Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
-
submitted
31-07-2024 17:52
General
-
Target
7d62e1b94f471c3d0dc01af8ef1070f2_JaffaCakes118.exe
-
Size
412KB
-
MD5
7d62e1b94f471c3d0dc01af8ef1070f2
-
SHA1
e49e8ba2aa87edf578ce603fc186b89e5f8ddfc3
-
SHA256
2140eb8fb75c67eb1a7ab305c07dd6bb1bc97fafda4b6632e5e7a58bb077f497
-
SHA512
8e953a842749bfebd81bb0785b733d5b3330fa4b265eecf0f01422d2d661ce6b7808f617aae5dcc908f3853bc5b74baa86537f7d5860f331f3a4e9bbef0ac59b
-
SSDEEP
6144:2rKd/9yO8EJKdRWWyU/PgJoK01tDWUej3dc9YJTVK1GHzbAW0tOpOZibXPU/gC9Z:zdl7iutsClIqSYhjKT7x/++U0Zdd
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
l2mymom#
Extracted
gozi
Signatures
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Detected Nirsoft tools 4 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops desktop.ini file(s) 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 11 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d62e1b94f471c3d0dc01af8ef1070f2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7d62e1b94f471c3d0dc01af8ef1070f2_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Java Update.exe"C:\Users\Admin\AppData\Local\Temp\Java Update.exe" /stext C:\Users\Admin\AppData\Local\Temp\mess.txt2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" /stext C:\Users\Admin\AppData\Local\Temp\iepv.txt2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Update.exeC:\Users\Admin\AppData\Local\Temp\Microsoft_Update.exe /stext C:\Users\Admin\AppData\Local\Temp\ChromePass.txt2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\WINDOWS\system32\explorer\winlogon.exeC:\WINDOWS\system32\explorer\winlogon.exe2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
63KB
MD5fbb93d4c91453b06414d6973152d904e
SHA14624232c5450e7e9e7ba1f2113a07f8800dc5b5f
SHA2568898b138a3f238fa985992a9d0e48f6b5865dd2cc35e08b83fa326260c510ffe
SHA5124ed926d230af576a945bdd4d9b2d4001e8036abbcf1ef9a35669823d9420b6d95b426d80384a6fd022165c1fc2485fda0e28193b99b301927236928ddfcac6f7
-
Filesize
125KB
MD59b3b1c0db965166319469b2afa6c4f0c
SHA19f1e65a3056dff872949329c4e5e70c007cc5621
SHA256dbfa10a7deeb6d1ac8fd95ffeb23b87adc58e6388e522812fabe7f710e3cdd89
SHA512c11512599b83fa1875a67915a7e7454512ed8300a0a47c16692ebc1f526755c39c795fe9721dd97d417bfcb29f9e4c1f3283cf4c426af6571b3996005f7e4f5e
-
Filesize
42KB
MD528c110b8d0ad095131c8d06043678086
SHA1c684cf321e890e0e766a97609a4cde866156d6c5
SHA256dbc2216d5f31f5218e940e3d802998dee90eeb69af69cbeb063c69c6a5a3f1e1
SHA512065e043b76b0e1163e73f4a1c257bae793ae9b46bff1951956c2174ef91deb2528730da77aab76b9e7246d705c3b8c1d23f05dc3b161cacabf3e52d0f563c922
-
Filesize
86B
MD559a761c211a2111802550482d5d26d0e
SHA1b12c3fdc250696d634aa546d4a9c3e853ef61ba7
SHA25668bdc4a244f3b984ec14cc13e539eaaef03df9e010eb2b4c9d333e307e93dfb1
SHA512ff1d90d199e258c84b524d5be2aab9650146a2c422badaa98aba0736559e199fce666d4772d8f261116aaab72fdbbae7f395d90a8e1ad9b01cbe6d780dca1751
-
Filesize
412KB
MD57d62e1b94f471c3d0dc01af8ef1070f2
SHA1e49e8ba2aa87edf578ce603fc186b89e5f8ddfc3
SHA2562140eb8fb75c67eb1a7ab305c07dd6bb1bc97fafda4b6632e5e7a58bb077f497
SHA5128e953a842749bfebd81bb0785b733d5b3330fa4b265eecf0f01422d2d661ce6b7808f617aae5dcc908f3853bc5b74baa86537f7d5860f331f3a4e9bbef0ac59b
-
Filesize
114B
MD5e89f75f918dbdcee28604d4e09dd71d7
SHA1f9d9055e9878723a12063b47d4a1a5f58c3eb1e9
SHA2566dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023
SHA5128df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
304KB
-
Filesize
624KB
-
Filesize
256KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
392KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
3.1MB
-
Filesize
9.6MB
-
Filesize
664KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
4.8MB
-
Filesize
9.6MB
-
Filesize
244KB