Malware Analysis Report

2024-10-16 02:23

Sample ID 240712-xlsx4aybkc
Target 3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118
SHA256 be148e027aec352e1a0c4c01bf1722155905bc164592f218de1c0211da34e144
Tags
upx isfb gozi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be148e027aec352e1a0c4c01bf1722155905bc164592f218de1c0211da34e144

Threat Level: Known bad

The file 3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

Deletes itself

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-12 18:56

Signatures

Gozi family

gozi

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 18:56

Reported

2024-07-12 18:59

Platform

win7-20240704-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\gth68338.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\mmsfc1.dll | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mmsfc1.dll | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ComRes.dll | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\gth68338.exe | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\fOntS\ComRes.dll | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A
File created | C:\Windows\fOntS\gth68338.ttf | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A
File created | C:\Windows\fOntS\gth68338.fon | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\gth68338.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\gth68338.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\gth68338.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\gth68338.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe"

C:\Windows\SysWOW64\gth68338.exe

C:\Windows\system32\gth68338.exe C:\Windows\fOntS\ComRes.dll ins C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe

Network

N/A

Files

memory/2824-1-0x0000000000400000-0x0000000000437000-memory.dmp

\Windows\SysWOW64\mmsfc1.dll

MD5 84799328d87b3091a3bdd251e1ad31f9
SHA1 64dbbe8210049f4d762de22525a7fe4313bf99d0
SHA256 f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b
SHA512 0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

\Windows\SysWOW64\gth68338.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Windows\fOntS\ComRes.dll

MD5 615d4a31846add4208fc9e861e615954
SHA1 80d5324d7d1aacf800efd008b2f23d59531ff5e3
SHA256 097747eb5f1ccd26f2702c00f203e8c34bd9f7b914edcc02ccabf4538e8aaf07
SHA512 9648c3b0c82295ed2a6db8c2562e24b9f52c4861e0df76273b8fa93581d9d5c2a189a0a73ab7209bb039c489ec0b9274b0833b7f5d57a859bc69656c0a4966c4

memory/2596-15-0x0000000010000000-0x0000000010016000-memory.dmp

memory/2596-19-0x0000000010000000-0x0000000010016000-memory.dmp

memory/2596-21-0x0000000010000000-0x0000000010016000-memory.dmp

C:\Windows\fOntS\gth68338.ttf

MD5 3b19bb1f62c945c96e70c825292554a8
SHA1 db996acf9835ff516326b5722f359943b075da66
SHA256 129068b51496841bbbd05a53ecc96d418ea0d06e3516182c2188fd9087c14fca
SHA512 dceb4278ee648283080f56f9b2dd8b23403d66108dd07a6dac8af349a1a19b46449e8c6cd5f7d6569abeea085d3b7f843306fa0043532da5db0b6d113070847e

memory/2596-24-0x0000000000160000-0x000000000016E000-memory.dmp

C:\Windows\fOntS\gth68338.fon

MD5 63ef40e4a30981e291f8fdc419747a5b
SHA1 691df18cf097a8b601f8658e6fc2e0f5219d6039
SHA256 b37ecb8c15327e54cb217ee954eee46249828d7ce3b5640e8d8a23b2f265e124
SHA512 a1718c9a9a7b99295b420d602d1ae5173df9ef9e953877ba84e39513e1301cfe6150e36edbe88e669fcaec2b94cc94dba083ac73e17d40035e261af0012c6b10

memory/2596-26-0x0000000010000000-0x0000000010016000-memory.dmp

memory/2596-27-0x0000000000160000-0x000000000016E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 18:56

Reported

2024-07-12 18:59

Platform

win10v2004-20240709-en

Max time kernel

92s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\gth68338.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\gth68338.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ComRes.dll | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\gth68338.exe | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\mmsfc1.dll | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mmsfc1.dll | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\fOntS\ComRes.dll | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A
File created | C:\Windows\fOntS\gth68338.ttf | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A
File created | C:\Windows\fOntS\gth68338.fon | C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\gth68338.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe"

C:\Windows\SysWOW64\gth68338.exe

C:\Windows\system32\gth68338.exe C:\Windows\fOntS\ComRes.dll ins C:\Users\Admin\AppData\Local\Temp\3e7e3187fa9ba4daf323781d9d249595_JaffaCakes118.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 19.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp

Files

memory/4940-0-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\mmsfc1.dll

MD5 98c499fccb739ab23b75c0d8b98e0481
SHA1 0ef5c464823550d5f53dd485e91dabc5d5a1ba0a
SHA256 d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087
SHA512 9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

C:\Windows\SysWOW64\gth68338.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/4940-12-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\fOntS\ComRes.dll

MD5 615d4a31846add4208fc9e861e615954
SHA1 80d5324d7d1aacf800efd008b2f23d59531ff5e3
SHA256 097747eb5f1ccd26f2702c00f203e8c34bd9f7b914edcc02ccabf4538e8aaf07
SHA512 9648c3b0c82295ed2a6db8c2562e24b9f52c4861e0df76273b8fa93581d9d5c2a189a0a73ab7209bb039c489ec0b9274b0833b7f5d57a859bc69656c0a4966c4

memory/960-16-0x0000000010000000-0x0000000010016000-memory.dmp