELm877o:YmufeNEjaWiMEL+A3hPOSckg03JELmV
Malware Config
- Extracted: gozi
Signatures
- Gozi family
- Unsigned PE (1 IoC): checks for missing Authenticode signature.
  resource a9a28ab1a1ae0da4c8246de769387e1c_JaffaCakes118
Files
- a9a28ab1a1ae0da4c8246de769387e1c_JaffaCakes118.exe windows:4 windows x86 arch:x86
3a876a17864a1700d58dd4eefbfc7801
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
ZwOpenProcessToken
ZwClose
mbstowcs
NtQuerySystemInformation
RtlNtStatusToDosError
memcpy
memset
ZwQueryInformationProcess
NtUnmapViewOfSection
NtMapViewOfSection
RtlUpcaseUnicodeString
NtCreateSection
ZwOpenProcess
ZwQueryInformationToken
RtlFreeUnicodeString
RtlUnwind
NtQueryVirtualMemory
shlwapi
PathFindExtensionW
StrRChrA
PathFindExtensionA
StrChrA
PathCombineW
PathFindFileNameW
StrChrW
StrTrimW
PathFindFileNameA
kernel32
CloseHandle
ResetEvent
LoadLibraryA
CreateWaitableTimerA
GetTickCount
SetFileAttributesW
CreateProcessA
SetEvent
CreateEventA
GetProcAddress
GetLastError
lstrcatW
Sleep
HeapFree
lstrcmpiW
lstrlenW
SetWaitableTimer
HeapAlloc
GetCommandLineW
ExitProcess
GetModuleHandleA
HeapCreate
HeapDestroy
WaitForSingleObject
DeleteFileW
VirtualProtectEx
ResumeThread
SuspendThread
lstrcmpA
GetTempFileNameA
CreateDirectoryA
GetTempPathA
GetFileSize
lstrcpynA
GetFileTime
FindNextFileA
CompareFileTime
GetLongPathNameW
OpenProcess
GetVersion
GetCurrentProcessId
CreateFileW
GetModuleFileNameA
lstrcatA
FindClose
CreateFileA
VirtualFree
SetLastError
lstrcpyA
lstrcmpiA
VirtualAlloc
SetFilePointer
lstrlenA
ReadFile
GetModuleFileNameW
ExpandEnvironmentStringsA
ExpandEnvironmentStringsW
WriteFile
SetEndOfFile
lstrcpyW
CreateDirectoryW
FlushFileBuffers
LocalFree
FindFirstFileA
user32
wsprintfW
wsprintfA
GetCursorInfo
advapi32
GetSidSubAuthorityCount
RegEnumKeyExA
RegOpenKeyW
RegDeleteValueW
GetTokenInformation
OpenProcessToken
GetSidSubAuthority
RegQueryValueExA
RegCreateKeyA
RegSetValueExW
RegSetValueExA
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegCloseKey
RegQueryValueExW
RegOpenKeyExA
RegOpenKeyA
shell32
ShellExecuteExW
ord92
ShellExecuteW
ole32
CoInitializeEx
CoUninitialize
Sections
.text Size: 17KB - Virtual size: 17KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1024B - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.bss Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 202KB - Virtual size: 204KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
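Added example, not part of the sandbox report above and not the sandbox's own tooling: a stdlib-only Python PE header parser that reproduces the header-level checks this report exposes. It tests the "Unsigned PE" condition (an empty Attribute Certificate data directory, i.e. no embedded Authenticode signature), reads the COFF File Characteristics (IMAGE_FILE_RELOCS_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE), and measures how much of the section data the resource section occupies. Because the sample itself is not on the page, the block builds a header-only PE32 inline whose section names, sizes, flags and characteristics are copied from the Sections and Headers listings above; the "signed" variant writes a hypothetical certificate-table offset and size (0x39000, 0x1800) purely so the other branch of the check can be exercised.

```python
"""
Static triage of PE headers: absent Authenticode directory ("Unsigned PE"),
stripped relocations, and a resource section that dominates the file.
Pure stdlib; no pefile dependency.
"""
import struct

# COFF Characteristics bits (winnt.h)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
# Index of the Attribute Certificate (Authenticode) data directory
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_pe(data: bytes) -> dict:
    """Parse DOS header, COFF header, the data directories and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine, nsections, _ts, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories begin at offset 96 (PE32, magic 0x10B) or 112 (PE32+) of the optional header;
    # NumberOfRvaAndSizes sits in the 4 bytes just before them.
    dd_base = opt + (96 if magic == 0x10B else 112)
    ndirs = struct.unpack_from("<I", data, dd_base - 4)[0]
    sec_off, sec_size = 0, 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the first field is a file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    table = opt + opt_size                   # section table immediately follows the optional header
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr,
         _r, _l, _nr, _nl, flags) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rva": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "flags": flags})
    return {"machine": machine, "characteristics": characteristics,
            "security_dir": (sec_off, sec_size), "sections": sections}


def triage(data: bytes) -> dict:
    """Return the header-level findings a sandbox's 'Unsigned PE' / packing checks rely on."""
    pe = parse_pe(data)
    raw_total = sum(s["rawsize"] for s in pe["sections"]) or 1
    rsrc = next((s for s in pe["sections"] if s["name"] == ".rsrc"), None)
    report = {
        "unsigned": pe["security_dir"] == (0, 0),
        "relocs_stripped": bool(pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED),
        "rsrc_ratio": (rsrc["rawsize"] / raw_total) if rsrc else 0.0,
        "notes": [],
    }
    if report["unsigned"]:
        report["notes"].append("no embedded Authenticode signature (security directory empty)")
    if report["relocs_stripped"]:
        report["notes"].append("relocations stripped: image cannot be rebased, so ASLR does not apply")
    if report["rsrc_ratio"] >= 0.5:
        report["notes"].append(f".rsrc holds {report['rsrc_ratio']:.0%} of section data: "
                               "inspect resources for an embedded payload")
    return report


def build_sample_pe(signed: bool = False) -> bytes:
    """Constructed, header-only PE32 mirroring the section table and File Characteristics
    reported above. No code or resource bytes are included; only headers are parsed."""
    layout = [  # name, virtual size, raw size, section characteristics
        (b".text", 17 * 1024, 17 * 1024, 0x60000020),   # CNT_CODE | MEM_EXECUTE | MEM_READ
        (b".rdata", 3 * 1024, 3 * 1024, 0x40000040),    # CNT_INITIALIZED_DATA | MEM_READ
        (b".data", 1024, 1024, 0xC0000040),             # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
        (b".bss", 1024, 2 * 1024, 0xC0000040),
        (b".rsrc", 204 * 1024, 202 * 1024, 0x40000040),
    ]
    opt_size = 224                                      # PE32 optional header with 16 directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack(
        "<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size,
        IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    if signed:
        # Hypothetical certificate table (file offset, size); a real file has a WIN_CERTIFICATE there.
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x39000, 0x1800)
    headers = b""
    rva, rawptr = 0x1000, 0x400
    for name, vsize, rawsize, flags in layout:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, rva, rawsize, rawptr, 0, 0, 0, 0, flags)
        rva += (vsize + 0xFFF) & ~0xFFF                 # next section on a page boundary
        rawptr += rawsize
    return dos + coff + bytes(opt) + headers


if __name__ == "__main__":
    for signed in (False, True):
        print("signed" if signed else "unsigned", "variant:", triage(build_sample_pe(signed))["notes"])
```

On the constructed headers the resource section accounts for roughly 90% of section data, which is the same picture the report gives for the real file (a 202KB .rsrc in a 228KB executable). Two caveats when running this against real binaries: an empty security directory only means there is no embedded signature, so catalog-signed Windows components also trip the check and should be confirmed with a signature-verification tool on a Windows host; and the ratio uses summed SizeOfRawData, so an overlay appended past the last section is not counted and should be checked separately.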