Malware Analysis Report

2024-10-16 02:26

Sample ID 240701-j2pnqa1and
Target 1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118
SHA256 f2416b31c7a3b9671b5a90fea79c0c0830f5c7bf8735f0ff7af250214bf18192
Tags
gozi banker isfb trojan discovery persistence ransomware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f2416b31c7a3b9671b5a90fea79c0c0830f5c7bf8735f0ff7af250214bf18192

Threat Level: Known bad

The file 1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gozi banker isfb trojan discovery persistence ransomware upx

Gozi

Checks computer location settings

UPX packed file

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Sets desktop wallpaper using registry

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Checks processor information in registry

Modifies Control Panel

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-01 08:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-01 08:10

Reported

2024-07-01 08:12

Platform

win7-20240221-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 160

Network

N/A

Files

memory/1728-0-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1728-1-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1728-3-0x0000000000220000-0x0000000000250000-memory.dmp

memory/1728-2-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1728-4-0x0000000000400000-0x0000000000436000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-01 08:10

Reported

2024-07-01 08:12

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

61s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lphcv4mj0e158 = "C:\\Windows\\system32\\lphcv4mj0e158.exe" C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\phcv4mj0e158.bmp C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\blphcv4mj0e158.scr C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\system32\\phcv4mj0e158.bmp" C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted] C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Colors\Background = "0 0 255" C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\OriginalWallpaper = "C:\\Windows\\system32\\phcv4mj0e158.bmp" C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\system32\\phcv4mj0e158.bmp" C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\blphcv4mj0e158.scr" C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaveActive = "1" C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1a8c526fef68c1289cd41addf512d9d8_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\.tt4093.tmp.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3

Network

Country Destination Domain Proto
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 8.8.8.8:53 avxp-2008.com udp

Files

memory/5000-0-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5000-1-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5000-2-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5000-5-0x0000000000404000-0x0000000000406000-memory.dmp

memory/5000-4-0x00000000006A0000-0x00000000006D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.tt4093.tmp.vbs

MD5 9df700c8f6fd43fac0a89aef04214bbd
SHA1 6ec8bc6d4041ccf19757757c0da6592469f71c57
SHA256 9ab6f2c3cc3965cd05f81d859bdfac3b25a5e70178f61ea677d31987c4e142fd
SHA512 8bbcd322f3998c0f7d81884737ca313c1353ac7e3899f168fc8d44eafbe064193353b8b16f92113288ff2102c47623b542861440c414b8acf36d75c4ad645d4d

C:\Windows\SysWOW64\blphcv4mj0e158.scr

MD5 538f9ead95eba12134d95b4fe7082331
SHA1 527c50b92b5cededdd5b7e3edda71cb13d108dac
SHA256 a416bab39037854c14540edaaf80cff7b5f2e9db31eee235527574e8dedd54e6
SHA512 4631ff7cf868348585ee0e26591b95be3ee8b232c7980f5013f4464f285b0fbdef41794c44cb8653d6fb6dc815c0c0a9f4af780bfeb9b23d2f4c3bdc62bf4581

memory/5000-16-0x0000000002E10000-0x0000000002EC4000-memory.dmp

memory/5000-17-0x0000000000400000-0x0000000000436000-memory.dmp