gootkit | f52720305e8cd88c48de5eecd5965983d48693e4c693e3f82cfa48f1f2edfd78

Analysis

max time kernel
47s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
Size

362KB
MD5

cb47db092132c66ed0ed6d705cacd72c
SHA1

884cdfb481b5f38485d7844b015728665eedcc51
SHA256

f52720305e8cd88c48de5eecd5965983d48693e4c693e3f82cfa48f1f2edfd78
SHA512

84b58ff20a057ac4804f7bc2e170c9bfc14227a36bd1b02d738a36c5baf39e478f7fa34718ddce9a760d1e8d0c59442a33b4664d9ea0252ac254e30c67f7a18e
SSDEEP

6144:up2jrNSfUetDI1LdsVifhSMQ35HpYHYpOPYN8v:y2/NyUeJI1LdsHMQpHp9UYN8v

Score

10^/10

gootkit 1235 banker botnet discovery trojan

Malware Config

Extracted

Family

gootkit

Botnet

1235

zalipon.wollega.com

trussardi.qunamti.com

luga5lindalupina.com

Attributes

vendor_id
1235

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2784	2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2784	2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2784	2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2784	2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2784	2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2784	2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2784	2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2784	2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2784	2780	cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2728	2784	mstsc.exe	31
PID 2784 wrote to memory of 2728	2784	mstsc.exe	31
PID 2784 wrote to memory of 2728	2784	mstsc.exe	31
PID 2784 wrote to memory of 2728	2784	mstsc.exe	31
PID 2728 wrote to memory of 1648	2728	cmd.exe	33
PID 2728 wrote to memory of 1648	2728	cmd.exe	33
PID 2728 wrote to memory of 1648	2728	cmd.exe	33
PID 2728 wrote to memory of 1648	2728	cmd.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1648	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\mstsc.exe
  C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259549611.bat" "C:\Users\Admin\AppData\Local\Temp\cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe""
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\cb47db092132c66ed0ed6d705cacd72c_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259549611.bat

Filesize
76B

MD5
4c8cd07a46f7f03abf32f572604d7b21

SHA1
82c10bf05d4fdd344e5728e09d5606218eed87ed

SHA256
48ebdc9558e0fdbfc4c268063b6bb3e9b9b06371f2bc95a1e5b14ac95dfb35c5

SHA512
1837c95b61485cc0fa39a5595f59701b0a66253061bebc5ea3db209beb453d89019cd517a222c22e77f946b0fde7f5bd341513820591a705cf16147acd4aa85b

Download Submit
memory/2780-0-0x0000000003000000-0x0000000003100000-memory.dmp

Filesize
1024KB

Download
memory/2780-1-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/2780-2-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/2780-3-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/2780-4-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/2780-5-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/2780-6-0x0000000003000000-0x0000000003100000-memory.dmp

Filesize
1024KB

Download
memory/2780-8-0x000000004F310000-0x000000004F370000-memory.dmp

Filesize
384KB

Download
memory/2780-9-0x000000004F310000-0x000000004F370000-memory.dmp

Filesize
384KB

Download
memory/2784-10-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download