gootkit | 38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab

Analysis

max time kernel
95s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe
Size

293KB
MD5

e561ae3cedb6f9fc0ecff559c62788b0
SHA1

de34eb34e2c489386fb32dd96469e7fdcef617d9
SHA256

38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab
SHA512

c3abd85394b75b05b2bb7c53c28e3d1309226294c16594e6704e009f49353c45de4fcf632222f55529916181ce545485d6fd26d14eecb3db91b625ba9730d757
SSDEEP

6144:PbxOVKPwK8GwP5CltgOX6u99MayBg04b7TbZIb7xx9erp3CHP:j4VKPl8GBlp6u99M1LgTg7cpyv

Score

10^/10

gootkit 8888 banker botnet discovery trojan

Malware Config

Extracted

Family

gootkit

Botnet

8888

sslsecurehost.com

securessl256.com

Attributes

vendor_id
8888

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5096 set thread context of 3732	5096	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe
2776	mstsc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3732	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 5096	2028	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	86
PID 2028 wrote to memory of 5096	2028	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	86
PID 2028 wrote to memory of 5096	2028	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	86
PID 5096 wrote to memory of 3732	5096	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	87
PID 5096 wrote to memory of 3732	5096	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	87
PID 5096 wrote to memory of 3732	5096	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	87
PID 5096 wrote to memory of 3732	5096	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	87
PID 5096 wrote to memory of 3732	5096	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	87
PID 5096 wrote to memory of 3732	5096	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	87
PID 5096 wrote to memory of 3732	5096	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	87
PID 5096 wrote to memory of 3732	5096	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	87
PID 5096 wrote to memory of 3732	5096	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	87
PID 3732 wrote to memory of 2776	3732	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	88
PID 3732 wrote to memory of 2776	3732	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	88
PID 3732 wrote to memory of 2776	3732	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	88
PID 3732 wrote to memory of 2776	3732	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	88
PID 3732 wrote to memory of 2776	3732	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	88
PID 3732 wrote to memory of 2776	3732	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	88
PID 3732 wrote to memory of 2776	3732	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	88
PID 3732 wrote to memory of 2776	3732	e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe	88
PID 2776 wrote to memory of 2752	2776	mstsc.exe	89
PID 2776 wrote to memory of 2752	2776	mstsc.exe	89
PID 2776 wrote to memory of 2752	2776	mstsc.exe	89
PID 2752 wrote to memory of 2432	2752	cmd.exe	91
PID 2752 wrote to memory of 2432	2752	cmd.exe	91
PID 2752 wrote to memory of 2432	2752	cmd.exe	91

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2432	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe" -l
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240621578.bat" "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe""
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0_JaffaCakes118.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240621578.bat

Filesize
76B

MD5
ae1072b53928c3ccf4baa349ee37a326

SHA1
cbfd8e36304f48aadb63011772200dc80be4c3e9

SHA256
e12dae1e7cab5ff89c065d2c172898970591f464b0ba9977704921ebe441349b

SHA512
a2d43ff76800e1662d8fc1b365a7729d043391af6dc2ae987ef7e3b4d0b11edeb49996f9c9f75db8b7850bef6c923b34862986c578973facf1606e296a9a90a6

Download Submit
memory/2776-6-0x0000000000500000-0x0000000000520000-memory.dmp

Filesize
128KB

Download
memory/2776-10-0x0000000000500000-0x0000000000520000-memory.dmp

Filesize
128KB

Download
memory/3732-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3732-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3732-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download